August 2004 News Archives

August 27, 2004 OCR Answers How Privacy Rule Relates to State Public Records Laws

The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has issued guidance on how the HIPAA Privacy Rule relates to state public records laws, also known as open records or freedom of information laws, which provide for public access to government records. If a state agency is not a "covered entity," it is not required to comply with the HIPAA Privacy Rule. If a state agency is a covered entity, however, the situation gets complicated.

Read the full FAQ concerning state public records laws.


August 25, 2004 Feds Get First HIPAA Privacy Conviction

A former employee of the Seattle Cancer Care Alliance has pleaded guilty to violating the HIPAA Privacy Rule, the first criminal conviction under the rule, reports Health Data Management. Richard Gibson pled guilty to one count of wrongful disclosure of individually identifiable health information, agreeing to accept a sentence of 10 to 16 months, plus restitution to the credit card companies and patient. Under the HIPAA Privacy Rule, criminal use of a patient's information for personal gain is punishable by imprisonment for up to 10 years and a fine of up to $250,000.


August 19, 2004 OCR Issues New Privacy Rule Fact Sheets for Consumers

The Department of Health and Human Services' Office for Civil Rights (OCR) has issued two new Fact Sheets which provide an easy-to-understand overview of what the Privacy Rule means to consumers. The first Fact Sheet, entitled "Privacy and Your Health Information," is a general overview of the Rule, explaining that the Privacy Rule gives individuals rights over their health information, sets rules and limits on how information can be used and disclosed, and requires covered entities to take steps to protect health information. The second Fact Sheet, "Your Health Information Privacy Rights," focuses on each of the privacy rights individuals have under the Privacy Rule.

View the "Privacy and Your Health Information" Fact Sheet (PDF).

View the "Your Health Information Privacy Rights" Fact Sheet (PDF).


August 18, 2004 GAO Reviews HHS' HIT Efforts & Barriers to Adoption

A preliminary accounting by the Government Accountability Office (GAO) of efforts at the Department of Health and Human Services (HHS) shows that the agency has about 19 major health information technology initiatives, totaling about $228 million, reports Federal Computer Week. GAO officials, who responded to a request by Sen. Judd Gregg (R-NH), chairman of the Senate Committee on Health, Education, Labor and Pensions, reviewed HHS' major activities in promoting health IT and legal barriers to providers' adoption of health IT. The report indicates that, beyond privacy and security, various laws – involving fraud and abuse, antitrust, federal income tax, intellectual property, malpractice and state licensing – present barriers to health IT adoption.

Read the GAO report: "HHS's Efforts to Promote Health Information Technology and Legal Barriers to Its Adoption" (PDF).


August 13, 2004 CMS Posts a Dozen New Security Rule FAQs

The Centers for Medicare and Medicaid Services (CMS) yesterday posted on its web site 12 new and one updated frequently asked questions with answers regarding the HIPAA Security Rule:

  1. Does the HIPAA Security Rule allow for sending electronic PHI in an email or over the Internet?
  2. What does the HIPAA Security Rule mean by physical safeguards?
  3. Do the HIPAA Security Rule requirements for access control apply to employees who work from home?
  4. What is the difference between Risk Analysis and Risk Management in the HIPAA Security Rule?
  5. How will we know if our organization and our systems are compliant with the HIPAA Security Rule’s requirements?
  6. Are covered entities required to use the NIST guidance documents referred to in the final Security Rule?
  7. Does the HIPAA Security Rule apply to written and oral communications?
  8. Are we required to “certify” our organization’s compliance with the HIPAA security standards?
  9. Does the Security Rule mandate minimum operating system requirements for personal computer systems?
  10. Does the HIPAA Security Rule require the use of an electronic or digital signature?
  11. What is a system vulnerability?
  12. What is encryption?
  13. Is mandatory encryption in the HIPAA Security Rule?

Read CMS' new & updated Security FAQ.


August 13, 2004 Medical Experts Say Yankees' First Baseman Not Obliged to Disclose

Experts in medical law and ethics say Yankees' All-Star first baseman Jason Giambi is entitled to his privacy and under no obligation to tell fans details about the benign tumor that he blames for his health problems this season, reports Newsday. But the same experts said HIPAA does not govern baseball teams and does not prevent Yankees general manager Brian Cashman from discussing the tumor. Cashman had pointed to the HIPAA privacy provisions when he refused to answer reporters' questions about the location of the tumor.


August 13, 2004 Fed-up Hospitals Defy Patching Rules

Amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device makers that have delayed or prevented such updates, reports Network World. Viewing the failure to apply patches as a possible violation of HIPAA, hospital IT executives say they can't ignore the risks from computer worms and hackers getting into unpatched Windows-based devices.


August 10, 2004 Healthcare IT Vendors Form New Alliance to Facilitate e-Prescribing

A new industry initiative formed by nine healthcare IT vendors was announced today at the National Council for Prescription Drug Programs' (NCPDP) Educational Forum in San Francisco. The new Cafe Rx coalition seeks to accelerate the adoption of e-Prescribing, the ability for a physician to electronically submit a "clean" prescription directly to a pharmacy from the point of care.

To encourage the adoption of e-Prescribing, Cafe Rx will provide payers and physicians with successful strategies and best practice models; offer extensive information on e-Prescribing through its web site, CafeRx.org; launch a program to educate physicians and their office staffs about the value of e-Prescribing; and support lobbying efforts that urge federal and state governments to incent the adoption of e-Prescribing and electronic medical records.


August 5, 2004 Hospital: Worker Stole Patients' Data

Almost two months ago, an administrative employee at Orlando Regional Healthcare allegedly stole hundreds of patient documents apparently intending to sell them, reports the Orlando Sentinel. But Orlando Regional discovered the scheme in late July and the worker was fired, hospital officials said Monday. The ex-employee copied about 250 patient admission records from late May to early June, and tried to sell the information to a local referral service for doctors and lawyers, the hospital said. But the referral service informed Orlando Regional, obtained the data and returned it. In addition to firing the worker, the hospital said it has notified federal authorities about possible violations of the HIPAA Privacy Rule.


August 4, 2004 NCVHS Studying e-Prescribing Issues

The National Committee on Vital and Health Statistics (NCVHS), Subcommittee on Standards and Security (SSS), will meet later this month to draft a preliminary recommendation letter for national standards for electronic prescriptions. August 17-19, the subcommittee will be presenting its findings from hearings held in late July on standards for e-prescribing to standards development organizations and terminology developers for reaction. The subcommittee will then draft a preliminary recommendation letter for possible presentation to the full NCVHS in September.

View the agenda for the meeting.


August 4, 2004 HHS: Begin Work Right Away on NHII Findings, Industry Says It Will Be Hard

National Healthcare IT Coordinator Dr. David Brailer told attendees at the recent National Health Information Infrastructure (NHII) 2004 meeting in Washington, at which the Department of Health and Human Services' health IT framework was released to much fanfare, that healthcare informatics stakeholders should begin working immediately to implement recommendations made during the conference, reports Health-IT World News. The recommendations from the 10 breakout groups at the conference note the needs for interoperable systems and a certification process for health IT, particularly electronic health records. Industry and organization leaders now seeking to reach the government's goal of a wired healthcare system say the framework represents only the starting point for future investment.

Read the Health-IT World News article, "Brailer Urges 'Action' While Wrapping Up NHII 2004."

Read the Health-IT World News article, "NHII 2004 Afterglow Wears Off, Now the Hard Work Begins."

Read the NHII 2004 Conference materials.


August 4, 2004 NIST Says Data Encryption Standard Now Inadequate

The National Institute of Standards and Technology (NIST) says that with the advent of parallel computing, the Data Encryption Standard (DES) is now inadequate to protect information. NIST is proposing that the government withdraw Federal Information Processing Standard (FIPS) certification for DES, a move that could have ripple effects throughout the technology sector and force a wide range of legacy systems into early retirement, reports Computerworld. NIST is proposing that federal agencies use DES only as a component of the Triple Data Encryption Algorithm, also known as Triple DES. However, NIST encouraged agencies to implement the stronger and faster Advanced Encryption Standard algorithm instead.



HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.
