Over 10,000 HIPAA Complaints Filed
Since the Privacy Rule went into effect
in April of 2003, the Office for Civil Rights, responsible for the enforcement
of HIPAA, received and initiated reviews of 10,785 HIPAA complaints through
January 31, 2005. 62% of the complaints have been resolved. In the majority of
cases, the complaint was either dismissed because the incident occurred prior
to the compliance date, the agency determined that no violation occurred, or it
was able to resolve the matter through voluntary compliance. Other common
complaints involved: (1) impermissible uses or disclosures of health
information; (2) absence of adequate safeguards to protect health information;
(3) failure to provide patients with access to records; (4) disclosing more
information than is minimally necessary; and (5) making disclosures without a
valid authorization when an authorization is required.

DHHS Announces HIPAA Regulatory Updates
5/16/2005
The Department of Health and Human
Services (DHHS) today published its semi-annual summary of rulemaking actions
under consideration. Included were the following announcements:
- A Notice of Proposed Rulemaking (NPRM) is
expected to be released in September 2005 proposing "an electronic standard for
claims attachments required by HIPAA. It would be used to transmit clinical
data, in addition to the data contained in the claims standard, to help
establish medical necessity for coverage and payment."
- A Notice of Proposed Rulemaking (NPRM) is
expected to be released in November 2005 implementing "a standard identifier to
identify health plans that process and pay certain electronic healthcare
transactions. It would implement one of the requirements for administrative
simplification that have a national scope beyond Medicare and Medicaid."
- A Notice of Proposed Rulemaking (NPRM) is
expected to be released in February 2006 that "would revise the electronic
transactions and code sets standards mandated by HIPAA."
- A Notice of Proposed Rulemaking (NPRM) is
expected to be released in April 2006 that "would revise the adopted
transactions and code sets standards detailed in regulations specified by HHS
on August 17, 2000, and February 20, 2003. The Secretary intends to propose any
replacements for specific code sets."
- Final action on the Notice of Proposed Rulemaking
(NPRM) issued April 18, 2005, is expected to be released in August 2006 that
"would seek to establish a framework for enforcing compliance with the
'administrative simplification' provisions of HIPAA".
- Final action on the interim final rule issued
August 15, 2003, is expected to be released in December 2006 that
"implements the requirements for electronic submission of Medicare claims,
submitted on or after October 16, 2003. In addition, this rule also implements
the conditions upon which a waiver could be granted for these
requirements".
- Final action is expected to be released in
February 2008 on the Medicare Modernization Act, which "requires Medicare
Part D plans and Medicare Advantage Plans to enable transmission of basic
prescription data to and from doctors and pharmacies, and to adopt a number of
the initial standards required for electronic prescribing".

DHHS Publishes Draft HIPAA Enforcement Rule
4/18/2005
Today the DHHS released a Notice of
Proposed Rulemaking (NPRM) of the HIPAA Enforcement Rule in the Federal
Register. Comments from the public are requested, and must be submitted before
June 17, 2005. The current enforcement regulations related to the investigation
of noncompliance apply only to the Privacy Rule. The proposed new rule would
amend the existing rule to include all of the HIPAA Administrative
Simplification regulations, not just the Privacy regulations. It would also
amend other existing enforcement regulations, including the process for
determining monetary penalties.

Providers Soon Can Apply for ID
4/12/2005
The Centers for Medicare and Medicaid
Services has announced that health care providers can start applying for a
national provider identifier on May 23, 2005. The identifier is mandated under
the HIPAA Administrative Simplification provisions. On or after May 23,
providers can apply online for the identifier at
http://nppes.cms.hhs.gov. Providers also can apply
via postal mail or telephone, with contact information to be available on the
Web site. Applying for an identifier does not replace any health plan
enrollment or credentialing process, according to the government's letter.
Most payers must use the national provider identifier by May 23, 2007; very
small health plans have an additional year. After those compliance dates,
health care providers may use only their NPIs to identify themselves in
standard transactions where the NPI is called for. Additional information on
the national provider identifier is available at
cms.hhs.gov/hipaa/hipaa2.

Proposed "SAFE ID Act" in Congress to Revise HIPAA
4/14/2005
Today Rep. Edward J. Markey (D-MA) and
Sen. Hillary Rodham Clinton (D-NY) introduced the "Safeguarding Americans from
Exporting Identification Data (SAFE ID) Act" in the US House of Representatives
and the Senate. House Bill HR1653 and Senate Bill S810 have been referred to
the House Committee on Energy & Commerce and the Senate Committee on the
Judiciary. The legislation is intended to place restrictions and establish
prohibitions on health care organizations that have medical information
processed overseas. It would also establish a civil right of action allowing
parties to sue for injuries resulting from a HIPAA violation. It also includes
a proposal to add language to the covered entity's Notice of
Privacy Practices notifying patients that individually identifiable
protected health information (PHI) is sent outside of the US. A covered entity's
Notice of Privacy Practices would be required to:
- Provide notice that the covered entity outsources
PHI to business associates outside of the US;
- Provide a description of the privacy laws of
the country where PHI is sent;
- Define risks and consequences that arise from
processing such information in a foreign country;
- Define the measures the covered entity has
implemented to protect PHI outsourced and processed outside the
US;
- Provide notification that PHI will not be
outsourced outside the US if the consumer objects;
- Provide a certification that the covered entity
has taken reasonable steps to identify outsourcing by business
associates; attests to the privacy and security of PHI that would be
outsourced; and defines the determination of the covered entity that privacy
and security of information is maintained.

Complaints to Drive HIPAA Security Enforcement
4/12/2005
The Centers for Medicare and Medicaid
Services, the federal agency responsible for enforcing the Health Insurance
Portability and Accountability Act Security regulations, is likely to take a
soft approach when it comes to governing compliance with the rules.

The National Committee on Vital and Health Statistics Calls For Study of HIT Security
3/20/2005
An influential government panel is
calling on the federal government to take a closer look at security practices
as the nation seeks wide implementation of electronic medical records. In draft
recommendations to HHS that primarily deal with electronic signatures, the
National Committee on Vital and Health Statistics is calling on the government
to address future security risks stemming from the use of electronic
prescriptions and, more broadly, healthcare information technology.

CDC Survey Finds Few Hospitals (And Even Fewer Small Doctors' Offices) Use Electronic Medical Records
3/18/2005
Less than one-third of hospital
emergency and outpatient departments, and an even smaller proportion of
physicians' offices, are using electronic medical records, according to a
recent survey conducted by the Centers for Disease Control and Prevention (CDC), CQ HealthBeat
reports. Between 2001 and 2003, agency researchers found that 31% of hospital
emergency departments, 29% of outpatient departments and 17% of doctors'
offices had electronic medical records, according to CDC. CDC officials also
found that about 8% of physicians used an electronic system to order
prescription drugs and diagnostic tests. According to the survey, physicians
younger than age 50 are twice as likely to use electronic systems to order
prescriptions as physicians older than age 50.

Kaiser Patients' Info Posted Online By Disgruntled Employee
3/11/2005
In a troubling episode involving medical
privacy in the digital age, Kaiser Permanente is notifying 140 patients that a
disgruntled former employee posted confidential information about them on her
Weblog. The woman, who calls herself the "Diva of Disgruntled", claims it was
Kaiser Permanente that included private patient information on systems diagrams
posted on the Web, and that she pointed it out.

Survey Finds Less Than 20% of Health Care Providers Ready for HIPAA's Security Rule Deadline
2/16/2005
According to respondents to a recent
survey conducted between January 4th and January 20th 2005, only 18 percent of
health care providers are compliant with HIPAA's Security requirements despite
the looming deadline of April 20, 2005. Only 74% said they would be ready by
the April 20th deadline. Even more alarming is the finding that, nearly
two years after the Privacy Rule deadline, 22% of health care providers are
still not compliant with the Privacy Rule requirements. Establishment of
Business Associate Agreements and the monitoring of Privacy compliance remain a
particular problem among providers. Additionally, 73% of health care provider
respondents reported that they had experienced one or more privacy breaches
over the past six months, and 27% had at least one formal complaint of
privacy violation filed against them, either with the Federal government or in
a civil proceeding. The survey was conducted by the Healthcare Information and
Management Systems Society and Phoenix Health Systems. Results should be taken
with a grain of salt, however, since only 2% of "health care industry
representatives" invited to participate in the survey actually responded (400
respondents out of nearly 20,000 invitees). Medium-sized physician group
practices (11 to 29 physicians) and small physician group practices (10 or
fewer physicians) accounted for 24% of the respondents.

Health Care Industry Groups Call on DHHS to Eliminate HIPAA's Disclosure Requirements for Gov't Entities
2/10/2005
A coalition of professional health
organizations led by the American Hospital Association (AHA) is appealing to
the Department of Health and Human Services (DHHS) to exempt all disclosures to
government entities from the accounting of disclosures requirement contained in
HIPAA's Privacy Rule. In a letter sent to DHHS Secretary Mike Leavitt, the AHA
and members of another group called The Confidentiality Coalition pointed out
that in September of 2004 the Government Accountability Office (GAO) also
recommended exempting such disclosures from the rule. The groups cited HIPAA's
current accounting of disclosures requirement as being extremely burdensome and
costly, and said the burden and costs were likely to become even more so with
the development of inter-operable electronic health records.

Leavitt Confirmed as Secretary of DHHS
1/26/2005
Senators approved by voice vote the
confirmation of Mike Leavitt to be Secretary of the Department of Health and
Human Services. He is replacing Tommy Thompson. He faced confirmation hearings
in committees in the last week or so. The DHHS has ultimate management control
of the HIPAA rules. A former Utah governor, Leavitt, 53, came to Washington,
D.C., in 2003 to replace Christine Whitman as head of the Environmental
Protection Agency. In his new post, he will run the $550 billion,
66,000-employee Health and Human Services Department, which includes the FDA,
the Centers for Disease Control and Prevention and the National Institutes of
Health.

Boxer Sues Over Unauthorized Release of Personal Protected Health Information
1/18/2005
Heavyweight boxer Joe Mesi is suing a
New York medical clinic and the New York State Athletic Commission for
allegedly disclosing to the media the results of five MRIs without his consent,
according to USA Today. The records indicated that Mesi suffered multiple brain
bleeds in his most recent fight, a detail that could threaten his fighting
eligibility. Nevada state law prohibits fighters who experience brain bleeds
from fighting in the state, and requires all other states to honor the
suspension. The lawsuits do not seek monetary damages, reported USA Today.
However, they do state that the release of the information caused Mesi
humiliation, public scorn, and financial loss, and that the information, without
the expertise of a neurologist, unnecessarily tainted Mesi's reputation to the
public, the media, and possibly the Nevada State Athletic Commission (the group
that will decide Mesi's fighting fate). The commission will likely hold a
hearing within the next few months to determine Mesi's fighting
eligibility.

HIPAA Privacy Complaint Filed Against LA Times & County Health Dept.
1/17/2005
The nonprofit organization Friends of
King Drew filed a complaint against the Los Angeles Times and the county health
department, stating that both violated HIPAA by revealing, in a series of
articles, confidential information about patients treated at the Martin Luther
King Jr./Drew Medical Center in Los Angeles, according to the Associated Press
(AP). The Times articles looked at patients and family members who alleged
mistreatment and problems with patient care at the medical center. John
Wallace, spokesman for the county, told the AP that the newspaper collected the
information for the articles using public records, and that no HIPAA violation
took place. "I can state categorically that at least anybody working for the
department in an official capacity did not violate HIPAA," he said. "A lot of
the patients who were identified were identified through court documents and
settlement documents." Friends of King Drew plans to file a defamation lawsuit
if the Times doesn't print a retraction within 21 days, reported the AP.