June 2005 News Archives
June 29, 2005 Commission Mulls State Medical Privacy Law Overrides An advisory commission working to increase interoperability among the nation’s health information systems may ask Congress to override state and local medical privacy laws when those laws are at variance with federal law, reports Government Health IT. Differing state laws that protect the privacy of medical records are an obstacle to automated exchange of that information, according to members of the Commission on Systemic Interoperability. The 11-member commission was established in October 2004 to develop a strategy for “the adoption and implementation of health care information technology standards that includes a timeline and prioritization for such adoption and implementation.” It is scheduled to deliver a report to the Department of Health and Human Services and to Congress by October 2005. Dana Haza, commission director, confirmed that the commission is considering overriding state laws among its recommendations. She declined to speculate on the likelihood that the override would be in the final report.
June 29, 2005 Kaiser Permanente Fined $200k for Patient Data Breach The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people, reports Computerworld. The DMHC said the information had been available on a publicly accessible Web site for as long as four years. A former web coordinator at Kaiser brought the breach to the attention of federal regulators and posted a link to the Kaiser web site on her blog last year. Kaiser then sued her for invasion of privacy and breach of contract.
June 27, 2005 Military May Have Breached Medical Privacy At Guantanamo Military interrogators at the US naval prison camp at Guantanamo Bay, Cuba, may have breached medical privacy and encouraged doctors to violate professional and legal standards, two specialists on medical ethics said in The New England Journal of Medicine last week, reports the Boston Globe. Dr. Gregg Bloche of the Brookings Institution and a law professor at Georgetown University in Washington, and Jonathan Marks, a lawyer at Matrix Chambers in London and a bioethics fellow at Georgetown, made the allegations in a commentary in the medical journal. They said their interviews with staff members at Guantanamo, along with records from the facility, indicate that prisoners' health records could be used against them to find the most effective ways to extract information from them. Health professionals caring for prisoners at Guantanamo have been encouraged to alert military officials there about relevant health information, Bloche and Marks alleged.
June 27, 2005 HIPAA's Unintended Consequences Generate Discussion Journalists, lawyers, privacy consultants, a clergyman, and even a choral conductor gathered last week at the First Amendment Center for a conference on HIPAA that sparked some heated discussion. The June 21 symposium, sponsored by the First Amendment Center, the Associated Press, and Vanderbilt University, was an effort to examine problems with information access caused by HIPAA and featured presentations from individuals affected in different ways by the regulation. The participants ultimately proposed possible solutions to improve the federal law, which virtually all in attendance acknowledged has had some unintended negative effects.
June 21, 2005 FCC Reviews Lifting Cell Phone Ban on Flights, Comments Consider HIPAA Risks In response to the Federal Communications Commission's (FCC) proposal to lift the nationwide ban on using cell phones in flight, most flight attendants, passengers and various aviation industry unions say to keep restrictions in place, reports the Washington Post. According to the St. Louis Post-Dispatch, more than 7,700 emails and letters have landed on the comments tarmac since the commission started reevaluating the 14-year-old ban in December. It was passed because of concerns that the signals emitted by cell phones and other electronic devices interfere with the transmissions used to guide takeoffs and landings, but the FCC now believes that this might not be the case. Nevertheless, many of the comments say that a host of issues remain, including one from a businessman who commented, "I have, many times, heard information regarding a patient's name, medical information, etc., that would be in conflict with [federal regulations]."
June 17, 2005 Health Plan Alleges Former Employees Hacked Computers, Took Data Computer hackers twice stole sensitive and confidential data from computers belonging to Medica Health Plans, based in Minnetonka, MN, in January and shut down parts of the company's computer system on four other occasions, reports the Minneapolis Star Tribune. In April, Medica obtained federal court orders against two former employees that it suspected of committing the security breaches. The orders required them to provide an accounting of the downloaded data and to turn over their personal computers for an inspection. Both defendants deny that they had violated Medica policies, as well as a federal law that prohibits the unauthorized use of electronic data. Medica has not referred the case to federal officials for prosecution, and the workers have not been charged with a crime. A Medica official said this week that it was unlikely that personal information about Medica's 1.2 million members had fallen into the wrong hands but that its investigation is continuing. The intruders seemed most concerned about company trade secrets and employee evaluations, a spokesman said.
June 17, 2005 House Votes to Curb Patriot Act, Limiting FBI's Power to Seize Library, Medical Records The House voted 238 to 187 Wednesday to remove the USA Patriot Act provision giving the FBI power to seize library and bookstore records for terrorism investigations, reports the Washington Post. The provision makes it possible for the FBI to obtain a wide variety of personal records about a suspected terrorist -- including library transactions and medical records -- with an order from a secret Foreign Intelligence Surveillance Court, where the government must meet a lower threshold of proof than in criminal courts. Under the House change, officials would have to get search warrants from a judge or subpoenas from a grand jury to seize records about a suspect's reading habits. The Justice Department said in a letter to Congress this week that the provision has been used only 35 times and has never been used to obtain bookstore, library, medical or gun-sale records. It has been used to obtain records of hotel stays, driver's licenses, apartment leases and credit cards, the letter said.
June 17, 2005 Frist, Clinton Introduce Senate Health IT Bill Senate Majority Leader Bill Frist (R-TN) and Sen. Hillary Rodham Clinton (D-NY) introduced legislation yesterday that mirrors much of the recent activity by the Department of Health and Human Services' (HHS) Office of the National Coordinator of Health IT (ONCHIT), reports Government Computer News. The two are cosponsoring the Health Technology to Enhance Quality Act that would help create an interoperable health IT system through the adoption of standards to reduce costs, enhance efficiency, and improve overall patient care. Reps. Tim Murphy (R-PA) and Patrick Kennedy (D-RI) recently introduced the 21st Century Health Information Act in Congress, which would provide funding to support the start-up of regional health networks and physician investments in administrative and clinical technology. It also calls for interoperability standards and provisions to let hospitals help fund physicians' IT adoption. The Frist-Clinton bill is the first step toward a national framework with quality indicators.
June 15, 2005 OCR Posts New FAQ on Disclosing PHI to P&A Systems The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has posted to its web site a new Frequently Asked Question (FAQ) on disclosing protected health information (PHI) to Protection & Advocacy (P&A) systems. The FAQ states that the Privacy Rule permits a covered entity to disclose PHI without the authorization of the individual to a state-designated P&A system where the disclosure is required by law. The FAQ goes on to say, "The Developmental Disabilities Assistance and Bill of Rights Act (DD Act) provides for each state to designate a public or private entity as the Protection and Advocacy system to protect and advocate for the rights of individuals with developmental disabilities, including investigating incidents of abuse or neglect. The P&A designated pursuant to the DD Act is also the Protection and Advocacy system for purposes of the Protection and Advocacy for Individuals with Mental Illness Act (PAIMI Act) and is empowered to protect and advocate for the rights of individuals with mental illness. These statutes and their implementing regulations require that access to records be provided to P&As under certain circumstances. Thus, a covered entity may disclose PHI as required by the DD and PAIMI Acts to P&As requesting access to such records in carrying out their protection and advocacy functions under these Acts. Similarly, covered entities may disclose PHI to P&As where another federal, state or other law mandates such disclosures, consistent with the requirements in such law. Where disclosures are required by law, the Privacy Rule’s minimum necessary standard does not apply, since the law requiring the disclosure will establish the limits on what should be disclosed. Moreover, with respect to required by law disclosures, a covered entity cannot use the Privacy Rule as a reason not to comply with its other legal obligations."
Read the full answer to the FAQ on disclosing PHI to P&A systems. 
June 15, 2005 CMS Announces NPI Transition Plan The Centers for Medicare & Medicaid Services (CMS) this week announced its plans for transitioning to the National Provider Identifier (NPI) in the fee-for-service Medicare program. Through January 2, 2006, CMS claims processing systems will accept a current, or legacy, Medicare number and reject as unprocessable any claim that includes only an NPI. Beginning January 3, 2006, and through October 1, 2006, CMS systems will accept an existing legacy Medicare number or an NPI as long as it is accompanied by an existing legacy Medicare number. Beginning October 2, 2006, and through May 22, 2007, CMS systems will accept an existing legacy Medicare number and/or an NPI. This will allow for six to seven months of provider testing before only an NPI will be accepted by the Medicare Program on May 23, 2007. Beginning May 23, 2007, CMS systems will only accept an NPI. For more information, to complete an NPI application, and to access educational tools, visit https://nppes.cms.hhs.gov.
June 15, 2005 AHA Submits Comments on HIPAA Enforcement Rule In a letter yesterday to the Department of Health and Human Services' (HHS) general counsel, the American Hospital Association (AHA) expressed concern that the department's proposed HIPAA enforcement rule increases the potential liability exposure of all covered entities and may result in the imposition of civil money penalties that significantly exceed the statutorily permitted maximum penalty, reports AHA News. AHA said the rule's proposed methodologies for determining violations of HIPAA regulations and the amount of any penalty are not easy to understand and do not provide covered entities with sufficient information to predict and limit their liability. It said "provisions imposing liability on a covered entity for the violations incurred by individuals and organizations over whom the covered entity may be able to exercise little real control inappropriately expands the liability exposure of all covered entities." AHA also encouraged HHS not to publicize the identity of civil money penalty recipients, saying the negative and unintended effects would far outweigh any alleged benefit, and endorsed HHS' continued emphasis on voluntary compliance.
Read the letter (PDF). 
June 13, 2005 CMS to Hold Conference on NPI Security Planning The Centers for Medicare and Medicaid Services (CMS) Chicago Regional Office will be hosting a one-day conference on Thursday, July 21, 2005, at the Holiday Inn Lansing South in Lansing, Michigan. This conference is designed to offer healthcare professionals timely, relevant, and practical information for fully implementing the next two areas of HIPAA: the National Provider Identifier and the Security Regulations. There is no charge for this conference, but space is limited and advance registration is required.
June 10, 2005 FACTA Interim Rules Issued on Medical Information Privacy The federal bank, thrift, and credit union regulatory agencies of the Department of the Treasury have published interim final rules regarding medical privacy under the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The Fair Credit Reporting Medical Information Regulations create exceptions to the statutory prohibition against obtaining or using medical information in connection with credit eligibility determinations. The interim final rules also address the sharing of medically related information among affiliates.
Read the interim final rules. 
June 9, 2005 CMS Publishes More HIPAA Security Guidance The Centers for Medicare & Medicaid Services (CMS) has posted three new papers in its series of HIPAA Security Educational Papers. The five papers that are currently available are:
- Security 101 for Covered Entities (PDF)
- Security Standards - Administrative Safeguards (PDF)
- Security Standards - Physical Safeguards (PDF)
- Security Standards - Technical Safeguards (PDF)
- Security Standards - Organizational, Policies and Procedures, and Documentation Requirements (PDF)
The security series of papers provides guidance from CMS on the HIPAA Security Rule. The series will contain seven papers, each focused on a specific topic related to the Security Rule. The papers are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series explains specific requirements, the thought process behind those requirements, and possible ways to address the provisions. CMS recommends that covered entities read the first paper in this series, “Security 101 for Covered Entities,” before reading the other papers, which assume the reader has a basic understanding of the Security Rule.
June 8, 2005 Senate Lawmakers to Introduce Healthcare IT Bill Lawmakers on the Senate Health, Education, Labor and Pensions (HELP) Committee are crafting legislation that would create a public-private healthcare IT collaborative to oversee uniform data standards and related policies for healthcare IT, reports Healthcare IT News. The collaborative would work with existing standards development organizations, government agencies, and health information networks, to identify uniform national policies, such as those relating to the privacy and security of personal health information. The group would also propose uniform national implementation guides for healthcare IT data standards and determine a method for certifying the standards, according to a draft of the legislation. In addition, the legislation would establish health IT network demonstration projects and offer grants to providers to acquire healthcare IT.
June 8, 2005 Federal Law Requires Destruction of Consumer Data A new federal rule that took effect last week requires all businesses and individuals to destroy private consumer information obtained from credit bureaus and other information providers. The Federal Trade Commission's new rule requires that personal information be burned, pulverized, shredded or destroyed in such a way that the information cannot be read or reconstructed. The rule also applies to electronic files, which must be erased or destroyed, and covers credit report data, credit scores, employment histories, insurance claims, check-writing histories, residential or tenant history and medical information.
Read more about the FTC's Disposal Rule. 
June 8, 2005 Laptop Theft Raises EHR Security Concerns The April theft of a laptop containing personal information for more than 21,000 beneficiaries of California's Medi-Cal system has sparked concern about public confidence in electronic health records (EHRs), reports iHealthBeat. The computer contained beneficiaries' names, Social Security numbers, and personal health information. This is the most recent of seven reported security lapses in state computer systems over the past year. In response, state Sen. Jackie Speier (D) said she will introduce a bill that would require California agencies and contractors to encrypt all personal information stored on laptops.
June 8, 2005 HHS Releases Health IT Network RFPs The Department of Health and Human Services (HHS) released requests for proposals (RFPs) announced on Monday by Sec. Leavitt to aid in developing a national health information network infrastructure that will support the exchange of electronic health records (EHRs), reports Government Computer News. The Office of the National Coordinator for Health IT (ONCHIT) posted the multiple RFPs on FedBizOpps. Proposals are due July 7 for three of the RFPs:
- Under one RFP, ONCHIT seeks to develop and prototype a process to harmonize standards to support widespread interoperability among healthcare software applications, particularly EHR systems. The contractor will work with the National Institute of Standards and Technology (NIST) in the process of harmonizing standards.
- Another request requires development of an EHR compliance certification and inspection process to minimize the risk for providers that invest in EHRs.
- A third RFP seeks proposals for prototypes and operational models for a Nationwide Health Information Network Architecture to demonstrate how health information will be shared electronically. The contractor must provide at least two health applications, such as EHRs, that can exchange data, and one application for population health, such as biosurveillance, that is capable of data exchange. The contractor will also demonstrate the interoperable exchange of health information across three distinct healthcare markets.
- The final request addresses the fact that some states have more stringent privacy and security requirements for health information than what is required under HIPAA. HHS' Agency for Healthcare Research and Quality (AHRQ) will seek an assessment of state laws and organizational business policies for privacy and security practices that pose challenges to automated health information exchange and determine how to coordinate them. Proposals are due July 15.
June 7, 2005 Justice Dept. Limits Prosecutions Under HIPAA Privacy Rule The Justice Department (DOJ) has issued an opinion limiting the government's ability to prosecute people for criminal violations of the HIPAA Privacy Rule. The criminal penalties apply to insurers, doctors, hospitals and other providers, said the Department; however, people who work for a covered entity are not automatically covered by that law and may not be subject to its criminal penalties. According to the American Hospital Association, the Justice Department's Office of Legal Counsel said that the "knowingly" element of the offense requires the government to prove only that the violators had knowledge of the facts that constitute the offense, but not that they knew their conduct violated the law. Depending on the case facts, directors, officers and employees of covered entities may be directly liable for HIPAA violations in accordance with general principles of corporate criminal liability. In addition, the opinion says, others who may not be directly liable may be prosecuted under principles of aiding and abetting, and conspiracy.
According to Cheryl Camin, attorney at Gardere Wynne Sewell, "The Justice Department's recent ruling, which sharply limited criminal liability for violations of the HIPAA privacy rule by individuals and companies, should not be read as letting violators off the hook completely. They may still be criminally or civilly liable under other federal and state laws. If a hospital is found liable for an employee or vendor's mistake, the hospital may seek recourse against them for breach of contract. And this announcement may not be the final word on HIPAA liability, either. Additional interpretations of this and future DOJ rulings will shed more light on who really may be held accountable under HIPAA."
The ruling could jeopardize the lone conviction obtained under medical privacy rules that took effect in 2003 and could stop federal prosecutors from pursuing some of the more than 13,000 complaints that have been filed alleging violations of those rules. The Justice Department's interpretation is set forth in an opinion written June 1 by its Office of Legal Counsel to answer questions from the criminal division of the Justice Department and the Department of Health and Human Services. According to a spokesperson, the Justice Department will publish the ruling this week on its web site under its Office of Legal Counsel component at http://www.usdoj.gov/olc/whatsnew.htm. 
Read the New York Times' article, "Ruling Limits Prosecutions of People Who Violate Law on Privacy of Medical Records." 
Read the Los Angeles Times' article, "US Limits Prosecutions Under Privacy Law." 
June 7, 2005 Secret Senate Panel to Consider Beefed-Up Patriot Act The Senate Intelligence Committee will meet behind closed doors this week to consider legislation that could dramatically expand the government's police powers under the USA Patriot Act, reports the Boston Globe. The proposal, in a draft bill sponsored by committee chairman Pat Roberts (R-KS), would lift one of the last restrictions on special warrants the FBI can obtain through a secret court originally set up to monitor foreign spies: that the information the bureau wants must be related to international terrorism or foreign intelligence. If the bill became law, it also would give FBI agents the power to write their own subpoenas without permission from a judge, allowing them to seize records from hotels, banks, and Internet service providers. This provision would require the FBI to make periodic reports to Congress about how often it uses that power to obtain library records, bookstore and firearms sales receipts, and medical or tax records.
June 7, 2005 HHS to Advance Health IT with National Collaboration and RFPs for Interoperability Department of Health and Human Services' (HHS) Secretary Mike Leavitt announced yesterday the formation of a national collaboration and four requests for proposals (RFPs) that will advance efforts to reach President Bush’s call for most Americans to have electronic health records (EHRs) within ten years. The cornerstone of this effort, a private-public collaboration called the American Health Information Community (AHIC), will help the nationwide transition to electronic health records -- including common standards and interoperability -- in a smooth, market-led way. The AHIC, which will be formed under the auspices of the Federal Advisory Committee Act, will provide input and recommendations to HHS on how to make health records digital and interoperable, and assure that the privacy and security of those records are protected. HHS will also issue four RFPs to pave the way for interoperability. These RFPs will create processes for setting data standards, certification, and architecture for an Internet-based nationwide health information exchange, as well as assess patient privacy and security policies.
June 6, 2005 HHS Releases Report on Nationwide Health Information Exchange The US Department of Health and Human Services (HHS) released on Friday a report summarizing over 500 responses from individuals and private industry on interoperable health information exchange. The report is a compilation of responses to a request for information (RFI) that asked for feedback on how a nationwide health information network (NHIN) could be governed, financed, operated, and supported. A cross-section of industry stakeholders as well as private citizens submitted responses totaling nearly 5,000 pages of information. In order to utilize the federal government's technical and operational expertise on health IT, more than 120 federal officials from over 17 departments and agencies participated in a government-wide RFI review task force led by HHS to analyze the responses from the public-at-large. While the report is an illustrative summary of the RFI responses and does not attempt to evaluate or discuss the relative merits of any one individual response over another, it does provide some key findings.
June 6, 2005 UPMC Processed 1,500 Unsecure Online Prescription Forms Over the course of two years, more than 1,500 prescription requests were submitted to the University of Pittsburgh Medical Center (UPMC) by way of an online form that collected names and Social Security numbers but lacked basic security protections, reports the Pittsburgh Post-Gazette. UPMC removed the online form from its web site recently following an inquiry from the newspaper. John Houston, the chief privacy officer at UPMC, reiterated UPMC's position that the security problem did not actually lead to a security breach. The threat is not that computer hackers could break into the UPMC system to get the information, but rather that the data wasn't encrypted -- and was therefore vulnerable -- as it traveled the Internet between patients' computers and the UPMC server.
June 2, 2005 Brailer to Present National Health IT Action Plan After much delay and intense speculation, national health IT coordinator Dr. David Brailer next week should finally lay out a long-awaited action plan for implementing the framework for strategic interoperability that he outlined last July, reports Health IT World. Brailer's spokeswoman says that the Office of the National Coordinator of Health Information Technology (ONCHIT) is waiting for approval from the Department of Health and Human Services (HHS) and the White House before the plan can be publicly released, possibly as early as Monday or Tuesday. ONCHIT's staff also has been busy producing a final report based on a public request for information last winter.
Questions first began to surface when Brailer had to cancel a May 17 appearance at the annual Toward an Electronic Patient Record (TEPR) conference in Salt Lake City because he was called into a meeting at the White House. Administration officials reportedly were discussing the 2006 HHS budget request and other strategies to promote President Bush's health IT agenda. The administration has asked Congress for a $642 billion appropriation for HHS in fiscal year 2006, which includes $125 million in funding to help build a national, interoperable health IT network. The Bush HHS budget also requests additional funding for a program to promote the use of IT in physician practices.
June 1, 2005 Mandatory Electronic Submission of Medicare Claims Begins in July The Centers for Medicare & Medicaid Services (CMS) has announced that effective July 1, it intends to discontinue its contingency plan allowing providers to transmit non-compliant Medicare transactions. Per CMS Transmittal 450, "paper claims received by Medicare will not be paid" as of July 5, 2005. There are some exceptions to this electronic claim submission requirement. After July 5, you can only submit a non-electronic claim if you are:
- A small provider (a provider billing a Medicare fiscal intermediary that has fewer than 25 full-time employees, or FTEs, and a provider with fewer than 10 FTEs that bills a Medicare carrier);
- A dentist;
- A participant in a Medicare demonstration project in which paper claim filing is required;
- A provider that conducts mass immunizations and may be permitted to submit paper roster bills;
- A provider that submits claims when more than one other payer is responsible for payment prior to Medicare payment;
- A provider that only furnishes services outside of the US;
- A provider experiencing a disruption in electricity and communication connections that are beyond its control; and
- A provider that can establish an “unusual circumstance” exists that precludes submission of claims electronically.
Read CMS' Transmittal 450, "Enforcement of Mandatory Electronic Submission of Medicare Claims" (PDF).
June 1, 2005 States Keep Watchful Eye on Personal-Data Firms A legislative push by states to punish companies that maintain sensitive customer data when they hide a security breach could trigger congressional intervention to set a national standard on when people must be notified that their personal information may have fallen into the wrong hands, reports the Washington Post. Seizing upon recent incidents in which companies admitted losing or failing to secure their customers' financial and personal information, nearly two dozen states are debating or have passed new legislation, including a tough North Dakota law which takes effect today.
June 1, 2005 GAO Report Says HHS Still to Define Next Health IT Steps The Office of the National Coordinator for Health IT (ONCHIT) has taken steps to develop a national strategy for adoption of health IT, but market institutions that would support its goals currently do not exist, the Government Accountability Office said in a new report released yesterday. According to Government Computer News, the GAO's report says certification organizations, group purchasing entities and low-cost implementation support organizations are necessary to support medical providers and lower their risk as they acquire and use IT. ONCHIT has made progress in coordinating federal health IT efforts and reaching out to the private sector to develop standards and certification procedures for health IT interoperability. But ONCHIT has not defined plans for the coming phases.
Read the GAO's report (PDF). 