March 2005 News Archives
March 29, 2005 CMS & SHARP Workgroup Sponsor Free HIPAA Security Teleconferences
The Southern Healthcare Administrative Regional Process (SHARP) Workgroup & the Dallas and Atlanta Centers for Medicare and Medicaid Services' (CMS) Regional Offices IV and VI present free security teleconferences:
- April 6, 2005, 1:00 - 2:00 PM ET
  "Are You on Track with HIPAA Security Compliance? How to Gauge Your Progress" will aid covered entities in gauging their progress toward HIPAA Security compliance to ensure that you are not wasting energy or taking unnecessary steps.
  Call 877-203-0044 about 15 minutes prior to start time and provide the conference ID number 4880424.
- April 20, 2005, 1:00 - 2:00 PM ET
  "HIPAA Security Open Forum for Rural Hospitals" during which experts will respond to rural hospitals’ HIPAA Security compliance issues.
  Call 877-203-0044 about 15 minutes prior to start time and provide the conference ID number 4880442.
- May 11, 2005, 1:00 - 2:00 PM ET
  "HIPAA Security Maintenance" will provide tips on how to keep your HIPAA Security Plan up to date after the April 20th compliance date.
  Call 877-203-0044 about 15 minutes prior to start time and provide the conference ID number 4880444.
- May 25, 2005, 1:00 - 2:00 PM ET
  "Are We There Yet? Auditing your HIPAA Security Program" will guide participants to measure and verify their HIPAA Security compliance on an ongoing basis.
  Call 877-203-0044 about 15 minutes prior to start time and provide the conference ID number 4978453.
PowerPoint presentations for the teleconferences are available at www.sharpworkgroup.com. 
March 29, 2005 NIST Offers HIPAA Security Guidance
The National Institute of Standards and Technology (NIST) has issued the final version of its Special Publication 800-66, "An Introductory Resource Guide for Implementing the HIPAA Security Rule," the draft of which was released in May 2004. The guide identifies resources relevant to the specific security standards included in the HIPAA security rule and provides implementation examples for each. The guide also lays out similarities between the HIPAA security rule and the Federal Information Security Management Act (FISMA) of 2002, which all federal government agencies must fulfill.
Read "An Introductory Resource Guide for Implementing the HIPAA Security Rule" (PDF).
More NIST publications related to HIPAA Security.
March 28, 2005 CMS Sets Forth Procedures for HIPAA Complaints; Offers Security Guidance
On March 25, the Centers for Medicare and Medicaid Services (CMS) published a Notice in the Federal Register regarding its HIPAA enforcement procedures. The notice sets forth the procedures for filing with the Secretary of Health and Human Services (HHS) a complaint of non-compliance with HIPAA Administrative Simplification provisions (except privacy). It also describes the Department's procedures in reviewing the complaints.
CMS also published last week the third in its series of seven educational papers on the HIPAA Security Rule. CMS recommends that covered entities read the first paper in this series, “Security 101 for Covered Entities” before reading the other papers. The first paper clarifies important Security Rule concepts that will help covered entities as they plan for implementation. This third paper in the series is devoted to the standards for Physical Safeguards and their implementation specifications and assumes the reader has a basic understanding of the Security Rule.
Additionally, CMS will host a National HIPAA Security Roundtable conference call on April 13, 2005 at 2:00 PM ET. The call-in number is 1-877-203-0044 and the identification number is 4587639. There is no cost and registration is not required.
Read CMS' "Security Standards: Physical Safeguards" paper (PDF).
Read CMS' “Security 101 for Covered Entities” paper (PDF).
Read the "Procedures for Non-Privacy Administrative Simplification Complaints Under HIPAA" (PDF).
March 28, 2005 Appeals Court Hears Arguments Over HIPAA Privacy
A three-judge panel of the US Court of Appeals for the 3rd Circuit heard testimony March 9 to determine to what extent patient information can be shared under HIPAA, reports the Philadelphia Inquirer. Does it provide "broad protections" for patients wanting to keep their records private, as Charles Scarborough, attorney for the US Department of Justice, contends? Or does it open the gates for personal information to be widely shared without patient consent, as plaintiffs' attorney James Pyles insists? Pyles represents Citizens for Health, an advocacy group that sued then-Secretary of Health and Human Services Tommy Thompson over the 2003 rule. A federal judge in Philadelphia dismissed the suit last year, finding that privacy rights were not violated. The appeals court, which did not say when it would rule in the case, has wide latitude. It could let the lower court decision stand, declare the new privacy rule unconstitutional, or send the case back to a US District Court for more review.
Read more. 
March 16, 2005 New Study Shows Limited Use of Electronic Medical Records
Less than a third of the nation's hospital emergency and outpatient departments use electronic medical records, and even fewer doctors’ offices do, according to a report released yesterday by the Centers for Disease Control and Prevention (CDC). About 31 percent of hospital emergency departments, 29 percent of outpatient departments, and 17 percent of doctors’ offices have electronic medical records to support patient care, as reported in CDC's ambulatory medical care surveys, conducted from 2001 to 2003.
Read more.
March 16, 2005 CMS Chooses National Provider ID Enumerator
The Centers for Medicare and Medicaid Services (CMS) has chosen Fox Systems Inc., Scottsdale, Ariz., as the enumerator for the national provider identifier (NPI). As enumerator, Fox Systems will process applications from covered entities and assign new national standard provider identification numbers in accordance with HIPAA. The NPI must be used by most covered entities for all electronic HIPAA-compliant transactions by May 23, 2007. Assignment of NPIs is scheduled to begin May 23, 2005.
Read more about the National Provider ID.
March 15, 2005 NCVHS Calls for Study of HIT Security
The National Committee on Vital and Health Statistics (NCVHS), in its March 4 recommendations to the Department of Health and Human Services (HHS) on electronic signatures, asked HHS to address future security risks stemming from the use of electronic prescriptions and, more broadly, healthcare IT. The draft recommendations note that while HIPAA includes provisions covering data security, the regulations do not set a minimum security standard that healthcare organizations should provide, reports Healthcare IT News.
Read more. 
Read NCVHS' 2nd set of recommendations on e-prescribing standards. 
March 15, 2005 HIPAA Security Crosswalk Tool Now Available
A crosswalk of matrix documents has been developed to help healthcare organizations map existing policies and technologies to requirements of the HIPAA Security Rule. The Healthcare Information and Management Systems Society (HIMSS), in conjunction with the NIST/URAC/WEDI Security Health Care Certification and Accreditation Workgroup, created the crosswalk focused on mapping to the HIPAA security rule the best practices or requirements of:
March 11, 2005 140 Kaiser Patients' Private Data Put Online
Kaiser Permanente is notifying 140 patients that a disgruntled former employee posted confidential information about them on her blog, reports Silicon Valley's Mercury News. Kaiser learned of the breach from the Office for Civil Rights (OCR) in January, said Kaiser spokesman Matthew Schiffgens. Kaiser has been investigating ever since, Schiffgens said, but it wasn't until Wednesday that it asked the internet service provider hosting the blog to remove the information. Kaiser will take legal action against the woman if warranted, Schiffgens said. Under HIPAA, the woman could face up to $250,000 in fines and 10 years in prison for unauthorized disclosure of patient information.
Read more. 
March 10, 2005 OCR Answers When is Authorization Not Required for an Interpreter
On March 8, the Office for Civil Rights, in charge of enforcing the HIPAA Privacy Rule, posted a new FAQ on its web site. In response to the question of whether a covered healthcare provider must obtain an individual's authorization to use or disclose protected health information (PHI) to an interpreter, OCR posted:
No, when a covered healthcare provider uses an interpreter to communicate with an individual, the individual’s authorization is not required when the provider meets the conditions below. Covered entities may use and disclose protected health information for treatment, payment and health care operations without an individual’s authorization, 45 CFR 164.506(c). A covered health care provider might use interpreter services to communicate with patients who speak a language other than English or who are deaf or hard of hearing, and provision of interpreter services usually will be a health care operations function of the covered entity as defined at 45 CFR 164.501.
Read more of OCR's FAQ regarding authorization to use or disclose PHI to an interpreter. 
March 8, 2005 Proposal to Update ICD-10 Codes Remains Stalled
A proposal to update healthcare coding standards appears to be stalled, reports Healthcare IT News. The government had been considering a proposal that healthcare providers adopt the ICD-10 CM classification system. Currently, providers use ICD-9 CM codes. But groups such as the American Health Information Management Association (AHIMA) and the American Hospital Association (AHA) say a move toward the ICD-10 clinical coding system would provide more accurate data that is better suited to electronic health records. According to AHIMA Vice President Dan Rode, the proposal is stalled. "They’re not moving forward with it," Rode said. "Until the government gives us a green light, we're not going to have vendors implement it." HHS did not respond to requests for comment. At issue are some of the potential costs involved with a shift to ICD-10 codes.
Read more. 
March 7, 2005 OCR: How May a Health Plan Disclose PHI for a National Medical Support Notice?
On February 25, the Office for Civil Rights, in charge of enforcing the HIPAA Privacy Rule, posted a new FAQ on its web site. In response to the question of whether a health plan may disclose protected health information to a State child support enforcement (IV-D) agency in response to a National Medical Support Notice, OCR posted:
The Privacy Rule permits a health plan to respond to a request for information by a IV-D agency pursuant to a National Medical Support Notice (NMSN), as described below.
The Privacy Rule at 45 CFR 164.512(f) permits a covered entity to disclose protected health information to a “law enforcement official” for law enforcement purposes in compliance with court orders, grand jury subpoenas, or certain written administrative requests. 45 CFR 164.512(f)(1)(ii). As defined in 45 CFR 164.501, a “law enforcement official” means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law or to prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law. An employee of a IV-D agency, including a contract employee, who is empowered by state or federal law to enforce a medical child support order, meets this definition of a law enforcement official.
The NMSN, a nationally uniform form which is sent by the IV-D agency to the employer and health plan for completion, constitutes a written administrative request by a law enforcement official. As such, the Privacy Rule allows a health plan to disclose protected health information in response to the NMSN, provided it includes or is accompanied by written assurances by the law enforcement official that (1) the information sought is material and relevant to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope; and (3) de-identified information cannot reasonably be used. 45 CFR 164.512(f)(1)(ii)(C).
The Privacy Rule requires the covered entity to verify that these three conditions are met, as well as the identity and authority of the public official making the request, unless already known to the covered entity. The covered entity must also limit the disclosures to the minimum necessary for the purpose. To meet these requirements, the covered entity may reasonably rely on the following:
- the NMSN, or a separate written statement that, on its face, demonstrates that the three assurances required for these disclosures have been met. 45 CFR 164.514(h)(2)(i)(A).
- the NMSN is sufficient to verify the identity and legal authority of the public official requesting the protected health information. 45 CFR 164.514(h)(2)(ii) and (iii).
- the NMSN is sufficient as a request from a public official for the minimum information needed to meet the law enforcement purpose of the request. 45 CFR 164.514(d)(3)(iii)(A).
Read OCR's HIPAA Privacy FAQ. 
March 7, 2005 US Divided on Privacy Risks of Electronic Medical Records
US adults are divided right down the middle on whether the potential privacy risks associated with a patient electronic medical record system outweigh the expected benefits to patients and society, according to testimony given recently before the National Committee on Vital and Health Statistics (NCVHS) of the Department of Health and Human Services (HHS). The testimony was based on results of a new national Harris Interactive telephone survey on the American public's views regarding Electronic Medical Records (EMR). Majorities are worried that sensitive health information might leak because of weak data security; that there could be more sharing of patients' medical information without their knowledge; that computerization could increase rather than decrease medical errors; that some people won't disclose necessary information to health care providers because of worries that it will go into computerized records; and that existing federal health privacy rules will be reduced in the name of efficiency.
Read more.