August 2005 News Archives
August 26, 2005 WEDI Launches NPI Outreach Initiative
The Workgroup for Electronic Data Interchange (WEDI) announced yesterday the launching of its National Provider Identifier Outreach Initiative (NPIOI). The intent of the WEDI NPIOI is to create a national coordinated strategy that 1) helps ensure early awareness across all covered entities and affected organizations; 2) provides a consistent level of understanding regarding the regulations; and 3) promotes the sharing of information regarding NPI planning, transition and implementation experiences, approaches and timelines. As part of this Initiative, WEDI is creating the National NPI Resource Center, a dedicated website where all NPI-related information, documents, Policy Advisory Group (PAG) reports, WEDI Strategic National Implementation Process (SNIP) NPI white papers, web links and other NPI resources will be consolidated.
August 22, 2005 OCR Posts New Privacy Rule FAQ on Disclosing PHI for the Retiree Drug Subsidy
The Office for Civil Rights posted a new Frequently Asked Question (FAQ) on its web site, clarifying the conditions under which a group health plan or health insurance issuer may disclose protected health information (PHI) to a plan sponsor for purposes of the Retiree Drug Subsidy. The FAQ asks, "Can a group health plan, or health insurance issuer with respect to a group health plan, disclose to the plan sponsor the protected health information (PHI) required by the Centers for Medicare and Medicaid Services (CMS) for the retiree drug subsidy, without obtaining the individual’s authorization?"
The answer is, "Yes, when the conditions set forth in 45 CFR 164.504(f) of the HIPAA Privacy Rule have been met. Specifically, 45 CFR 164.504(f)(3)(i) allows a group health plan or a health insurance issuer with respect to the group health plan – or its business associate – to disclose PHI to a plan sponsor to carry out plan administration functions as long as it meets the requirements of 45 CFR 164.504(f)(2). As such, where the plan sponsor is carrying out the plan administration function of submitting to CMS the PHI required by 42 CFR 423.884 for the retiree drug subsidy, 45 CFR 164.504(f)(2) sets forth how the group health plan’s plan documents are to be amended to allow the group health plan to permit its health insurance issuer (or business associate, such as a third party administrator) to disclose PHI, without the individual’s authorization, to the plan sponsor of the group health plan. As with other disclosures for plan administration functions, the PHI disclosed must be limited to the minimum necessary to fulfill the requirements of 42 CFR 423.884."
August 22, 2005 Healthcare Organizations Lead Push for Medical Device Security
Healthcare industry organizations earlier this month sent a letter to HHS Secretary Michael Leavitt asking for the government to provide guidance on ways to secure medical devices, reports Healthcare IT News. The Healthcare Information and Management Systems Society (HIMSS), the American College of Clinical Engineering (ACCE), and ECRI, a not-for-profit health services research agency that advises hospitals protecting computer-based medical devices, say that medical devices have become more vulnerable to threats such as viruses and hackers as healthcare IT systems are increasingly integrated with medical devices. Explains Steve Grimes, president-elect of the American College of Engineering and chair of the HIMSS Medical Device Security Workgroup, "Medical devices represent 75 percent of what carries healthcare information. It is a critical area for security."
August 18, 2005 CMS Releases Sixth HIPAA Security Educational Paper
The Centers for Medicare and Medicaid Services (CMS) has released the sixth paper, "Basics of Risk Analysis and Risk Management," in its planned series of seven HIPAA Security Educational Papers. The paper reviews security rule implementation specifications, the basic concepts of risk analysis and management, and general steps to conduct assessments. The papers, most of which were released shortly before or after the April 20 compliance deadline, are designed to explain specific requirements of the rule from those who will enforce it, the thought process behind the requirements, and possible ways to address the provisions. The other papers in the series are:
- Security 101 for Covered Entities
- Security Standards - Administrative Safeguards
- Security Standards - Physical Safeguards
- Security Standards - Technical Safeguards
- Security Standards - Organizational, Policies and Procedures, and Documentation Requirements
August 16, 2005 AHA Warns Hospitals: Look Out for ID Theft
High-profile cases of multiple identity theft aren't only problems for firms such as Citibank, Bank of America and Lexis Nexis - hospitals are vulnerable, too, as demonstrated by a recent crime in the suburbs of Washington, DC, reports the American Hospital Association (AHA). AHA is urging its members to review their privacy policies and procedures for protecting patients' personal information. In the Northern Virginia incident, a hospital employee was arrested for allegedly stealing personal information from 35 patients and seven nurses and using that information to open fraudulent credit card accounts. The employee has been charged with conspiring to commit identity theft and violations of HIPAA's privacy provision on disclosing medical information.
August 16, 2005 NIST Creates Online Cybersecurity Database
The National Institute of Standards and Technology (NIST) has launched a comprehensive cybersecurity database that is updated daily with the latest information on vulnerabilities in popular products, reports Federal Computer Week. The National Vulnerability Database (NVD) integrates all publicly available US government vulnerability resources and provides references to industry resources. The database contains about 12,000 vulnerability entries and about 10 new ones are added each day.
August 12, 2005 Patient ID is Trouble Spot for Federal Commission
In its last in-person meeting, a federal advisory commission on interoperability among health information systems was unable to agree on whether to recommend issuance of national health identification numbers for Americans, reports Government Health IT. Although members of the Commission on Systemic Interoperability earlier had tentatively agreed that such an ID number would be the "most direct" way to link patients' records residing in doctors' offices, hospitals, pharmacies and health plans, they backed off the recommendation Wednesday and were considering what recommendation they could agree on.
August 9, 2005 Private Practices & Unauthorized Use or Disclosure of PHI Top OCR's Privacy Rule Complaints
As of June 30, 13,733 complaints alleging Privacy Rule violations have been filed with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), reports the Fort Wayne News-Sentinel. Two-thirds of them have been resolved in one way or another, and the other third are open cases. So far, 217 cases have been sent to the US Department of Justice for criminal investigation. According to OCR, the top five entities, ranked in order, against which HIPAA complaints have been filed are:
- Private healthcare practices
- General hospitals
- Pharmacies
- Outpatient facilities
- Group health plans
The top five allegations, ranked in order, raised most frequently in complaints are:
- Impermissible use or disclosure of an individual’s identifiable health information.
- Lack of adequate safeguards.
- Refusal or failure to provide the individual with access to his/her records.
- Disclosure of more information than is minimally necessary to satisfy a particular request.
- Failure to have the individual’s valid authorization for a disclosure that requires such authorization.
August 5, 2005 CMS Ending Contingency Plan Oct. 1 for Non-HIPAA-Compliant Medicare Claims
Centers for Medicare & Medicaid Services (CMS) Administrator Mark McClellan formally announced yesterday that beginning Oct. 1, CMS will not process electronic Medicare claims for payment unless they comply with HIPAA. Non-compliant claims will be returned to the filer for re-submission as compliant claims. CMS had said in its Transmittal 450, dated January 31, 2005, that effective July 1, it intended to discontinue its contingency plan allowing providers to transmit non-compliant Medicare transactions. As of June, only about 0.5 percent of Medicare fee-for-service providers submitted non-HIPAA-compliant electronic claims. The highest rate of non-compliant claims as of May was from clinical laboratories, 1.72 percent. Only 1.45 percent of claims from hospitals were non-compliant and 0.45 percent from physicians. Although the contingency continues for other electronic healthcare transactions, CMS expects to end the contingency plan for those transactions in the future, beginning with the remittance advice transaction.
August 4, 2005 AHIMA Calls for ICD Code Updates
The American Health Information Management Association (AHIMA) is calling on the Department of Health and Human Services (HHS) to update the set of codes that designate diagnoses and treatments for medical records and billing, reports Federal Computer Week. The association may have found some support in Congress. Linda Kloss, executive vice president and chief executive officer of the association, told a House subcommittee last week that the US is the only major industrialized nation still using the 30-year-old code set known as the International Classification of Diseases, Ninth Revision, Clinical Modification (ICD-9-CM). The old set, which HHS agencies developed, "is not meeting current healthcare data needs and cannot support the transition to an interoperable health data exchange in the US," Kloss said in her testimony before the House Ways and Means Committee's Health Subcommittee.
August 3, 2005 Health Network Costs Projected at $156 Billion
The price tag to develop the National Health Information Network (NHIN) is estimated at $156 billion in capital costs over a five-year period, according to a study published this week in the Annals of Internal Medicine, reports Government Health IT. The study pegs the network's annual costs at $48 billion. Although these cost estimates appear staggering, the report, "The Cost of a National Health Information Infrastructure," states that the $156 billion in capital costs represents 2 percent of annual health care spending.
August 3, 2005 Bill to Further Health IT Would Allow HIPAA to Supersede State Laws
Rep. Nancy Johnson (R-CT) is crafting healthcare IT legislation, bolstering the chances for Congress to pass a bill aimed at encouraging widespread use of technology in healthcare, reports Healthcare IT News. Johnson, chair of the House Ways and Means Subcommittee on Health, plans to introduce a bill that would allow federal HIPAA privacy and security regulations to supersede any state privacy and security laws. The federal government has announced plans to study how state privacy laws could hamper healthcare IT uptake.
Dr. David Brailer, National Coordinator for Health IT at the Department of Health and Human Services (HHS), told members of the committee last week that a drive to increase interoperability and the drive to use electronic health records would help get information where it is needed when it is needed, reports UPI. "The challenge here is how to adapt security/privacy issues with sharing information," Brailer said in response to a question posed by Rep. Pete Stark (D-CA) about his opinion of HIPAA.
Read Healthcare IT News' article, "House Lawmaker to Introduce Healthcare IT Legislation." 
Read Science Daily's article, "Experts Press for Health IT Leadership." 
August 3, 2005 Semi-Annual HIPAA Survey Finds No Pain, No Gain on HIPAA Compliance
With all three major HIPAA deadlines now officially passed, a large percentage of covered healthcare organizations have yet to achieve many HIPAA basics, according to the results of the US Healthcare Industry HIPAA Survey, sponsored by the Healthcare Information and Management Systems Society (HIMSS) and Phoenix Health Systems. For the first time in the survey's six-year history, results indicated that many healthcare organizations have simply chosen not to implement many, if not all, HIPAA requirements. The two most reported "roadblocks" to HIPAA compliance in the Summer 2005 survey were "no public relations or brand problems anticipated with noncompliance" and "no anticipated legal consequences for non-compliance."
According to the Workgroup for Electronic Data Interchange's (WEDI) Synopsis of July 14, 2005 (Volume 6, Issue 7), the Centers for Medicare and Medicaid Services (CMS) has received 13 Security Rule complaints as of June 15, 2005. This includes complaints submitted to CMS and Privacy complaints shared by the Office for Civil Rights (OCR) which may involve Security Rule issues. OCR has received 13,000 complaints as of May 2005.