March 2006 News Archives
March 28, 2006 GAO: HHS Security Problems Place Medical Data at Risk
Months after the HIPAA Security Rule compliance date passed, the Department of Health and Human Services (HHS) and its Centers for Medicare and Medicaid Services (CMS) still had "significant weaknesses" in controls to protect the confidentiality, integrity, and availability of sensitive information in their computer systems, reports Health Data Management. In a review by the Government Accountability Office (GAO) of the effectiveness of the HHS information security program, particularly at CMS, from June through December 2005, GAO found the department has not fully implemented its information security program. In particular, according to the report, HHS operating divisions have not fully implemented important security elements identified by HHS as core components of an effective HIPAA Security Rule compliance plan.
Read more. 
March 28, 2006 OH Supreme Court Rules State Law Trumps HIPAA
The Ohio Supreme Court ruled March 18 that Ohio's open records law takes precedence over the HIPAA Privacy Rule, reports the Cincinnati Enquirer. The decision ends a two-year court battle between city officials and the newspaper over whether the Cincinnati Health Department releasing the addresses of homes and businesses that are ordered to remove potentially hazardous lead paint violates HIPAA. The decision may be the first in the country concerning a conflict between a state’s open records law and HIPAA, and could affect other states because many have similar open records laws, reports Government Health IT.
Read the Cincinnati Enquirer's article, "Lead Paint Citations Opened Up." 
Read Government Health IT's article, "HIPAA Doesn't Protect All Health Information, Ohio Court Rules." 
March 23, 2006 Groups Recommend ICD-10 Adoption Transition Period
Adoption of the International Classification of Diseases, 10th Edition (ICD-10) code set would ease reimbursement for laboratories, said Alan Mertz, president of the American Clinical Laboratory Association in Washington, reports Health Data Management. Mertz testified March 16 before the US House Energy and Commerce subcommittee on health in support of proposed legislation, HR 4157, which seeks to lift regulatory barriers to adoption of health information technology and authorize migration from ICD-9 to ICD-10. But while ICD-10 will enable much more specific coding, the association recommends a five-year transition period because of the complexity of the coding set. According to the Blue Cross and Blue Shield Association, the healthcare industry is woefully unprepared to adopt ICD-10 by October 2009, the date set in HR 4157. The Chicago-based association is advocating an October 2012 adoption date for ICD-10 following a two-year transition.
Read Health Data Management's article, "Lab Group: We Need ICD-10." 
Read Health Data Management's article, "Blues: Slow Down on ICD-10." 
March 16, 2006 Doctor's Office Employee Convicted of Selling FBI Agent's Medical Records
A Texas woman has been convicted of selling the confidential medical record information of a Special Agent with the Federal Bureau of Investigation (FBI) to a person she believed to be working for a drug trafficker. US Attorney Chuck Rosenberg announced her conviction today, and noted that Ramirez faces a maximum punishment of ten (10) years in federal prison, without parole, and a $250,000 fine at her sentencing set for June 8, 2006. At a hearing held on Monday, March 6, 2006, before US District Judge Randy Crane, Ramirez pleaded guilty to the federal felony offense of wrongfully using a unique health identifier with the intent to sell individually identifiable health information for personal gain. The US proved that during the spring of 2005, Ramirez, who was employed at a doctor's office under contract to provide physicals and medical treatment to FBI agents, offered to and agreed for a price to provide the personal and medical information of an FBI agent to a person she thought was working for a drug trafficker.
Read more.
March 16, 2006 Congress Tackles HIT, Privacy Issues
Privacy issues took center stage yesterday during a congressional hearing on healthcare IT legislation that would create a uniform privacy standard to simplify the patchwork of state medical privacy protections, reports Healthcare IT News. Among its provisions, the bill (HR 4157), introduced by Reps. Nancy Johnson (R-CT) and Nathan Deal (R-GA), calls for HHS to recommend a single federal privacy standard. Witnesses at a House Energy and Commerce Subcommittee on Health hearing were split on how to deal with state laws that go further than the federal HIPAA privacy protections.
Separately, Rep. Patrick Kennedy (D-RI), who has introduced a healthcare IT bill (HR 2234) with Rep. Tim Murphy (R-PA), has argued for stronger privacy protections. “To ensure that IT enhances, rather than detracts, from patient privacy, however, we must modernize the Health Insurance and Portability and Accountability Act of 1996 for this new era. While nobody relishes re-opening the HIPAA debates about privacy, it is clear that our privacy law at least must be updated to meet the new realities of online, digital clinical health information,” Kennedy wrote in a recent opinion piece in Roll Call.
Read more. 
March 15, 2006 OCR Posts FAQ on Health Plans Disclosing PHI to Persons Assisting Beneficiaries
The Office for Civil Rights has posted a new Frequently Asked Question (FAQ) on its web site, which explains the circumstances under which a health plan may disclose protected health information (PHI) to a person who calls the plan on the beneficiary’s behalf. Citing examples, the FAQ states that a covered entity only may disclose the relevant PHI to this person if the individual does not object or the covered entity can reasonably infer from the circumstances that the individual does not object to the disclosure. Also, when the individual is not present or is incapacitated, the covered entity can make the disclosure if, in the exercise of professional judgment, it believes the disclosure is in the best interests of the individual.
Read OCR's FAQ on "Health Plans Disclosing PHI to Persons Assisting Beneficiaries."
March 14, 2006 DOD, VA Exchange Patient Data
After years of dragging their feet, the Defense and Veterans Affairs departments have achieved unprecedented sharing of health records. They have exchanged data on millions of patients in the past year, and the pace is accelerating, reports Government Health IT. In December 2005, VA doctors and nurses began accessing health assessments DOD made before and after deployments of active-duty personnel. This month, DOD is delivering to the VA the names of about 250,000 Reserve and National Guard members who have been deployed and then demobilized.
Read more. 
March 14, 2006 EHRVA Releases Interoperability Roadmap
Months before the first reports are due from a government-sponsored effort to design a national healthcare information network, a group of major healthcare software developers has released its own vision of the future that focuses first on achieving what is possible with today's technology, reports Modern Healthcare. The Electronic Health Records Vendors Association has released, in a 46-page report, Version 2.0 of its "Interoperability Roadmap." The roadmap calls for organizations to "acknowledge and access the experience of industry stakeholders." More specifically, it recommends that both national and private-sector initiatives be evaluated and harmonized.
Read more. 
March 14, 2006 Event to Start Patient ID Debate
Believing a variety of patient identifiers is hindering information systems interoperability, the National Alliance for Health Information Technology (NAHIT) will convene a meeting to begin the work to reach consensus on the issue, reports Health Data Management. Leaders of the alliance don't think the April 26 meeting in Washington, DC will result in consensus, but they do want to bring industry stakeholders together to start the debate. David Brailer, MD, National Coordinator for Health IT in the Department of Health and Human Services, will open the meeting. An expert panel, with input from attendees, then will discuss such issues as HIPAA, legal, policy, clinical, technical and consumer privacy.
Read more. 
Register for NAHIT's April 26 meeting. 
March 7, 2006 CMS Releases New NPI Resources on Subparts and EFI
The Centers for Medicare and Medicaid Services (CMS) has released three new educational products on the National Provider Identifier (NPI). The two fact sheets are suitable for all healthcare providers:
- Subparts Fact Sheet contains high-level information on Medicare's guidance on subpart designation. Although the guidance is geared toward Medicare organization providers, non-Medicare organization providers may find it helpful.
- Electronic File Interchange (EFI) Fact Sheet contains basic information and links to helpful resources that will prepare providers and their staff for the release of the EFI system. This information is essential for organizations that wish to submit electronic files for bulk enumeration, and may be of interest to any healthcare provider for whom an organization will be submitting NPI application data.
The MedLearn Matters Article (SE0608), suitable for Medicare providers, takes a detailed look at Medicare's guidance on subpart designation and the impact on Medicare providers.
View the Subparts Fact Sheet (PDF). 
View the EFI Fact Sheet (PDF). 
View the MedLearn Matters Article SE0608 (PDF). 
March 7, 2006 OCR Posts FAQ on Health Plans Reminding Enrollees About Availability of their NPP
The Office for Civil Rights (OCR) has posted a new Frequently Asked Question (FAQ) on its web site, which reminds health plans that the Privacy Rule requires them to notify enrollees about the availability, and how to obtain a copy, of their Notice of Privacy Practices (NPP) no less frequently than once every three years. Thus, health plans that have not already reminded enrollees of the availability of their Notice of Privacy Practices and how enrollees may obtain a copy, must do so no later than April 14, 2006 (small health plans have until April 2007).
View the FAQ on Health Plans Reminding Enrollees About the Availability of the NPP. 
March 3, 2006 Laptop Stolen from Cancer Center Puts Patients' Info at Risk
The private health information and Social Security numbers of nearly 4,000 patients of the University of Texas MD Anderson Cancer Center are at risk after a laptop containing their insurance claims was stolen, reports the Houston Chronicle. Patients and patients' families were notified this month of the theft, which occurred in November at the Atlanta home of an employee of PricewaterhouseCoopers, an accounting firm reviewing the patient claims. Those notified were advised to monitor their credit. MD Anderson's chief privacy officer wrote in a Jan. 30 letter, "Even though it will be difficult for someone to access patient information, we feel you should be informed of this incident."
On a related note, a Computerworld article discusses breach notification laws and when companies should tell all. While there appears to be growing industry consensus that security breach notification laws have forced companies to take more responsibility for the data they own, there is little agreement on exactly when companies should be required to notify consumers when a data breach occurs. Ranged on one side of the debate are those who want alerts for any breach involving the potential exposure of sensitive data. On the other side are those who say that a higher disclosure threshold is needed to avoid overnotification and needless costs.
Read the Houston Chronicle's article, "Stolen Laptop Puts Patients' Info at Risk" 
Read Computerworld's article, "Breach Notification Laws: When Should Companies Tell All?" 
March 2, 2006 Payers Build a Rulebook for HIPAA Transactions
An initiative to build on the HIPAA transactions standards and make them easier to use is approaching its initial goal, reports Health Data Management. More than 80 industry stakeholders, including insurers, providers, government agencies, vendors and others, are developing "operating rules" for administrative transactions. Use of the rules would be voluntary. The operating rules would establish processes and standards for exchanging data, initially eligibility/benefits determination data. The rules would govern how information is exchanged but not specify the tools or technologies to be used. The goal is to further standardize the HIPAA transactions and improve interoperability, giving providers a vendor-neutral, all-payer solution for conducting transactions using the administrative software of their choice.
Read more. 