January 2004 News Archives
January 29, 2004 Industry Groups Urge Changes in TCS Implementation Process
The Workgroup for Electronic Data Interchange (WEDI)
held a special public hearing on January 27 to report to the Secretary
of the Department of Health and Human Services (HHS) information
from the healthcare industry on HIPAA Transactions and Code Sets
(TCS) implementation. The American Medical Association (AMA), the
American Hospital Association (AHA), the Medical Group Management
Association (MGMA), and Phoenix Health Systems on behalf of the
Healthcare Information and Management Systems Society (HIMSS) testified
that the HIPAA standards should be consistent with the goals of administrative
simplification. The groups made several recommendations to smooth
the transition to compliance with HIPAA regulations.
Read the groups' recommendations
and testimony.
January 29, 2004 AHA: Hospitals Experiencing HIPAA 'Burnout' as Security Rule Looms
AHA News reports the American Hospital Association
(AHA) testified before the National Committee on Vital and Health
Statistics' (NCVHS) Standards and Security Subcommittee Jan. 27.
AHA said that many hospitals are still focused on ensuring their
compliance with the HIPAA transactions and code sets (TCS) standards,
and do not have the energy or resources to concentrate on the newer
security standards. A recent AHA poll of 475 member health care
organizations found that, while more than 40% had begun their security
risk analysis, only about one-quarter had begun to implement the
other provisions of the security rule.
Read
more.
January 27, 2004 New "Mydoom" Worm Spreading Rapidly
A fast-spreading email worm is infecting computers across the globe.
While the new bug targets computers running Microsoft's Windows
operating system, the issue is not necessarily security flaws in
Microsoft's products so much as it is computer users who continue
to ignore the advice of cyber-security experts. Aided by unwitting
users, the mass-mailing worm, called "Mydoom" or "Novarg,"
appeared to be spreading faster than other recent viruses. "This
is the first major virus outbreak of 2004," said Mark Sunner, chief
technology officer of computer security firm MessageLabs.
Read
more.
More
from Symantec on the W32.Novarg.A@mm worm.
January 27, 2004 NIST Releases IT Security & Risk Management Drafts
NIST has completed Revision A of NIST Special
Publications 800-27, "Engineering Principles for Information
Technology Security (A Baseline for Achieving Security)" and
800-30, "Risk Management Guide for Information Technology Systems."
In response to public comments received after the release of the
original document, Revision A updates SP 800-27 by grouping principles
into categories to facilitate understanding and use. SP 800-30 has
been updated to reflect the results of the FISMA
Implementation Project, to improve internal consistency within
the document, and to generally improve the document's readability. NIST
requests comments on the draft revisions by March 20, 2004. Comments
should be addressed to: gary.stoneburner@nist.gov.
View
NIST's draft publications.
January 23, 2004 CMS Posts New Provider ID Rule & TCS Complaint Filing Info
In addition to officially publishing the National
Provider Identifier (NPI) Final Rule in the Federal Register today,
CMS posted to its website new information on how to file a HIPAA
transactions and code sets (TCS) complaint in
writing using the complaint form (PDF) or electronically by
accessing the Administrative Simplification
Enforcement Tool (ASET). CMS recommends complaints be filed
electronically using the ASET tool as it will expedite the process
and allow the user to track the status of the complaint online.
CMS' Office of HIPAA Standards (OHS) will use the information submitted
to help resolve complaints. The primary goal of the enforcement
process is to foster voluntary compliance.
It is recommended that before filing a complaint, all covered entities
should read OHS’ enforcement approach to TCS compliance available
on the CMS HIPAA website.
Filing a HIPAA transaction complaint with OHS should be a last-resort
effort to resolve disputes after consulting various HIPAA resources,
such as the official HIPAA Implementation Guides, the ANSI X12 transactions,
and the National Drug Codes standards. Patients are advised to attempt
to resolve the issue with the provider and payer prior to registering
a complaint.
Read more on the NPI Final Rule published
today.
View the NPI Final
Rule.
January 22, 2004 CMS Announces Provider Identifier for Use in HIPAA Standard Transactions
The Centers for Medicare & Medicaid
Services (CMS) today announced the adoption of the National Provider
Identifier (NPI) as the standard unique identifier for healthcare
providers to use in filing and processing HIPAA transactions. A
final rule establishing the NPI went on display today at the office
of the Federal Register and will be published tomorrow, January
23. The compliance date for all but small health plans is May 23,
2007.
The NPI is a new number that will be issued through the National
Provider System, which is being developed by CMS. The NPI replaces
all "legacy" identifiers that are currently being used.
Any healthcare provider may receive an NPI. All covered entity healthcare
providers, however, must obtain NPIs. The system that will
handle the assignment of NPIs will be ready to accept applications
for NPIs after the effective date of the final rule, which is May
23, 2005.
Read more.
January 21, 2004 AHIMA Releases Electronic Health Record Standards
The American Health Information Management Association (AHIMA) has
released best practice standards for electronic health records.
The standards include information on implementing electronic signatures,
core data sets for the physician practice electronic health record,
and speech recognition in the electronic health record. AHIMA plans
to develop additional practice standards in other key electronic
health record areas on a quarterly basis. The following six guidance
reports are now available:
- The Complete Medical Record in a Hybrid EHR Environment
- Implementing E-Signatures
- Email as a Provider-Patient Electronic Communication Medium and Its
Impact on the Electronic Health Record
- Electronic Document Management as a Component of the Electronic Health Record
- Core Data Sets for the Physician Practice Electronic Health Record
- Speech Recognition in the Electronic Health Record
January 16, 2004 NIST Publishes Computer Security Incident Handling Guide
NIST has published its Computer Security Incident Handling
Guide, SP 800-61, superseding SP 800-3, Establishing a Computer
Security Incident Response Capability (CSIRC). The NIST publication
helps both established and newly formed incident response teams
respond effectively and efficiently to a variety of incidents. The
guide covers:
- organizing a computer security incident response capability,
- establishing incident response policies and procedures,
- structuring an incident response team, and
- handling incidents from initial preparation through the post-incident
lessons learned phase.
It also discusses steps (prevention, preparation, containment,
eradication, and recovery) for handling a range of incidents, such
as denial of service, malicious code, unauthorized access, inappropriate
usage, and multiple component incidents and potential scenarios to
examine in preparation for major incidents.
Download
NIST's "Computer Security Incident Handling Guide"
(PDF).
January 15, 2004 WEDI Public Hearing on HIPAA Implementation Issues
The Workgroup for Electronic Data Interchange (WEDI), an authorized
advisor to the Secretary of the Department of Health and Human Services
(HHS), will be holding a special public hearing on January 27 in
Tampa, FL, to gather information from the healthcare industry on
HIPAA implementation. The hearing will allow organizations to present
their concerns and recommendations regarding implementation of the
HIPAA electronic transactions and code sets (TCS) regulation and
other pending regulations. No registration is required for the free
event to be held from 8 AM to 5 PM EST at the Grand Hyatt Tampa
Bay.
WEDI has formed a Task Group to collect, analyze, and prepare recommendations
to the Secretary to represent the industry perspective. WEDI is
seeking input from healthcare industry representatives on the following:
- The readiness of Health Plans, Providers, Clearinghouses for
HIPAA Compliance as well as business associates and vendor partners;
- Information regarding X12N transaction data content concerns;
- Sequencing and strategies for the implementation of future
HIPAA regulations; and
- Obstacles and issues the healthcare industry has been dealing
with in achieving compliance.
Read
more.
January 13, 2004 ACLU Asks Court to Protect Confidentiality of Rush Limbaugh’s Medical Records
In a motion filed yesterday,
the American Civil Liberties Union (ACLU) of Florida said state
law enforcement officers violated Rush Limbaugh’s privacy
rights by seizing the radio talk show host's medical records as
part of a criminal investigation involving alleged "doctor-shopping."
"While this case involves the right of Rush Limbaugh to maintain
the privacy of his medical records, the precedent set in this case
will impact the security of medical records and the privacy of the
doctor-patient relationship of every person in Florida," said
Howard Simon, Executive Director of the ACLU of Florida.
The ACLU’s request to submit a "friend-of-the-court"
brief on behalf of Limbaugh was filed with the Fourth District Court
of Appeal. The ACLU said in its motion that the state infringed
on Florida’s constitutional right to privacy when it failed
to follow well-established protocol, mandated by law, when confiscating
Limbaugh’s medical files. The organization stated that its
interest in the case was "to vindicate every Floridian’s
fundamental right to privacy by ensuring that the state be required
to comply" with the law.
Read the ACLU’s motion
(PDF).