May 2002 News Archives
May 31, 2002 Three HIPAA Regs Published Today
The following three HIPAA regulations were published in the Federal Register today:
The concurrent comment periods for the NPRMs are 30 (as opposed
to the usual 60) days. The initial compliance date for the Employer
Identifier will be approximately July 30, 2004 (July 30, 2005 for
small health plans).
Read more.
May 31, 2002 CMS to Broadcast Video on "Meeting the HIPAA Challenge" June 18
On Tuesday, June 18, the Centers for
Medicare & Medicaid Services (CMS) will be presenting a video
entitled "Meeting the HIPAA Challenge: Implementing HIPAA Standards
and the Administrative Simplification Compliance Act." The
video will air, via satellite broadcast and simultaneous webcast,
2:00 - 3:30 PM, and will include opening remarks from the CMS Deputy
Administrator, Ruben King-Shaw.
The video will show physicians and the health care provider community:
- How to develop implementation plans for the extended compliance
date of October 16, 2003
- How to request an extension to the compliance date
- A demonstration of how to fill out the Compliance Form - including
covered entities and tax ID
- Updates on changes to the HIPAA Transaction and Code Set Standards
- Information on Medicare testing and HIPAA implementation
- A tool to develop your road map to HIPAA implementation
- A panel discussion with CMS HIPAA experts
- Vignettes from the CMS/SHARP (Southern HIPAA Administrative
Regional Process) Conference, held in Atlanta this past February
The video will remain available through the web for three months
after this initial broadcast.
Registration information.
May 30, 2002 Klez.H Becomes the Web's Most Widespread Worm
Email security provider MessageLabs reports that Klez.H has become
the most widespread worm in the history of the Internet, currently
infecting 1 in every 300 emails. According to Alex Shipp, an antivirus
technologist at MessageLabs, "LoveLetter only really lasted
for one day, while Klez has sustained 20,000 copies per day since
April 18 and shows no signs yet of slacking off." Experts attribute
the worm's persistence to its ability to forge senders' addresses,
and to change subject lines and attachment names.
Read more.
May 21, 2002 VA Patients' Records Found on Surplus Computers
The Indianapolis VA Medical Center is making changes after a
local TV news team's investigation found patient records on used
computers bought for $10 each at a thrift store. The three computers
were tested with the help of a computer forensics expert. Within
minutes, the news team found hospital patient records as well as
patients' social security numbers, home addresses, and home telephone
numbers. Ironically, also found on the computer, along with the
patient records: the VA's own written policy about patient privacy.
Read more.
Also read the New York Times article, "Hard-Drive Magic: Making
Data Disappear Forever."
May 20, 2002 Senate Approves Online Privacy Bill
On Friday, the US Senate Commerce Committee approved 15-8 the Online Personal
Privacy Act (S. 2201), a bill sponsored by committee Chairman Ernest
F. Hollings. The bill requires Internet companies to ask consumers'
permission before collecting and sharing their sensitive information,
such as medical and financial records. The legislation also would
preempt state privacy laws and allow consumers to sue companies
that mishandle their personal data. A second vote is now necessary
before the bill is sent to the full Senate.
Read the Washington Post article, "Senate Panel Debates Divisive
Internet Privacy Bill."
Read the New York Times article, "Senator Prevents Action on Online
Privacy Bill."
Read the text of S. 2201.
May 20, 2002 ACS Calls for Changes to BA Requirements
The privacy rule's business associate (BA) requirements place unreasonable
administrative and cost burdens on providers, other covered entities,
and their business associates, according to the American College
of Surgeons (ACS). In its April 26 letter of comment, ACS commended
HHS for proposed changes to the privacy rule's provisions for disclosing
protected health information (PHI) for treatment, payment, and health
care operations, and de-identifying PHI. But the ACS expressed disappointment
that HHS did not make significant changes to the business associate
requirements.
Read the letter.
May 20, 2002 HIMSS and AHIMA to Offer Combined Certification for Both Disciplines
Recognizing the growing need by all healthcare
facilities for employees to have expertise in health information
security and privacy, the Healthcare Information and Management
Systems Society (HIMSS) and the American Health Information Management
Association (AHIMA) announced today their collaborative agreement
to offer certification in those areas to meet the industry's needs.
HIMSS will offer the Certified in Healthcare Security (CHS) and
AHIMA will offer the Certified in Healthcare Privacy (CHP). The
two organizations will jointly offer a combined certification covering
both disciplines, the Certified in Healthcare Privacy and Security
(CHPS) credential.
Approved today by AHIMA's House of Delegates, AHIMA will begin
administering the CHP examination in the fall of 2002. HIMSS will
begin administering the CHS examination in February 2003 at the
Annual HIMSS Conference and Exhibition. The CHPS exam will be offered
in February 2003.
May 14, 2002 National Pharmacy Database Assigns IDs to Unsuspecting Prescribers
Although the national provider identifier remains
on hold, Modern Physician reports the National Council for Prescription
Drug Programs (NCPDP), an ANSI-accredited standards development
organization, has begun assigning ID numbers to prescribers without
their knowledge. In late March, the NCPDP launched HCIdea, a not-for-profit
initiative to standardize prescribing databases.
According to the NCPDP, the new and improved Health Care Identifier
number will "eliminate the confusion of using the DEA number
by providing the industry with an affordable, accurate and standard
database and enumerator of individual health care providers and
prescribers."
HCIdea is a response to the needs of the NCPDP membership. The
use of the DEA number has been problematic and is further complicated
due to legislation prohibiting the use of the DEA number in claims
submissions. HCIdea will provide the pharmacy and health care community
with an improved way to identify prescribers for the purpose of
claims and other business transmissions.
HCIdea will utilize the NCPDP membership's advanced technical
capabilities and prescriber information content sources. All prescribers,
including Medical Doctors, Doctors of Osteopathic Medicine, Nurse
Practitioners, Physician Assistants, Dentists, Optometrists, and
Podiatrists will have their own unique ID, along with multiple addresses
listed for each of them.
Read Modern Physician's article, "Numbers ye know not of: Stealth
database venture assigns IDs to unsuspecting prescribers."
More about NCPDP and HCIdea.
May 13, 2002 HHS to Release Final Rules & NPRMs Soon
The Department of Health and Human Services' Semiannual Regulatory
Agenda published in today's Federal Register includes updates on
the status of some of the HIPAA Administrative Simplification requirements.
HHS is required to publish a realistic forecast of the rulemaking
activities that the Department will engage in over the next 12 months.
The estimated publication dates are:
- Employer Identifier Final Rule - June 2002
- Security Final Rule - August 2002
- Modifications & Revisions to TCS Standards NPRMs - June
2002
- Claims Attachments NPRM - August 2002
- Health Plan Identifier NPRM - August 2002
- Next Action on the Privacy NPRM Undetermined
HHS' Centers for Medicare and Medicaid Services (CMS) also recently
updated its list of 24 frequently asked questions (FAQ) and answers
concerning the Administrative Simplification Compliance Act (ASCA).
Read the updated ASCA FAQ.
May 13, 2002 JCAHO Urges HHS to Change Privacy NPRM BA Requirements
In its letter of comment to HHS on the privacy rule's proposed
modifications, the Joint Commission on Accreditation of Healthcare
Organizations (JCAHO) said that a business associate (BA) agreement
between covered entities and national accrediting organizations
is an unnecessary, costly requirement that will not benefit patients.
JCAHO proposes further modification of the BA agreement.
Read the letter.
May 13, 2002 Health Groups Want Exemption From Online Privacy Bill
Health Data Management reports a group of health care and
business organizations want entities covered under the medical privacy
rule to be exempt from the Online Personal Privacy Act recently
introduced by Sen. Ernest Hollings (D-SC). Thirty-four health care
organizations have sent a letter to Hollings, chair of the Senate
Commerce Committee. HHS recently proposed to eliminate the privacy
rule's patient consent requirement, but Hollings' legislation
requires consumer consent to use identifiable information obtained
online.
Full Story.
May 13, 2002 EPIC Urges Openness, Accountability for Infrastructure Protection
In testimony before the Senate Governmental Affairs
Committee's May 8 hearing on "Securing Our Infrastructure:
Private/Public Information Sharing," Electronic Privacy Information
Center (EPIC) General Counsel David Sobel criticized proposals to
create a new Freedom of Information Act (FOIA) exemption for "critical
infrastructure information." He told the Committee that, "rather
than seeking ways to hide information, Congress should consider
approaches that would make as much information as possible available
to the public" concerning security flaws in critical systems.
Read EPIC's testimony.
May 13, 2002 HPP Releases More Updated Summaries of State Health Privacy Statutes
The Health Privacy Project recently released
revised summaries of the health privacy statutes of nine states:
Arkansas, Arizona, Colorado, District of Columbia, Florida, Idaho,
Michigan, Minnesota, and New York. These updated summaries
reflect changes in state health privacy statutes that have been
made since its original report, The State of Health Privacy: An
Uneven Terrain (A Comprehensive Survey of State Health Privacy Statutes),
was published in 1999. The Project will continue to issue updated
state summaries over the next few months.
The summaries focus predominantly on the use and disclosure of
information gathered and shared in the context of providing and
paying for health care. Furthermore, the Project has not analyzed
how these state laws will interact with the HIPAA privacy rule.
Read the updated state summaries.
May 9, 2002 Newspaper Groups Still Object to Privacy Rules
Proposed changes to the privacy rule will restrict newspapers'
access to important health information, say three major newspaper
associations. The Newspaper Association of America, the National
Newspaper Association, and the American Society of Newspaper Editors
submitted comments to HHS on the Privacy NPRM, arguing that "some
use of individual information is necessary and justified - and protected
by the Constitution." Under the rule, patients will have to
authorize use of their personal health information, but the groups
complain that by the time they get authorization, the story
will have passed by. The organizations point out that if HIPAA
rules had been in effect, news relating to Sept. 11 and the anthrax
scare would have been withheld from the public.
Read more.
May 7, 2002 VIRUS ALERT: Klez Continues Causing Chaos
The latest versions of Klez have infected more
than 7% of PCs around the world, moving past totals accrued by SirCam
and Nimda. The W32.Klez worm and its variants are still loose in
the wild two weeks after the latest variant was discovered, moving
antivirus software vendor Symantec Corp. to upgrade it to a "level
4 virus threat" on its danger scale of five. Klez uses a
variety of subject lines and can spoof senders' email addresses,
making it harder for people to look out for the usual signs of virus-laden
emails. Klez uses its own SMTP server to mail itself out to email
addresses found on infected computers' hard drives. While the Klez
worms are not particularly destructive, they pose a security threat
by sharing files plucked from infected PCs as they spread.
A new report from Symantec says that some infections of the
Klez.h worm, which spread rapidly over the Internet last month,
are also carrying the four-year-old Chernobyl virus. According
to Symantec, the addition of the Chernobyl virus wasn't intentional,
but a product of the Klez.h worm being infected by Chernobyl on
computers that had both viruses.
The New York Times is yet another victim of the Klez worm; 250
members of its TimesDigest service received infected emails. The
company emailed its affected customers, advising them to delete
emails that do not look like the email the Times normally sends.
Download Symantec's Klez removal tool.
May 7, 2002 CHCF, HPP Release New Report on Genetics and Privacy
A new report released yesterday by the California HealthCare Foundation
(CHCF) and written by the Georgetown University Health Privacy Project
looks at genetics and privacy. "Genetics and Privacy: A Patchwork
of Protections" reviews the state of the science and defines
common genetic terms. It discusses how genetic information is vulnerable,
examines the role of Internet health, and the gaps in national policy
that leave genetic information exposed to potential misuse.
View the report (PDF).
May 6, 2002 AHA Urges HHS: Require Acceptance & Fast Payment of HIPAA Claims
AHA is urging HHS Secretary Tommy Thompson to
adopt a rule or guidance requiring health plans to accept &
quickly pay hospitals' HIPAA-compliant claims, reports AHA News.
According to the May 2nd letter, HIPAA regulations establish national
standards for electronic submission of claims, and make clear that
health plans are not permitted to require additional elements. "Hospitals'
confidence and continued support for administrative simplification
is being eroded further by statements indicating that providers
should not expect to see faster or smoother claims payment as a
result of HIPAA standardization," according to the letter.
"HHS clarification, through guidance or regulation, that HIPAA
standardization has a direct connection to the prompt payment of
claims will go a long way toward restoring provider confidence in
the promise of administrative simplification."
Read the letter.
May 6, 2002 Zoo Refuses to Release Animal's Medical Records Citing Privacy Concerns
The Smithsonian Institution's National Zoo
has taken the position that viewing animal medical records would
violate the animal's right to privacy and be an intrusion into the
zookeeper-animal relationship.
A Washington Post staff writer recently asked the National Zoo
for animal medical records after the death of a beloved giraffe
there. Zoo Director Lucy Spelman replied the Post cannot see animal
medical records, only "detailed summaries prepared by the individual
generating those records or reports. One reason [for denying the
records request] is privacy," Spelman wrote. "Certainly,
the privacy rules that apply to human medical records, and the physician-patient
relationship, do not apply in precisely the same way to animal medicine
at a public institution like the National Zoo. But we believe they
do in principle."
Full Story.
May 2, 2002 Privacy: on the Hill & in "The Hill"
ZDNet News reports a bill introduced in the House Wednesday
would require states to include biometric features such as retinal
scans or fingerprints on encrypted microchips in driver's licenses
and state-issued ID cards. The bill, sponsored by Reps. Jim Moran
(D-VA) and Tom Davis (R-VA), is called the Driver's License Modernization
Act; however, the American Civil Liberties Union (ACLU) thinks the
bill "would more appropriately be called the National ID Act
of 2002," said Katie Corrigan, ACLU legislative counsel. The
ACLU and other privacy advocate groups oppose the measure.
On a related note, both Representatives Moran and Davis have written
an article appearing in Wednesday's The Hill newspaper special section
on privacy. The article, entitled, "Identity integrity through
smart drivers licenses," presents their views on the
subject. Included in the special section is an article by Sen. Edward
Kennedy (D-MA): "Patients risk medical privacy with Bush proposal."
Chairman of the Senate Commerce Committee, Sen. Ernest Hollings
(D-SC), who recently introduced and held hearings on S.2201,
the Online Personal Privacy Act which references HIPAA privacy
regs, has also written an article, "Protecting information
collected over the Internet." The remaining articles, written
by Reps. Lamar Smith (R-TX), Ron Paul (R-TX), Sens. Dianne Feinstein
(D-CA), Judd Gregg (R-NH), and others, cover cyber security, identity
theft, and protecting Social Security numbers.
Read The Hill's "Special Section: Privacy."
Read ZDNet's article, "Next Up -- Eye Scans on Driver's Licenses?"
May 2, 2002 Companies Urged to Maintain Privacy, Security or Face Legal Trouble
Companies face many snares, some of which are
hidden, when protecting sensitive information and maintaining security,
said lawyers addressing the Massachusetts Software and Internet
Council yesterday as reported by Computerworld. "I was amused
to read in the paper that the Harvard Medical School was giving
PalmPilots out to all its medical students," said David S.
Szabo, a lawyer at Boston firm Nutter, McClennen & Fish LLP.
"This is a radioactive device filled with medical data."
Szabo said that it's impossible to guess the school's liability
if one of the devices were lost or stolen. HIPAA Privacy rules say
such data has to be protected. The question, he said, then arises:
What would constitute protection in such a case?
Full Story.
May 2, 2002 NCVHS Sends Recommendations to HHS on Privacy NPRM
As part of its responsibilities under HIPAA, the National Committee
on Vital and Health Statistics (NCVHS) provides recommendations
regarding the HIPAA privacy standards. On the Privacy NPRM, the
NCVHS supports the consent revision, believing "the consent
form would likely become simply another piece of paper for a patient
to sign without much thought or discussion with a health care provider."
NCVHS also supports the NPRM's minimum necessary provisions.
NCVHS supports many of the proposals in the NPRM with regard to
research, but has concerns with the issue of remuneration. NCVHS
also supports the NPRM's new requirement that specific authorization
is required before PHI may be used for marketing, but recommends
the provisions dealing with marketing be revised to further protect
PHI. NCVHS recommends that HHS clarify the rules for accounting
for disclosures for public health and research purposes, and the
burden for public health and research purposes should be minimized.
Read the letter.
May 2, 2002 AFEHCT Delivers Response to Privacy NPRM
On April 26th, the Association For Electronic Health Care Transactions (AFEHCT)
hand-delivered its response to the HHS Privacy NPRM published on
March 27th. According to Tom Gilligan, AFEHCT's Executive Director,
two key points were made:
- Since providers, payers and clearinghouses were covered entities
under HIPAA and subject to identical privacy requirements, business
associate contracts between clearinghouses and other covered entities
were an unnecessary redundancy, and ought not be required.
- According to the statute, if the changes made in the Privacy
NPRM are to be included in the final rule which must be complied
with in April 2003, then the final rule has to be published in
August 2002, 180 days prior to the compliance date, so it can
be effective in October 2002. AFEHCT asked the Secretary to publish
the final rule in keeping with the timelines laid out in the statute.
Read AFEHCT's letter.