February 2003 News Archives:
February 28, 2003 Encryption Optional in Security Rule, Could Alter Payment Processes
Among changes in the final HIPAA security
rule is elimination of any requirement to encrypt electronically
transmitted protected health information, reports Health Data Management.
Encryption is one of many required procedures or technologies in
the proposed rule which are now "addressable," meaning
a provider or payer organization must determine if it is appropriate
to use the technology. Many providers implementing the final security
rule likely will conclude encryption is a reasonable and appropriate
way to protect sensitive data. Consequently, one area provider organization
executives must examine is the electronic transmission of payment
information--which can include PHI--among their facilities, payers
and financial institutions, says The Medical Banking Project.
Read more.
February 27, 2003 ACLU Makes Second Online Privacy Gaffe
The Washington Post reports that protecting personal information on the digital
frontier remains a tough task, even for the most ardent privacy
activists. That's the lesson the American Civil Liberties Union
learned this week after sending out an email newsletter that inadvertently
contained the names and email addresses of the hundreds of groups
and individuals who received it. The gaffe, on Monday afternoon,
came just weeks after the group was chided by New York State Attorney
General Eliot L. Spitzer for exposing the names, phone numbers and
other details of about 91 people who bought merchandise in 2001
from an ACLU site online.
Read more.
February 27, 2003 Final Cyber Strategy Released
Federal Computer Week reports the White House released the final version of its National
Strategy to Secure Cyberspace on February 14, focusing on five priority
areas and recommendations -- including the creation of a single
national cyberspace security response system.
Read more.
February 27, 2003 DOD Wireless Policy Delayed
Federal Computer Week reports the Defense Department's (DOD) policy on the use of
wireless devices, originally due out this week, will not be available
until sometime in March or April, according to Defense officials.
The policy, currently in draft form and collecting comments from
those assembling it, is supposed to be more comprehensive and practical
than the current policy, which affects only the use of wireless
devices within the Pentagon.
Read more.
February 27, 2003 DOD Introduces Database of Soldiers' Updated Health Info
IHealthBeat reports the Department of Defense (DOD)
will use a computer system to store and analyze soldiers' most
recent medical information, Wired reports. The program is intended
to solve the problem of lost and deleted medical records encountered
during the Gulf War. "The idea is also to plug military health-service
black holes that devoured tens of thousands of individual medical
records during the Gulf War." Some critics contend that the
new program will do nothing to deter the deliberate deletion or
falsification of health records by the Pentagon.
Read more.
February 27, 2003 Deadline Nears for Rights to Use ABC Codes in HIPAA Transactions
Healthcare stakeholders have less than three weeks
to secure rights to use Advanced Billing Concept (ABC) codes in
HIPAA transactions, according to the organizations that develop
and update these.
Read more.
February 27, 2003 WV Jury Awards Millions to Victims of Medical Privacy Breach
A jury in Morgantown, WV reportedly awarded $2.3 million
February 5 to three women whose confidential mental health treatment
records were not kept private by West Virginia University Medical
Corporation. The corporation, also known as University Health Associates,
fired a records clerk in July 1999 after one of the women complained
to University Health Associates that the clerk took their mental
health records to his home and to local bars, where he disclosed
the information to others.
February 20, 2003 Final Rules Officially Published; Understanding Security Rule Requires Assistance
Today's Federal Register contains
the official versions of the final Security and Transaction Modifications
Rules which were released via the Centers for Medicaid and Medicare
Services' (CMS) HIPAA web site last Thursday (see
February 13 story below). Also appearing in today's Federal
Register is a notice reflecting a change to the organizational structure
of CMS by establishing the Office of Health Insurance Portability
and Accountability Act Standards. Among the Office's duties:
- Develop, implement and administer the enforcement of HIPAA including
portability, transactions, code sets, identifiers, and security.
- Develop, implement and administer the enforcement of the Administrative
Simplification Compliance Act (ASCA).
- Develop regulations to enforce the provisions of the HIPAA and
the ASCA. Also develop regulations and guidance materials on HIPAA
standards.
- Educate and reach out to the public and internal CMS staff on
HIPAA issues. Formulate and coordinate a public relations campaign,
prepare and deliver presentations and speeches, respond to inquiries
on HIPAA issues, and liaise with industry representatives.
- Work with Federal departments and agencies to identify and adopt
universal messaging and clinical health data standards, and represent
CMS and HHS in national projects supporting the national health
enterprise architecture and the National Health Information Infrastructure.
- Provide technical assistance regarding HIPAA standards and their
implementation.
- Collaborate with the Department, especially the Office for Civil
Rights, on HIPAA policy issues.
- Coordinate and provide guidance on legislative and regulatory
issues.
- Provide assistance and guidance for HIPAA-related budget formulation
and execution activities.
Meanwhile, both Health Data Management and Information Week are
saying that even though the final HIPAA security rule is simpler
than its predecessor proposed more than four years ago, it is vague
enough, and lacking enough in technological specifics, to make it
difficult for entities to understand whether they are in compliance.
Read the official Final Security Rule in PDF or text formats
Read the official Final Transaction Modifications Rule in PDF or text formats
Learn how the new rule will affect your organization with Phoenix Health Systems'
"Securely HIPAA: Understanding the Final Security Rule" audio conference
February 13, 2003 HHS Adopts Final Security & Transaction Modifications Rules
HHS Secretary Tommy G. Thompson today announced the adoption
of the Security and Transaction Modifications Final Rules. The security
standards will be published as a final rule in the Feb. 20 Federal
Register with an effective date of April 21, 2003. Most covered
entities will have two full years -- until April 21, 2005 -- to
comply with the standards; small health plans will have an additional
year to comply, as HIPAA requires.
In a separate final regulation, HHS adopted modifications to the
transaction standards. Covered entities must comply with these modified
transaction standards by Oct. 16, 2003. The final transaction modifications
rule, which will also be published in the Federal Register on Feb.
20, combines two proposed rules published May 31, 2002. HHS worked
extensively with the Designated Standards Maintenance Organizations
(DSMOs) to revise the proposed changes to the standards, as required
by Congress as part of HIPAA.
Read the official HHS press release.
Read the full text of the Final Security Rule in PDF or Word formats, or by section in HTML.
Read the full text of the Transaction Modifications Final Rule in PDF or by section in HTML.
February 11, 2003 URAC Releases Draft HIPAA Privacy Standards for Public Comment
URAC yesterday released a draft set of HIPAA
Privacy Accreditation standards for public comment. When completed
later this year, the new program will enable health care organizations
to display a commitment to fair information practices, and to demonstrate
that they have taken the necessary steps to protect health information
privacy in accordance with the HIPAA Privacy Rule. Comments on the
draft standards are due March 12.
Read more.
February 11, 2003 KY Agency Computer Approved for Sale Contained Patient Info
IHealthBeat reports Kentucky state officials last year
approved for sale a computer containing confidential files about
HIV/AIDS patients, the state auditor announced this week. Although
the computer never left state custody, the incident raises questions
about potential privacy violations, the Associated Press reports.
Read more.
Read the KY Governor's Office of Technology's new policy on "Sanitization
of Information Technology Equipment and Electronic Media."
February 11, 2003 Report: Data Security Lacking at TX Health Agencies
IHealthBeat reports several Texas health and human services agencies
fail to protect personal information in their computer systems,
according to a report the State Auditor's Office released last
week. Insufficient external and internal security controls allow
unauthorized access to sensitive information such as medical records
and other personal health data.
Read more.
February 11, 2003 OMB Completes Review of TCS Modification Final Rule; Security May Be Any Day Now
OMB completed its review of the
Modification to the Transactions and Code Sets Final Rule yesterday.
In a few days, the final version of the regulation should be placed
on display at the Government Printing Office (GPO) in Washington,
DC, and then published in the Federal Register. Meanwhile, Modern
Physician magazine is reporting that the HIPAA security rule may
be published any day now.
February 6, 2003 Kaiser to Put Patient Records Online
Kaiser Permanente,
the nation's largest non-profit health maintenance organization
(HMO), said this week it is embarking on a three-year plan to put
8.5 million of its members' patient records online at a cost of
around $1.8 billion, reports InternetNews.com. Kaiser said the new
system will comply with HIPAA for privacy and security protocols.
The software has a built-in "Minimum Necessary" system,
so that sensitive medical information, such as psychiatric visits
or HIV tests, is only available to the health care provider and
the patient.
Read more.
February 6, 2003 Stolen Hard-Drive with Medical Records Data Recovered in Canada's Largest Privacy Breach
The Globe and Mail reports
that according to police, Canada's largest privacy breach yet, affecting
more than a million people, began as a petty crime by a Saskatchewan
tech-company employee who wanted an extra 30 gigabytes of personal
hard-drive space. But police acknowledged they cannot be sure what
happened to the personal, financial and medical records from the
Saskatchewan government and major Canadian financial institutions
that were stored on the drive.
Read more.
February 6, 2003 CMS May Get HIPAA Enforcement Funds
Health Data Management reports that under the proposed fiscal 2004 HHS budget,
the Centers for Medicare and Medicaid Services (CMS) would receive
$10 million to begin activities related to enforcement of HIPAA's
transactions and code sets, security, and identifier rules, including
the promulgation of a HIPAA enforcement rule. The proposed budget
includes $34 million in total spending for the Office of Civil Rights,
which will enforce the HIPAA privacy rule. It is unclear how much
funding the office will have for privacy rule enforcement.
Read more.
View the 103-page briefing paper on the proposed budget.
February 5, 2003 CAQH & WEDI Launch Site to Ease Electronic Transactions Change
Created by the Council for Affordable Quality Healthcare
(CAQH) and the Workgroup for Electronic Data Interchange (WEDI),
a new web site intends to ease potential provider confusion related
to 2003 HIPAA- and NCPDP-mandated changes in health plan-provider
electronic interactions. Designed as one common resource for providers
and plans alike, the site gives providers information on health
plan transaction changes and equips health plans with tools to communicate
these changes to providers. Participation in and use of the site are
free.
Read more.
February 3, 2003 California Patients Urged to Get Records
Hundreds
of thousands of Southern Californians are in danger of having their
medical records destroyed because a Boston company says it is no
longer being paid to store them. Iron Mountain has been housing
the records of KPC Medical Management, which closed its clinics
in 2000 and left behind 8 million medical documents. Iron Mountain,
which has housed the records since August 2001, was paid to store
them for one year and distribute them to patients who requested
them, company spokeswoman Melissa Burman said. Because the company
has not received more money, officials have been considering whether
to destroy the documents.
Read more.