March 2003 News Archives

March 31, 2003 Searchers May Google Your Patient Records
According to AMNews from the American Medical Association, Wired.com recently
reported that hackers used Google as a shortcut to infiltrate computer
networks that were not properly secured. In one particular instance,
hackers typed into Google a phrase that commonly appears in databases.
While most of the databases listed were secure or contained mundane
information, a few had sensitive information that hackers were able
to access because users had not changed the default passwords that
came with the system. For example, the hackers accessed a database
containing personal and medical information of more than 5,000 neurosurgery
patients at the Drexel University College of Medicine in Philadelphia
by typing the name of the database product into the user ID and
password fields.

March 26, 2003 From HHS: New Privacy FAQs and Guidance on Disclosures During Surveys and Certification
The Department of Health and
Human Services recently issued new FAQs providing answers to questions
concerning:
- Preemption of state law and requests for preemption exception
determinations.
- Disclosure of protected health information to protect against
bioterrorism.
- Nursing home reporting of admissions information concerning
Social Security Income recipients to the Social Security Administration.
The Centers for Medicare and Medicaid Services (CMS) also issued
a Review of Protected Health Information and Applicability of Business
Associate Agreements Under HIPAA for the Purposes of Survey and
Certification. This guidance, addressed to survey and certification
regional offices and state survey agency directors, provides CMS'
analysis of the allowable protected health information that can
be disclosed during a Medicare/Medicaid survey and whether business
associate agreements are required with the health facilities being
surveyed or certified.
Read the new Privacy FAQs.
Read the Review of PHI and Applicability of BA Agreements Under HIPAA for
the Purposes of Survey and Certification (PDF).

March 25, 2003 Minnesota Health Database on Hold
After weeks
of debate, the Minnesota Health Department has withdrawn its proposal
to create a medical database using information gleaned from medical
records without patient consent or knowledge, reports the St. Paul
Pioneer Press. Under the proposal, the department would collect
patient billing data, including names, birthdates and diagnoses,
from hospitals, clinics and doctors. The data would be encrypted
to protect patients' identities and then stored on a secure computer
in a locked room. Supporters claim the database is critical to protecting
the public's health and could help the department track quality
of care, but opponents argue that the state's proposal is an invasion
of patient privacy.

March 24, 2003 IN TWO DAYS: OCR & CMS Conference Call on Privacy Compliance & Enforcement
OCR in conjunction with the Centers
of Medicare and Medicaid Services (CMS) is conducting a HIPAA Privacy
Implementation Roundtable conference call this Wednesday, March
26, 2003 from 2:00 - 3:30 PM ET. On the agenda are a brief presentation
about compliance/enforcement of the HIPAA Privacy Rule followed
by a questions-and-answers period.
The call-in number is 1-877-381-6315. The conference identification
number is 8691541. No registration is required, but participants should call
in at least fifteen minutes before the start of the meeting.
For questions concerning the Roundtable, contact Roberta Bostick
by phone at 202-619-2840 or email at: Roberta.Bostick@hhs.gov.

March 24, 2003 OCR Sets Privacy Complaint Process
The Office
of Civil Rights (OCR) has published a notice explaining how to file
a complaint of an alleged violation of medical confidentiality under
the HIPAA privacy rule. On March 20 the office, which will enforce
the rule, published the notice in the Federal Register. The notice
includes the address of the agency's ten regional offices and
an email address to which individuals can send complaints.

March 24, 2003 First Federal eGov Health Information Exchange Standards Announced
The three federal departments that deliver health
care services, the Departments of Health and Human Services (HHS),
Defense (DOD), and Veterans Affairs (VA), announced late last week
the first set of uniform standards for the electronic exchange of
clinical health information to be adopted across the federal government.
These standards are part of the foundation of the National Health
Information Infrastructure that will serve consumers, patients,
health care providers and public health professionals. Standardized
information exchange, with privacy and security protections, makes
portable electronic medical records more likely and easily achievable.

March 24, 2003 JCAHO, NCQA Mull HIPAA Business Associate Program
IHealthBeat reports the Joint Commission on Accreditation of Healthcare
Organizations and the National Committee for Quality Assurance recently
announced that they will consider collaborating on a privacy certification
program to help business associates comply with HIPAA. Health care
organizations are required to ensure that their business partners
safeguard medical data.

March 19, 2003 Getting Hospital Info Gets a Lot Tougher for Reporters April 14
According to Washington state's newspaper industry,
reporters accustomed to getting information from hospitals and other
health care providers will experience a sea change on April 14.
In Washington State, associations are working together to create
a model policy in which patients are assumed to be part of the directory
unless they opt out. Representatives of the Washington State Hospital
Association, Washington State Medical Association, Washington Association
of Broadcasters, Allied Daily Newspapers of Washington and Washington
Newspaper Publishers Association met recently to update the "Guide
to Cooperation" that's directed media-hospital interactions
since the 1950s. Though the next opportunity to modify HIPAA will
come in late summer, the department has ignored comments filed by
newspaper associations for the past two years.

March 19, 2003 Study: Human Error Causes Most Security Breaches
Human error, not technology, is the most significant cause of information
technology (IT) security breaches, according to a security survey
released by the Computing Technology Industry Association Inc. (CompTIA).
The survey, "Committing to Security: A CompTIA Analysis of
IT Security and the Workforce," suggests more IT training and
skills certification are key toward ensuring greater network security.

March 18, 2003 Med Schools Now Seeking Consent for Student Exams of Unconscious Patients
The Toronto Star reports some of the
leading US medical schools are now asking permission before letting
students perform pelvic exams on women while they are under anesthesia.
Previously, these institutions routinely brought in students to
conduct pelvic exams on unconscious women just before their gynecological
surgeries and often without their consent. Changes took place in
the last five years after complaints from students who felt the
exams without consent were unethical.

March 13, 2003 NEMA & AHA Release Sample HIPAA BA Agreement
The National Electrical Manufacturers Association (NEMA) has released
a sample HIPAA business associate agreement for use by its member
medical device manufacturers that might be business associates of
hospitals. AHA worked closely with NEMA to ensure the agreement
incorporates properly the regulatory requirements of the HIPAA privacy
rule and achieves an appropriate balance in addressing the legitimate
business concerns of both hospitals and their business partners
who are NEMA member organizations. NEMA expects to make no further
changes to the language of the agreement at this time. AHA is advising
member hospitals to work with their respective legal counsel to
ensure the agreement is appropriate for the organization's unique
situation and precise business relationship needs.

March 13, 2003 Payers Put Their TCS Testing Schedules Online
Health Data Management reports twenty-two payers, mostly Blues plans,
have published their HIPAA transactions testing and implementation
schedules on a new web site. The site, created by the Council for
Affordable Quality Healthcare (CAQH) and the Workgroup for Electronic
Data Interchange (WEDI), intends to ease potential provider confusion
related to 2003 HIPAA-mandated changes in health plan-provider electronic
interactions.

March 12, 2003 HHS Releases Process for Requesting State Preemption of HIPAA
Yesterday's edition of the Federal Register contained
a notice from the Department of Health and Human Services (HHS)
outlining the process for requesting a state exemption of the HIPAA
regulations. The notice also makes clear the boundaries of what
HHS can exempt and the reasons that may be used to justify an exemption.
Requests must be made to HHS in writing and in the format specified
in the notice.
Read the Federal Register Notice.

March 11, 2003 CMS Issues Corrections to Recently-Released Transaction Modifications
The March 10 issue of the Federal Register contains
a correction notice for the Modifications to Transactions and Code
Sets regulation published on February 20. The notice fixes some
significant errors in the February 20 publication. A single corrected
version will not be published in any individual issue of the Federal
Register. When the next Code of Federal Regulations is published
(towards the end of this year) it will contain the corrected version.
Read the Federal Register Correction Notice (PDF).
Read the Modifications to Transactions and Code Sets regulations.

March 10, 2003 URAC Releases Draft HIPAA Security Accreditation Standards For Public Comment
Seeking to help healthcare organizations,
URAC (also known as the American Accreditation Healthcare Commission)
has released for public comment a draft set of HIPAA Security Accreditation
standards. "The purpose of this accreditation program is to
verify that an organization has put in place the necessary infrastructure
and implemented the necessary processes to comply with the HIPAA
Security Rule," said Garry Carneal, URAC president and CEO.
Comments on the draft standards are due by April 9, 2003.
Read more, including the draft standards.

March 10, 2003 Bush Pledges to Increase Healthcare IT Spending
Modern Physician reports that more than 90 healthcare groups are
praising President Bush's pledge to boost funding for healthcare
IT, although the details are still vague. Bush is calling for a
53% increase in "funding to help hospitals use information
technology to keep better records, to share that information with
doctors so that we can continue to improve patient safety,"
in his 2004 budget proposal. He has not, however, specified any
dollar amounts or funding sources.
Read the President's speech announcing framework to modernize and improve
Medicare.
Read the Framework to Modernize and Improve Medicare Fact Sheet.

March 4, 2003 HHS: Voluntary Compliance 'Most Effective' Way to Protect PHI
Modern Physician reports Office of Civil Rights
(OCR) Director Richard Campanelli attempted to allay healthcare
industry fears by reiterating that HHS will not be going out of
its way to hunt down and penalize healthcare organizations that
violate the privacy rules. "OCR's goal is not to maximize enforcement.
Our goal is to protect personal health information," Campanelli
told an audience this weekend at an HHS national conference on the
HIPAA privacy rule. "Voluntary compliance is the most effective
way to do this," according to Campanelli.
OCR's web site will soon provide further information about how to file
a complaint, including a sample complaint form and an address for
the public to send complaints. However, Campanelli recommends that
the public complain to the covered entity first before going to
federal officials about privacy breaches.

March 4, 2003 Hacker Accesses 7,000 Patient Files
The Indianapolis
Star reports an automated probe slipped into a computer at Indiana
University's Center for Sleep Disorders in late November, possibly
compromising thousands of patients' personal information. The break-in
was discovered January 3, according to the school's chief information
officer, Vince Sheehan. University officials sent letters on February
12 to 7,000 patients who have attended the sleep center in the past
14 years. Sheehan said it took six weeks for the university to send
letters to patients because some older records did not contain up-to-date
address information. While the hacker's program was able to roam through
patient identification files, it was not able to gain access to detailed
medical information, Sheehan said.