September 2002 News Archives:

September 26, 2002 HIPAA Confusing About Sports Injury News
As
evidenced last Saturday, informative injury updates by sideline
reporters in college football games are becoming history, reports
USA Today. Following a federal law designed to protect privacy of
individuals' health information, some colleges have begun withholding
basic medical information on injured players, even though the law
does not become official until April 14, 2003. "From the network
side, we're not happy with it," ABC's vice president of production
Bob Toms said. "My people work hard but can't push it. It's
making it very difficult to get the information. A lot of schools
are saying, 'Let's not give out the information to get ready for
the law.'"
However, Claude Allen, deputy secretary of HHS, says there shouldn't
be major changes in how HIPAA will affect the reporting of injuries
to the media and public. According to USA Today, Allen said, "I
doubt seriously that information the way it's currently issued will
change substantially." If there are privacy problems for teams
regarding HIPAA, Allen said the issues could be solved by applying
for a waiver or inserting provisions into contracts or scholarships.
Allen said most of the major sports bodies in the USA have requested
a meeting with HHS so the final regulations take into account their
"unique" situation, probably next month.
Read USA Today's September 24th article, "Job of Updating Sports Injuries
Tougher."

September 25, 2002 Witnesses at House Hearing Debate Genetic Information Privacy
Gaps in the HIPAA medical privacy rule and the Americans
with Disabilities Act leave genetic information susceptible to misuse
by insurers and employers, privacy advocates said at a House Judiciary
subcommittee hearing on September 12. Consumers' fear of potential
recriminations from disclosing their genetic information to insurers
may be making some health care services, such as advance screenings
for certain types of cancers, inaccessible, witnesses told the House
Subcommittee on the Constitution's Oversight Hearing, "Privacy
Concerns Raised by the Collection and Use of Genetic Information
by Employers and Insurers."
Read statements made at the hearing by:

September 25, 2002 Court Upholds State Access to Abortion Clinic Records
The New York Times reports a South Carolina law allowing state inspectors
access to all abortion clinic records does not violate patients'
privacy rights, a divided federal appeals court ruled September
19th. The 2-to-1 decision by the United States Court of Appeals
for the Fourth Circuit in Richmond, Virginia reversed a lower court
ruling on the privacy issue. It upheld part of the lower court ruling
that found other elements of the clinic regulations to be constitutional.
Two clinics had challenged the regulations, arguing that the confidentiality
of patient information was vital because women seeking abortions
could face harassment. The appeals court noted, though, that the
state was required to keep patient records confidential.

September 24, 2002 Bush Administration Releases Cybersecurity Plan
The President's Critical Infrastructure Protection Board on September
18 released its first public draft of the National Strategy to Secure
Cyberspace (NSSC) at a joint government-industry press event at
Stanford University. The plan separates cyberspace into five levels:
- Home users and small businesses;
- Major private enterprises;
- Various sectors of the national information infrastructure;
- National Priorities; and
- Global.
The draft represents an ongoing work in progress that is subject
to change and modification, according to White House sources. Earlier
drafts of the plan were viewed by the private sector, particularly
the wireless industry and Internet Service Providers, as unreasonably
mandating government-induced security standards. Contrary to earlier
reports, the National Strategy does not contain requirements of
data retention or any other data collection/data mining requirements
by ISPs or other IT service providers. Significantly, unlike previous
versions of the plan, the current draft strategy does not
call for the creation of a Federal privacy "czar" position.
Read more on the NSSC.

September 24, 2002 EPIC Testifies Before Congress on Preventing SSN Misuse
At a joint hearing before two House subcommittees, Electronic
Privacy Information Center (EPIC) legislative counsel Chris Hoofnagle
urged Congress to create a comprehensive set of limitations on the
collection and use of the Social Security Number (SSN). EPIC's testimony
covered recent developments in identity theft, state attempts to
limit the SSN, and federal legislation designed to stem SSN use.
Two states, California and Georgia, have recently passed legislation
to limit the use of SSNs. In California, Senate Bill 168 was signed
into law in October 2001. The bill prohibits public posting of SSNs
and the printing of SSNs on identity cards or documents used to
obtain a product or service. In Georgia, businesses are now required
to safely dispose of records that contain personal identifiers.
Business records -- including data stored on computer hard drives
-- must be shredded or, in the case of electronic records, completely
wiped clean where they contain SSNs, driver's license numbers, dates
of birth, medical information, account balances, or credit limit
information.
Read EPIC's Testimony.

September 17, 2002 NIST Releases Four Security Guidelines
The National
Institute of Standards and Technology (NIST) has released final
publications of four computer security guidelines. Special Publication
(SP) 800-46, Security for Telecommuting and Broadband Communications,
provides security and policy information to assist users, sysadmins
and management in better securing telecommunications resources.
SP 800-47, Security Guide for Interconnecting Information Technology
Systems, addresses interconnections between IT systems that are
owned and operated by different organizations. SP 800-40, Procedures
for Handling Security Patches, addresses the problem of ignored
or improperly applied fixes for vulnerabilities and recommends ways
to develop a patching and vulnerability policy using a systematic,
accountable and documented process. Finally, SP 800-51, Use of the
Common Vulnerabilities and Exposures (CVE) Vulnerability Naming
Scheme, recommends that federal agencies make use of CVE designations
when acquiring or using CVE-compatible security-related products
and services. The scheme also can help admins monitor systems for
vulnerabilities.
View the guides at NIST's web site.

September 11, 2002 House Committee Approves Bill Requiring Agencies to Analyze Privacy Impact
The House Judiciary Committee yesterday
approved legislation that would require government agencies to analyze
how proposed regulations would affect personal privacy. The bill,
called the Federal Agency Protection of Privacy Act, would require
federal agencies to include a privacy impact analysis at the time
regulations are proposed. The bill, sponsored by Congressman Bob
Barr (R-GA), will now go to the full House for consideration.
"Americans deserve to know how government regulations will
impact their personal privacy, and this legislation reforms the
regulatory process to make sure that occurs," Barr said today.
"This bill will not only make the federal government more accountable
to the American people, but it will also serve to slow the growing
erosion of citizens' privacy rights."

September 11, 2002 Banks Urged to Apply for Compliance Extension
The American Bankers Association and the National Automated ClearingHouse
Association (NACHA) are encouraging banks to seek a one-year extension
to the HIPAA transactions compliance date.
The HIPAA Transactions Rule applies to all healthcare providers,
plans and healthcare clearinghouses as well as their
third-party business associates. According to the Department
of Health and Human Services (HHS), banks could be considered healthcare
clearinghouses if they process certain payments (e.g., provide
lockbox services) or other transactions for doctors, pharmacies,
hospitals, etc. that include personally identifiable protected
health information (PHI).
HHS has not yet determined whether certain bank payment processing
activities make banks subject to the HIPAA rule. Nonetheless, the
compliance deadline for the HIPAA Transactions Rule of October 16,
2002 is looming, and HHS expects banks to take action.
HHS will extend the compliance deadline for one year for banks
and other parties that file an extension letter with the agency
by October 15. To make this easier for banks, ABA and NACHA have
created a sample
letter that says the bank promises to be in compliance by October
16, 2003, if HHS determines that banks are subject to HIPAA.

September 9, 2002 FL Senator Drafts Bill for Stricter Drug Marketing Rules
A Florida Senator recently unveiled a legislative response
to the final HIPAA privacy rule. Sen. Bill Nelson (D-FL) has drafted
legislation intended to stop drugstore chains from using consumers'
records without consent for pharmaceutical marketing. "This
loophole lets drug companies and pharmacies mine and secretly profit
from your most private medical information," said Nelson. "Instead
of allowing further erosion of our privacy standards, we should
be strengthening medical privacy protections."
Specifically, Nelson's bill would require that consumers give
explicit consent before pharmacies could cull health information
for drug companies that pay them to market their products. The bill
does not interfere with health-care providers' sharing information
for patients' treatment. Last year, Nelson introduced a bill to
keep insurance companies, banks and other financial institutions
from sharing health-related and financial information about consumers
without their explicit consent.

September 9, 2002 Judge Rules Web Tracking Firm Did Not Violate Privacy Laws
A federal court ruled last month that Pharmatrak Inc.,
a now-defunct company that tracked visits to pharmaceutical company
Web sites using "cookies" and "Web bugs," did
not violate federal wiretap, computer hacking or privacy statutes,
reports Reuters Health. The August 13, 2002 ruling by Judge Joseph
L. Tauro of the US District Court for Massachusetts found in favor
of Pharmatrak and its pharmaceutical clients, including Pfizer Inc.,
Pharmacia Corp. and American Home Products.
The plaintiffs alleged that Pharmatrak and its clients "secretly
intercepted and accessed Internet users' electronic communications
with various health-related and medical-related Internet Web sites"
and collected information about visitors' Web browsing habits without
their knowledge or consent. Pharmatrak offered a product called
"NETcompare" that allowed drug company clients to gauge
monthly Web site traffic and track browsing activity. The company
maintained that it did not collect "personally identifiable
information."
"It is possible that many individual users were unaware that,
in addition to their browser communicating with a pharmaceutical
defendant's Web site, it was also communicating with Pharmatrak,"
Judge Tauro wrote. But in granting defendants' motion for summary
judgement, the court held that there was no evidence to support
the plaintiffs' allegations.

September 6, 2002 HPP Releases More Revised Summaries of State Privacy Laws
This week, the Health Privacy Project released more revised
summaries of the health privacy statutes of seven states: Louisiana,
Mississippi, New Mexico, North Dakota, Oregon, Rhode Island and
South Dakota. In addition, the Pennsylvania summary has been updated
to incorporate changes in copying costs for medical records.
The updated state summaries reflect changes in state health privacy
statutes that have been made since the original report, The State
of Health Privacy: An Uneven Terrain (A Comprehensive Survey of
State Health Privacy Statutes), was published in 1999. These state
laws have not been analyzed as to how they will interact with the
modified final Privacy Rule.
View the updated state summaries at the Health Privacy Project Web site.