January 2003 News Archives:
January 27, 2003 - Health Data Monitored for Bioterror Warning
The New York Times reports the government is building a computerized
network that will collect and analyze health data from people in eight
major cities to watch for signs of a bioterror attack. The Centers for
Disease Control and Prevention (CDC) is to lead the surveillance effort,
which represents a sharp swing to civilian leadership in a field the
military pioneered and once dominated. Even in civilian hands, the
emerging network has raised concerns that such surveillance may violate
individuals' medical privacy rights.
Read more.

January 27, 2003 - Utah Developing Database of Residents' Genetic Info
According to the Kaiser Daily Health Report, Utah Governor Michael
Leavitt (R) announced in his Jan. 21 State of the State speech a
new biotechnology/human genetics project called GenData. Genetic
information collected from state residents will be put into a database
to help researchers find treatments for diseases such as diabetes and
cancer. The nonprofit formed by the state, the University of Utah, and
the Huntsman Cancer Foundation will take steps to pass legislation
further protecting the privacy and security of information in the
database.
Read more about Utah's GenData project.

January 24, 2003 - From OMB: Regulations.gov Open; Prototype for Interagency EDI Coming
Federal Computer Week reports the Office of Management
and Budget (OMB) unveiled the Regulations.gov portal last week,
the first project under the e-rulemaking electronic government initiative.
Regulations.gov is intended to provide a single place for all citizens
to search, access and comment on proposed federal rules.
OMB will also begin testing, by March, a prototype of a system that
will make interagency transactions possible, reports Government
Computer News. OMB will modify the Navy's E-Commerce Online
portal to interface with the Treasury Department's Intragovernmental
Payment and Collection system. OMB also must create new electronic
data interchange data sets and file formats to use the Navy's
system, McBride
Read more about Regulations.gov.
Read more about OMB's transactions prototype.

January 24, 2003 - Security Researcher Discovers Master Keys Are Easy to Create
A researcher for AT&T Labs-Research has discovered
that a copy of the master key for an entire building can be created
starting from any single key for that building, the New York Times reports.
All that is required is access to a key, the lock that it opens,
a metal file, and a few key blanks. The researcher, Matt Blaze,
reports in a paper submitted for publication in a computer security
journal that the attack "required only a few minutes to carry out,
even when using a file to cut the keys." "I view the problem
as pretty serious," says Marc Weber Tobias, a locks expert who works
as a security consultant to law enforcement agencies, adding
that the technique is so simple that "an idiot could do it."
Read more.

January 23, 2003 - Security Rule Author Predicts February Publication
In an exclusive interview this month with Theresa Defino, Editor
of Ingenix's "Practical Guidance on HIPAA and E-Health for
the Physician Practice" newsletter, the original author of
the Final Security Rule speculates it will be published in February,
after the Office of Management and Budget (OMB) has cleared it.
John Parmigiani, director of enterprise standards for what was
then the Health Care Financing Administration (HCFA), and his staff
wrote the final rule nearly four years ago. Parmigiani left the
government in February 2000 and is now national practice director
for HIPAA compliance services at CTG Health Care Solutions, a consulting
firm headquartered in Cincinnati. The rule, which has since been
rewritten and modified, finally made its way to OMB on January 13.
"Once approved by OMB, the final rule then has to be published
in the Federal Register for 60 days before the 24 months compliance
countdown begins," Parmigiani tells Practical Guidance. "So,
at the earliest, we are looking at a compliance date somewhere in
the spring of 2005."
Parmigiani thinks the new final rule "should not deviate substantially
from the proposed rule because the proposed rule was based on good
security practices for any business engaged in electronic commerce."
"The same core values that were part of the proposed rule should
also be integral ingredients of the final rule," Parmigiani
says.
Some anticipated changes from the proposed rule include:
- Eliminating the electronic signature requirement;
- Changing terminology to reference business associate agreements
instead of chain of trust agreements;
- Clarifying rule requirements as to what is mandatory and what
is only recommended.
"(I)n its attempts to synchronize the final security rule
with the privacy rule," Parmigiani adds, "OMB could very
well return the proposed final rule to HHS if it finds shortcomings
or deems modifications [are] needed." But Parmigiani warns
that it would be a mistake to wait until a compliance date passes
to implement security measures. "The publication of the final
rule is somewhat of a moot point, however, since compliance with
the privacy rule by April 14 implements the security standards,
de facto, because of the requirement that necessary administrative,
physical, and technical safeguards" be in place for protected
health information, he says.
Stay on top of the HIPAA regs publication schedule with our up-to-date Compliance Calendar.

January 23, 2003 - SC Physicians Appeal HIPAA Case
Physicians
in South Carolina, as well as the South Carolina Medical Association,
were set to argue today before a federal appellate court that the
HIPAA privacy regulations are onerous and unconstitutional, reports
Modern Physician.
Other states' medical societies are supporting the case, though
the American Medical Association (AMA) and national specialty medical
societies are not participating. The physicians and medical societies
have no problem with the transaction rules, believing that computerized
transactions actually save money.
The plaintiffs say HHS has no constitutional power to develop the
massive privacy regulations, which will affect an estimated 2 million
healthcare entities that handle personal health information,
according to an attorney who will present the case to a three-judge
panel of the Fourth Circuit Court of Appeals in Richmond, Va.
A federal trial court in Columbia, SC, threw the case out last
August, ruling that HHS does have statutory authority to create
and enforce healthcare privacy regulations.
Read more.

January 22, 2003 - Bill Would Set Infosec Standards
Federal Computer Week reports Sen. John Edwards (D-NC) introduced a bill last week
that is designed to better position the federal government to serve
as a model in information security. The Cyber Security Leadership
Act (S. 187) would direct the National Institute of Standards and
Technology (NIST) to establish higher standards for federal information
security. NIST would develop the standards after agencies performed
comprehensive analyses of their networks and systems to discover
where weaknesses lie.
Read more.
Read the text of S. 187.

January 22, 2003 - CDC Anthrax Study Violated Privacy Regs
The
United Press International (UPI) reports that the Centers for Disease
Control and Prevention (CDC) violated federal regulations when it
failed to notify postal workers potentially exposed to anthrax in
the 2001 attacks that their confidential medical information would
be included in a study, medical privacy experts and postal employees
told the wire service. The failure to notify the workers is a serious
infraction of the federal regulations set up to protect medical research
participants, experts on research protections told UPI. Because of the
sensitive nature of medical information, researchers are required to
inform subjects why the information is being collected and how their
privacy will be protected.
Read more.

January 22, 2003 - Government Data Mining Raises Privacy Concerns
According to ComputerWorld, Sen. Patrick Leahy (D-VT), the ranking
Democrat on the Senate Judiciary Committee, sent a letter last week
to US Attorney General John Ashcroft, asking the Department of Justice
to explain the extent to which data mining tools are being used
in homeland security. Specifically, Leahy expressed concern about
the Pentagon's Total Information Awareness (TIA) program mining
data obtained through credit card purchases and medical records.
"TIA is intended, according to Department of Defense officials,
to generate tools for monitoring the daily personal transactions
by Americans and others, including tracking the use of passports,
driver's licenses, credit cards, airline tickets, and rental cars,"
Leahy wrote. One TIA software tool, code-named Genoa, may have already
been delivered by DARPA to the Justice Department, Leahy said. As
a result, Leahy has asked for a status report on all TIA software
projects, including Evidence Extraction and Link Discovery, a previously
unknown tool called Genisys and a program called the Translingual
Information Detection, Extraction and Summarization, or TIDES.
Read Leahy's letter to Ashcroft.
Read ComputerWorld's article, "Government Data Mining Raises Privacy Concerns."
Read the Washington Post's article, "Hearings Sought on Information Awareness Office."

January 21, 2003 - Los Alamos May Have Lost Hard Drive
Federal
Computer Week reports that a computer hard drive containing classified
information may be missing from Los Alamos National Laboratory,
but because of an inventory mistake, officials say they may never
know. As part of an ongoing effort to end the management and
security scandals at the lab, staff spent much of the past two
years taking inventory of the lab's equipment. Last October, workers
at the lab found a security bar code associated with an empty metal
carrier that might once have held a hard drive. The worker who put
the bar code on the carrier admitted he had not looked inside at
the time.
Read more.

January 16, 2003 - Old Hard Drives Yield Data Bonanza
ZDNet reports
two Massachusetts Institute of Technology (MIT) graduate students
have uncovered a trove of personal and corporate information
on used disk drives. The students at MIT's Laboratory for Computer
Science bought 158 disk drives for less than $1,000 on the Web and
at swap meets. Scavenging through the drives, they found more than
5,000 credit card numbers, medical reports, and detailed personal
and corporate financial information. Their findings, titled "Remembrance
of Data Passed: A Study of Disk Sanitization Practices," are published
in the January/February 2003 issue of IEEE Security & Privacy,
a magazine published by the IEEE Computer Society.
Read ZDNet's article.
Read the report, "Remembrance of Data Passed: A Study of Disk Sanitization Practices" (PDF).
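The study's finding rests on a simple fact about how "delete" and "format" normally work: they discard the filesystem's bookkeeping and leave the data sectors alone. The following script, an added illustration rather than code from the MIT study or from this page, builds a toy disk image, writes two constructed records containing the standard Visa and MasterCard test numbers (Luhn-valid, not real accounts), deletes one file, quick-formats the disk, and carves the raw image for Luhn-valid 13-16 digit runs after each step; only a full overwrite makes the numbers disappear. The ToyDisk layout, the sample records and the function names are assumptions made for the illustration.

```python
"""Why deleted and quick-formatted drives still yield card numbers: a toy disk
image, a carver for Luhn-valid digit runs, and the one step (overwriting every
sector) that actually removes the data.  Added illustration; not code from
the MIT study.  The disk layout and the sample records are constructed."""

import re

SECTOR = 512
# 13-16 digit runs not bordered by other digits (keeps 17+ digit runs out)
CARD_RE = re.compile(rb"(?<!\d)(\d{13,16})(?!\d)")


def luhn_ok(digits):
    """Luhn check: a cheap screen that separates card numbers from random
    digit strings such as serial numbers or timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def carve_card_numbers(image):
    """Scan the raw image, ignoring all filesystem metadata, and return every
    Luhn-valid 13-16 digit run.  This is what a scavenger does with a used drive."""
    return {m.group(1).decode() for m in CARD_RE.finditer(image)
            if luhn_ok(m.group(1).decode())}


class ToyDisk:
    """Minimal 'filesystem': sector 0 holds the directory, file data follows."""

    def __init__(self, sectors=64):
        self.image = bytearray(sectors * SECTOR)
        self.directory = {}        # name -> (first sector, length in bytes)
        self.next_free = 1

    def _flush_directory(self):
        entry = ";".join(f"{n}:{s}:{ln}" for n, (s, ln) in self.directory.items())
        self.image[0:SECTOR] = entry.encode()[:SECTOR].ljust(SECTOR, b"\0")

    def write_file(self, name, data):
        start = self.next_free
        self.image[start * SECTOR:start * SECTOR + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR)       # ceiling division
        self._flush_directory()

    def read_file(self, name):
        start, length = self.directory[name]
        return bytes(self.image[start * SECTOR:start * SECTOR + length])

    def delete_file(self, name):
        """Delete the way most filesystems do: drop the entry, keep the blocks."""
        del self.directory[name]
        self._flush_directory()

    def quick_format(self):
        """Clear only the directory sector; every data sector is untouched."""
        self.directory.clear()
        self.next_free = 1
        self._flush_directory()

    def overwrite(self):
        """Sanitize: overwrite every sector, allocated or not."""
        self.image[:] = bytes(len(self.image))
        self.directory.clear()
        self.next_free = 1


def scenario():
    """Return the card numbers a carver recovers after each step."""
    disk = ToyDisk()
    # constructed sample records; the card numbers are the standard Visa and
    # MasterCard test numbers, not real accounts
    disk.write_file("orders.txt",
                    b"customer=J. Doe card=4111111111111111 exp=05/04\n")
    disk.write_file("notes.txt",
                    b"patient 55512 dx: hypertension; card on file 5555555555554444\n")
    results = {"live": carve_card_numbers(disk.image)}
    disk.delete_file("orders.txt")                 # gone from the directory...
    results["after_delete"] = carve_card_numbers(disk.image)   # ...data still there
    disk.quick_format()
    results["after_quick_format"] = carve_card_numbers(disk.image)
    disk.overwrite()
    results["after_overwrite"] = carve_card_numbers(disk.image)
    return results


if __name__ == "__main__":
    for step, cards in scenario().items():
        print(f"{step:20s} {sorted(cards)}")
```

A single overwrite pass is enough to defeat the carving shown here. The caveat for a real drive is reach rather than pass count: sectors the firmware has remapped as bad are not addressable by a program writing through the filesystem or the block device, so a drive leaving your custody needs a firmware-level erase or physical destruction, plus a record that it was done.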

January 15, 2003 - OCR Hiring Privacy Specialists for Nationwide Outreach
In an effort to allay health care industry confusion and anxiety
as the April 14 compliance date nears, HHS' Office for Civil Rights (OCR),
charged with overseeing HIPAA Privacy Rule compliance, is looking
to hire Privacy Program Specialists to provide outreach and education.
The Privacy Specialists, working out of 11 Regional Offices, will
fan out across the country to increase awareness of covered entities'
responsibilities and the public's rights under the Rule.
As part of their duties, the regional Privacy Specialists will:
- help conduct investigations;
- respond to phone and written inquiries about the Privacy Rule from covered entities and the public;
- present the Rule's requirements in meetings, conferences, seminars, and workshops; and
- serve as subject matter experts on the HIPAA Privacy Rule.
Applications are being accepted online until the closing date of February 4, 2003.
Read more.

January 14, 2003 - JCAHO Revises Business Associate Agreement with Hospitals
AHANews reports the Joint Commission on Accreditation of Healthcare
Organizations (JCAHO) has released a revised version of the business
associate agreement that hospitals must sign as part of the application
process for a JCAHO survey. The revision is meant to make the agreement
workable and acceptable to hospitals and compliant with HIPAA. The
American Hospital Association (AHA) says the revised agreement
appropriately addresses hospital concerns about an earlier version
posted on JCAHO's web site just before the holidays.
Read JCAHO's revised BA agreement (PDF).

January 14, 2003 - HHS to Hold Conferences on Privacy Rule
HHS
will be holding four national one-day conferences, two in February
and two in March, on the HIPAA Privacy Rule. The conferences are
designed to provide an opportunity to hear from and interact with
officials who developed the Privacy Rule and will be responsible
for interpreting and enforcing the rule. The HHS Office for Civil
Rights (OCR) will provide an expert faculty who will answer questions
from attendees during question-and-answer sessions following their
presentations.
The conferences will go over:
- The principles underlying the Privacy Rule.
- How the preemption rules create a national floor of privacy
protections.
- Who is a covered health care provider.
- The implications of being an affiliated covered entity, a hybrid,
or in an organized health care arrangement.
- "Business associate" issues.
- What type of information is protected under the HIPAA Privacy
Rule and what is meant by the terms "use," "disclosure,"
"minimum necessary," and "incidental disclosures."
- The Notice of Privacy Practices requirement.
- When it is necessary to obtain an authorization to use or disclose
PHI and what constitutes a valid authorization.
- Patients' rights to access, amend, and obtain an accounting
of disclosures of their health information.
- When to use an authorization for research and when research
may be conducted without an authorization.
- How research authorizations pre-dating the compliance date
are treated.
- Appropriate administrative, technical and physical safeguards.
- The requirements to train the workforce on covered entity policies
and procedures.
- The OCR complaint investigation and compliance review authority.
View our February conference calendar.
View our March conference calendar.

January 14, 2003 - Final Security Rule, Transactions Modification on Their Way
The Final Rules on the "HIPAA Security Standards"
and "Modification to Standards for Electronic Transactions
and Code Sets" were received by the White House Office of Management
& Budget, Office of Information and Regulatory Affairs (OMB/OIRA)
yesterday for review. Final clearance takes between two weeks and
90 days, after which the final version of the regulations is
placed on display at the Government Printing Office (GPO) in Washington,
DC, and then published in the Federal Register.

January 13, 2003 - AHIMA to Feds: Need Final Security Rule Now
The American Health Information Management Association (AHIMA) sent
a letter last week to the Departments of Health and Human Services
(HHS) and Defense (DOD), raising serious concerns about two events
at the end of 2002 that highlight the need for publication of the
final HIPAA security rule.
The letter, addressed to HHS Sec. Tommy Thompson and DOD Sec. Donald
Rumsfeld, and copied to officials at the White House and the Office of
Management and Budget, Sens. Bill Frist, Thomas Daschle, and David
Hobson, and Reps. Nancy Johnson and Pete Stark, points out HHS'
failure to issue the final HIPAA Security regulations on December 27,
2002, as anticipated, and the December 14 theft of thousands of health
records from a DOD contractor, TriWest.
Read AHIMA's letter to HHS/DOD Secretaries on Security.

January 10, 2003 - DOD Medical System Security to be Reviewed
According to iHealthBeat, citing Federal Computer Week, DOD has formed
a task force to review security policies for health information systems
at military medical facilities worldwide. The move follows last month's
theft of computer equipment containing the medical records of more than
500,000 military health beneficiaries. A $100,000 reward is being
offered for information that helps lead to the arrest and conviction
of those who stole the computers from the Phoenix offices of TriWest
Healthcare Alliance, a contractor in DOD's TRICARE system.
A Defense health official said the theft poses no threat to the
Composite Health Care System II (CHCS II), the Defense Department's
pilot computerized medical system. CHCS II is not part of TRICARE,
and its information is stored at very secure sites.
Read more.
Read the New York Times' article, "Officials Say Troops Risk Identity Theft After Burglary."
Read FoxNews' article, "Theft of 500,000 Defense Employee Records Could Be One of the Largest ID Theft Cases Ever."

January 8, 2003 - Rape Crisis Center Refuses Records Release
Medical
Newswire reports a rape crisis center in Massachusetts refused a
judge's order to surrender records of counseling it provided
to an alleged teen victim. Superior Court judge Peter Agnes said
he would take the center's position under advisement, but also
noted that he may decide to fine the center. An attorney for the
center said that a rape victim's privacy must be protected
and added that the defense should only be permitted to use case
data supplied at trial.
Read more.

January 7, 2003 - White House Trims Cyber-Security Plan
The Washington Post reports that the next draft of the Bush Administration's cyber-security
policy, which was due to be released by the end of December, has
been circulating among government offices and industry executives
this week, and was obtained by the Associated Press. President Bush
is expected to sign the plan, entitled the "National Strategy
to Secure Cyberspace," and announce the proposals within several
weeks.
The administration has reduced by nearly half its initiatives to
tighten security for vital computer networks, giving more responsibility
to the new Department of Homeland Security and eliminating an earlier
proposal to consult regularly with privacy experts. However, the
draft notes that "care must be taken to respect privacy interests
and other civil liberties." It also noted that the new Homeland
Security Department will include a privacy officer to ensure that
monitoring the Internet for attacks would balance privacy and civil
liberties concerns.
Meanwhile, eWeek reports an independent advisory panel, appointed
by Congress and headed by former Virginia Gov. James Gilmore, issued
a report that is sharply critical of the cyber-security policy,
saying it is tepid and relies too much on the cooperation of the
private sector. The report was highly critical of the Bush administration's
information security efforts in general and specifically criticized
the national strategy as being "a small step indeed."
Read the Washington Post's article, "A Pared-Back Security Initiative."
Read eWeek's article, "Advisory Panel Slams Bush's Cyber-security Policy."

January 6, 2003 - Survey: Industry Progress on HIPAA is Strong
TechRepublic reported last month on Gartner's sixth HIPAA panel study,
which assesses how the healthcare industry is responding to current and
impending HIPAA compliance regulations. The survey, completed in
August 2002, tracks how healthcare organizations are responding
to the challenges of HIPAA over time by studying a representative
sample of 172 randomly selected providers and payers. For the first
time, the survey found that most have embarked on tasks such as
appointing privacy and security officers, testing systems, identifying
formal employee training methods, and implementing privacy and security
policies and procedures.
Most respondents are working on privacy; 85 percent report having
at least started developing revised policies and procedures. Although
almost 70 percent of respondents report that they have begun implementing
the transactions standards, organizations are largely at the mercy
of their software vendors, most of whom are still working on their
compliance upgrades. For this reason, HIPAA.org launched last October
an online directory of software products showing which HIPAA
transactions each product currently supports.
Read more.
Take our HIPAA survey to see where your organization stands in relation to the rest of the industry.
View HIPAA.org's Practice Management System Directory.

January 6, 2003 - Homeland Security Office Told to Answer Queries on National IDs
The Office of Homeland Security lost the first
round in a legal fight to keep its activities secret, reports the
Washington Post. A federal judge in Washington ruled the Office
will have to answer questions about its power over other federal
agencies if it wants to have a lawsuit seeking access to its records
dismissed. The ruling favored the Electronic Privacy Information
Center (EPIC), which is trying to get Homeland Security records
on proposals for a national driver's license and for a "trusted
flyer" program that relies on biometric information to identify
airline passengers.
Read more.