Looking for a past HIPAA news article? Below are the relevant HIPAA news items from 2004.

HIPAA NEWS 2004
Feds Get First Privacy Conviction- Health Care Worker Gets 16 Months in Prison
12/1/2004
A SeaTac, Wash.-based former employee of the Seattle Cancer Care Alliance has pleaded guilty to violating the HIPAA privacy rule, the first criminal conviction under the rule. In a plea agreement with the U.S. Attorney's Office in the Western District of Washington, Richard Gibson admitted to using a patient's name, date of birth and Social Security number to obtain four credit cards between October 2003 and January 2004. He then charged more than $9,100 on two of the cards for video games, home improvement supplies, clothing, jewelry, porcelain figurines, groceries and gasoline, according to federal prosecutors. Under the plea agreement, Gibson pled guilty to one count of wrongful disclosure of individually identifiable health information. He agreed to accept a sentence of 10 to 16 months, plus restitution to the credit card companies and patient. U.S. District Court Judge Richard Martinez on Nov. 5 will review the agreement and either accept the sentence or impose his own. If Martinez rejects the plea agreement, Gibson will have the opportunity to withdraw his guilty plea. Under the HIPAA privacy rule, criminal use of a patient's information for personal gain is punishable by imprisonment for up to 10 years and a fine of up to $250,000. The Seattle Cancer Care Alliance fired Gibson after the identity theft was discovered. The FBI investigated the case. A copy of the plea agreement is available on the Department of Justice Web site at www.usdoj.gov/usao/waw/. UPDATE: In the first prosecution nationally under HIPAA, US District Judge Ricardo S. Martinez on November 11, 2004 sentenced Gibson to 16 months in prison. Martinez sentenced Gibson to the maximum allowable under federal sentencing guidelines, reports the Seattle Times. Read More
AHA Recommends Immediate Modification of HIPAA Requirement Regarding Accounting of Disclosures of PHI
11/28/2004
The American Hospital Association (AHA) has written the Department of Health and Human Services (HHS) Secretary Tommy Thompson, urging swift modification to HIPAA's requirement that health care providers keep records of mandatory disclosures of medical information to public health authorities. In its letter of November 4, AHA cited concerns about the burden of complying with the requirement and its potential to interfere with important public health initiatives such as voluntary reporting on disease patterns and quality measures. AHA noted that the Government Accountability Office (GAO) in September urged that the rule be changed immediately. Instead of requiring providers to track individual disclosures as they occur, the rule should require that privacy notices inform patients that their information will be disclosed to public health authorities when required by law, the GAO said. AHA urged HHS to issue "without delay" a rule that is consistent with the GAO recommendation and with an earlier AHA proposal outlining the categories of disclosures the association believes should be exempted from the HIPAA requirement. AHA noted that the GAO said such a modification would ensure protection of patients' privacy "without imposing unnecessary costs or barriers to quality health care or interfering with other important public benefits."
CMS Distributes First in Series of Guidance Papers on HIPAA Security
11/27/2004
The Centers for Medicare & Medicaid Services (CMS) last week released the first in a new series of papers providing guidance on the HIPAA Security Rule. The first paper, "Security 101 for Covered Entities," provides an overview of the Security Rule and its intersection with the HIPAA Privacy Rule. The series will contain seven papers, each focused on a specific topic related to the Security Rule and designed to give HIPAA covered entities insight and assistance with implementation of the security standards. The series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions. Topics planned for future papers include administrative, physical and technical safeguards; organizational policies and procedures and documentation requirements; the basics of risk analysis and risk management; and implementation for the small provider. Click Here To Access the White Paper
First US HIPAA Prosecution - Health Care Worker Sentenced to 16 Months in Prison
11/6/2004
In the first prosecution nationally under HIPAA, US District Judge Ricardo S. Martinez sentenced a Seattle-area health care worker last week to 16 months in prison for stealing the identity of a cancer patient and running up credit-card bills in his name. Martinez sentenced Gibson to the maximum allowable under federal sentencing guidelines, reports the Seattle Times. Read More
Expect More HIPAA Complaints in 2005
10/20/2004
The Southern Healthcare Administrative Regional Process (SHARP) Workgroup has looked at the more than 7,080 Privacy and 147 Transactions and Code Sets (TCS) rule complaints that have been filed up to June 2004 for HIPAA violations and it looks like there are plenty more to come, reports HealthcareITNews. Gloria Steinberg, a member of SHARP Workgroup’s advisory board, said the industry has been focusing on getting the mandatory 837 form in the correct format. However, once enough of the final rules are released and all stakeholders become better educated, she expects a plethora of HIPAA complaints to be filed in 2005. Read More
CMS Reiterates April 20 is Security Compliance Date
10/20/2004
During the last HIPAA Roundtable call focusing on the Security Standards, CMS reiterated that the compliance date for the Security Rule is April 20, 2005. There has been confusion in the healthcare industry concerning the actual compliance date. The comment section of the Final Security Rule indicates the date as April 21, 2005. However, section 164.318(a)(1) of the regulation text states April 20, 2005, is the compliance date for the initial implementation of the security standards.
Military Cites HIPAA in Limiting Details on Injured Troops
10/5/2004
HIPAA is making it difficult for military families, veterans groups and even members of Congress to get details about America's mounting war casualties in Iraq, according to the Milwaukee Journal Sentinel. Military officials are citing the law in refusing to identify soldiers wounded in Iraq or disclose details about their injuries. Army spokesman Jaime Cavazos said soldiers have the same privacy rights as civilians under HIPAA. A spokesman for Sen. Edward Kennedy (D-MA), one of HIPAA's chief architects, said the senator never intended the law to keep Americans from learning about casualties in important military missions like the current war on terrorism. Read More
HIPAA Enforcement Rule Extended
9/15/2004
The Department of Health and Human Services has published a notice extending by one year the interim final rule establishing enforcement procedures for the HIPAA administrative simplification provisions. The department published the interim rule on April 17, 2003, and it was set to expire on Sept. 16, 2004. Now, the interim rule, covering the HIPAA privacy, security, and transactions and code sets rules, will continue until Sept. 16, 2005. “Notwithstanding this extension, HHS fully expects to issue the final rule that will result from the forthcoming rulemaking as soon as possible rather than at or near the new Sept. 16, 2005, expiration date," according to the notice. "However, a one-year extension should provide HHS with a period sufficient to avoid another extension, should unexpected circumstances delay the regulatory development process.” In April 2003, HHS called the interim final rule “the first installment” of a HIPAA enforcement rule to be published later. The interim rule established rules of procedure for imposing civil penalties on entities that violate standards for the format and protection of health information under HIPAA’s administrative simplification provisions. The penalties include civil fines or exclusion from federal health programs. The final enforcement rule will include, among other provisions, a regulatory definition of what constitutes a violation and how the penalties will be determined. The Department published the notice of extension Sept. 15 in the Federal Register. Click here to read it.
Hospital Janitor Offered $1000 to Access Pres. Clinton's Medical Records - 17 Employees Suspended
9/12/2004
Staffers at the hospital where Bill Clinton had heart surgery recently were disciplined for trying to access his private medical files, reports the New York Daily News. Columbia Presbyterian Medical Center suspended 17 workers – including a doctor, several supervisors, a lab technician and a number of clerical employees – for attempting to view the computer records. Hospital spokeswoman Myrna Manners would not confirm staffers tried to breach Clinton's records but said there is a "zero-tolerance policy" on protecting patient privacy that extends to the hospital's most senior staff. Read More
Fed Govt Explains How Privacy Rule Relates to Freedom of Information Laws
8/26/2004
The Department of Health and Human Services' (DHHS) Office for Civil Rights (OCR) has issued guidance on how the HIPAA Privacy Rule relates to state public records laws, also known as open records or freedom of information laws, which provide for public access to government records. In summary, if a state agency is not a "covered entity," it is not required to comply with the HIPAA Privacy Rule. The situation gets complicated, however, if a state agency is a covered entity. Read More
New Security Rule FAQs posted on CMS Web site
8/17/2004
CMS Posts a Dozen New Security Rule FAQs
The Centers for Medicare and Medicaid Services (CMS) yesterday posted on its web site 12 new and one updated frequently asked questions with answers regarding the HIPAA Security Rule. Check 'Em Out
Yankees' First Baseman Jason Giambi Not Obliged to Disclose
8/14/2004
Medical Experts Say Yankees' First Baseman Not Obliged to Disclose
Experts in medical law and ethics say Yankees' All-Star first baseman Jason Giambi is entitled to his privacy and under no obligation to tell fans details about the benign tumor that he blames for his health problems this season, reports Newsday. But the same experts said HIPAA does not govern baseball teams and does not prevent Yankees general manager Brian Cashman from discussing the tumor. Cashman had pointed to the HIPAA privacy provisions when he refused to answer reporters' questions about the location of the tumor.
Fed-up Hospitals Defy Patching Rules
8/12/2004
Network World Fusion reports that amid growing worries that Windows-based medical systems will endanger patients if Microsoft-issued security patches are not applied, hospitals are rebelling against restrictions from device makers that have delayed or prevented such updates. Many hospital executives view the failure to apply the security patches as a possible violation of HIPAA. Read More
Government Issues New Privacy Rule Fact Sheets for Consumers
7/19/2004
The Department of Health and Human Services' Office for Civil Rights (OCR) has issued two new Fact Sheets which provide an easy-to-understand overview of what the Privacy Rule means to consumers. The first Fact Sheet, entitled, "Privacy and Your Health Information," is a general overview of the Rule, explaining that the Privacy Rule gives individuals rights over their health information, sets rules and limits on how information can be used and disclosed, and requires covered entities to take steps to protect health information. The second Fact Sheet, "Your Health Information Privacy Rights," focuses on each of the privacy rights individuals have under the Privacy Rule.
Summer 2004 Results of HIPAA Compliance Survey Not Inspiring
7/25/2004
Phoenix Health Systems' HIPAAdvisory has published its latest quarterly survey of HIPAA compliance. Although the news is bleak, the survey doesn't really represent smaller health care organizations: only 15% of the respondents had 10 or fewer physicians in the organization. Key findings include:

HIPAA Transactions and Code Sets: Only 65% of Providers, 62% of Payers, and 64% of Clearinghouses indicated that they are currently fully compliant. Less than half of Providers and Payers are conducting all of the standard transactions required for their business functions. Of the covered entities not yet compliant, 68% have completed internal testing, but only 27% have completed external testing. Only 50% of Providers and 46% of Payers have completed other TCS remediation activities not related to testing. Half (50%) of Providers and 63% of Payers indicated that there are transactions which their information systems are capable of producing, but that are not being conducted due to the inability of their trading partners to accept/transmit them. When asked the reason for their lack of full TCS compliance, most covered entities cited their trading partners' lack of compliance and coordination as causes. Approximately 40% of Providers, 36% of Payers, and 51% of Vendors feel that CMS should maintain its Contingency Plan for at least another three months.

HIPAA Privacy: Twenty-two percent (22%) of Providers and 9% of Payers reported that they remain non-compliant with the Privacy Rule, more than a year after its effective date (April 2003). Even among "compliant" organizations, gaps remain in certain areas, such as establishing Business Associate Agreements and monitoring internal Privacy compliance. Sixty-four percent (64%) of Provider and 58% of Payer respondents reported their organizations had experienced between one and five privacy breaches in the first six months of 2004.

HIPAA Security: Initiatives for Security Rule compliance are moving slowly – across the industry, the majority of respondents reported their organizations will not be fully compliant until 2005. Providers (87%), Payers (91%), and Clearinghouses (90%) indicated they will be compliant on or before the deadline. Thirty-one percent (31%) of total Providers, Payers, and Clearinghouses responded that their organizations had experienced at least one data security breach in the first six months of 2004.
Rep. Markey Introduces Bill to Block Offshoring of Consumers' Personal Data
6/4/2004
Representative Edward Markey (D-MA), a senior Member of the House Energy and Commerce Committee and the Co-Chair of the Congressional Privacy Caucus, recently introduced the “Personal Data Offshoring Protection Act of 2004” (H.R.4366). The bill prohibits companies from transferring personal information, including medical records, to any person outside the US without notice and consent. Rep. Markey said, “The off-shoring of high-tech, call center, data processing and analysis, and other technology-dependent service jobs poses a very real danger to the security, confidentiality and integrity of personal financial, medical, and other sensitive information.” Senator Hillary Clinton (D-NY) recently introduced similar legislation in the Senate. Specifically, Markey's bill:
  • Requires any business enterprise that transfers personally identifiable information regarding a US citizen, such as the citizen’s name, address, financial information, medical records, or other personal information to first provide prior notice to the citizen;
  • Requires such businesses to allow consumers to block (or “opt out” of) information transfers to any countries that the Federal Trade Commission (“FTC”) has determined provide adequate and enforceable privacy protections, such as the European Union (EU);
  • Requires such businesses to obtain the prior consent of the consumer (or “opt in”) before personal data can be sent to other countries that the FTC determines do not provide adequate and enforceable privacy protections;
  • Bars companies from refusing to provide goods or services to consumers who elect to exercise their “opt out” or “opt in” consent rights, or from charging consumers more if they choose to exercise such rights;
  • Provides for enforcement of the bill’s restrictions by the FTC by defining violations of the bill as a violation of the Federal Trade Commission Act’s prohibition on unfair and deceptive acts or practices, thereby allowing the FTC to seek injunctions against violators and to impose financial penalties of up to $11,000 per violation;
  • Provides for additional civil remedies against violations, including authorization to the state attorneys general to bring civil actions to enjoin violations and impose monetary penalties of actual monetary losses or up to $10,000 per violation, whichever is greater; and,
  • Provides a citizen whose privacy rights are violated with a private right of action to sue a business that has violated the act for actual monetary damages or up to $10,000 per violation, whichever is greater.
Kennedy Introduces Electronic Health Records Bill
5/14/2004
Sen. Edward Kennedy (D-MA) introduced a bill (S. 2421) yesterday that would require healthcare providers to adopt electronic records and claims processing by 2011 or have their reimbursements reduced, reports iHealthBeat. The Health Care Quality Modernization, Cost Reduction and Quality Improvement Act focuses on improving the healthcare system through the use of information technology (IT), results-based reimbursement, quality improvement, and disease prevention. Read More
Two-Week Payment Penalty Threatens as Claims Deadline Looms
5/13/2004
Tens of thousands of doctors will soon see their Medicare payments postponed for two weeks if they don't begin meeting HIPAA transactions and code sets standards, reports American Medical News. The American Medical Association (AMA) is advising physicians to contact their software vendors and clearinghouses to check whether those firms are submitting electronic claims that conform to the rules. In a recent communication, the Centers for Medicare & Medicaid Services (CMS) recommends physicians put pressure on their vendors to get compliant or consider switching to a new company. Beginning July 1, anything received in legacy format will be treated like paper claims and reimbursed in no sooner than 28 days. HIPAA-compliant electronic claims, however, are reimbursed after 14 days. As of mid-April, nearly 80% of electronic claims sent to Medicare were received in HIPAA-standard format, leaving the remaining 20% of electronic claims to be hit by the slowdown. Read More
Many Health Care Organizations Remain Non-Compliant With The Security Rule
5/3/2004
In recognition of the HIPAA Security Rule pre-anniversary deadline on April 21, 2004, the American Accreditation HealthCare Commission (URAC) released a case study report examining the state of preparedness in the health care industry in complying with HIPAA's Security Rule. The report identifies four key stumbling blocks that hamper the ability of organizations to satisfactorily meet the demands of the Rule, and finds many health care organizations remain noncompliant. URAC's report identifies the following as barriers to compliance:
A) Incomplete or inappropriately scoped risk analysis efforts. For example, does the health care organization understand whether or not patient data is at risk of compromise on their systems?
B) Inconsistent and poorly executed risk management strategies. For example, does the health care organization actively address the technical issues and employee practices that affect security?
C) Limited or faulty information system activity review. For example, does the health care organization actively collect data on how its systems and employees are performing?
D) Ineffective security incident reporting and response. For example, does the health care organization even detect when patient data has been compromised (e.g., stolen by an unauthorized person), and how do they deal with that compromise?
Read the Report
Clinton Wants Increase in Privacy Regulations For Hospitals
4/29/2004
Sen. Hillary Clinton, D-NY, is looking to attach an amendment to an important corporate tax bill -- the foreign sales corporation/extraterritorial income bill -- that would increase the privacy regulations hospitals face, in addition to rules already imposed by the Health Insurance Portability and Accountability Act. The amendment would add new privacy regulations over and above HIPAA, including: requiring foreign nations to attain privacy certification from the Federal Trade Commission before businesses in those countries can handle medical information from U.S. health care providers; requiring hospitals to obtain written consent from patients if the nation isn't FTC certified; and allowing patients a private right of action to sue a hospital if there is a breach of privacy. The FSC/ETI bill is likely to be on the Senate floor next week.
President Bush Unveils Major Health Care IT Initiatives
4/27/2004
President Bush unveiled several major health care tech initiatives at the American Association of Community Colleges Annual Convention in Minneapolis yesterday. In his speech, Bush said that innovations in electronic medical records and the secure exchange of medical information will help transform health care in America - improving health care quality, reducing health care costs, preventing medical errors, improving administrative efficiencies, reducing paperwork, and increasing access to affordable health care. To achieve the President's goal of assuring that most Americans have electronic health records (EHR) within 10 years, the federal government is taking the following steps to urge coordinated public and private sector efforts that will accelerate broader adoption of health information technologies (HIT):
  • The Department of Health and Human Services will try to finish the uniform standards for electronic health records by the end of this year.
  • Money has been set aside to encourage demonstration projects that will show health care providers the need to modernize their systems.
  • The position of National Health Information Technology Coordinator has been created within the Department of Health and Human Services to coordinate these efforts with hospitals and medical groups.
  • The federal government will take the lead and create the incentives for health care providers involved with the government to use medical records.
Bush also appeared at the Department of Veterans Affairs Medical Center today in Baltimore to "talk about how to make sure the government helps the health care industry become modern in order to enhance the quality of service, in order to reduce the cost of medicine, in order to make sure the patients, the customer is the center of the health care decision-making process."
2004 HIPAA Privacy & Security Compliance Survey Completed
4/14/2004
April 14, 2004 marked the first anniversary of the implementation of the Health Insurance Portability and Accountability Act (HIPAA) final privacy rule. This long-awaited regulation represented a critical step in the development of national standards for the use and disclosure of personal health information. Many in the health care industry supported its development and recognized its importance in protecting the privacy, confidentiality, and security of health information. A survey was conducted by the American Health Information Management Association (AHIMA) to assess the current state of HIPAA privacy and security compliance within the health care industry. Respondents to the survey included privacy and security officers, those functioning as privacy or security officers without the formal titles, and those who served on the HIPAA privacy and security teams or committees for their organization. Read the Survey
NCVHS Recommends Changes to Privacy & Claims Attachment Rules
4/1/2004
A coalition of health care providers, clearinghouses, and vendors, including the American Hospital Association (AHA), yesterday urged the Centers for Medicare & Medicaid Services (CMS) to develop a rational plan for achieving administrative simplification under HIPAA, reports AHANews. In a statement to the National Committee on Vital and Health Statistics (NCVHS), the HIPAA Implementation Working Group urged that all payers maintain contingency plans for HIPAA claims processing during the transition to full compliance with the Transactions and Code Sets (TCS) standards and not reject or delay claims because data not needed for adjudication is missing. Meanwhile, NCVHS has issued recommendations for changes in the HIPAA privacy rule and forthcoming claims attachment rule.
Medicare Changes Data Requirements
3/31/2004
Health Data Management reports that CMS, the Centers for Medicare and Medicaid Services, has changed certain data elements needed to adjudicate Medicare claims submitted on or after July 6, 2004. CMS has instructed its fiscal intermediary contractors to reject claims from Medicare providers not complying with the new data requirements. The changes will enable the Medicare program to comply with the HIPAA implementation guides for the 837 claim transaction and to resolve coordination of benefit (COB) data sharing issues found during testing. Changes include:
1) Medicare now will require certain data elements that are not needed for Medicare claims adjudication but are required under HIPAA.
2) Data that Medicare previously allowed but is not permitted by HIPAA will result in claim rejections.
3) Certain data Medicare now edits only for syntax will be edited for content and contractors will reject claims if the data is not valid.
Click here to read the story. Click here for a copy of the change request form sent to Medicare contractors. (Look for CR 3031 in the CR NUM column on the right, then click on that file on the left.) To get the educational brochure for providers, click here, then click on MM3031.
HIPAA's Privacy Rule Does Not Create New Physician - Patient Privilege
3/26/2004
In the case of Northwestern Memorial Hospital v. Ashcroft, Case No. 04-1379, the US Court of Appeals for the 7th Circuit ruled today that the HIPAA Privacy Rule does not create a new federal physician - patient privilege. In the ongoing controversy challenging the constitutionality of the Partial-Birth Abortion Act, the court determined that Northwestern Memorial Hospital was not required to comply with the Justice Department's subpoena for medical records on abortion patients. In doing so, it rejected the lower court's reasoning that HIPAA imposed state physician-patient privileges on federal suits. According to Joy Pritts, JD, of Georgetown University's Health Policy Institute, the court of appeals based its decision on the balancing of interests required by the Federal Rules of Civil Procedure and determined that the burdens of production (including patients' sensitivity to having their records disclosed to the government) outweighed the value that the information would contribute to the case. The dissenting judge, relying on the HIPAA Privacy Rule, stated that the records should be produced because identifying information would be redacted. Northwestern Memorial Hospital issued the following statement in response to the ruling: "Although Northwestern Memorial Hospital has taken no position in the underlying national lawsuit challenging the ban, we had a duty under the law to assert our patients' privacy interests. Therefore, our hospital acted vigorously to protect our patients' confidential health information from disclosure. Both the United States District Court and Court of Appeals made a fundamental finding that the significant intrusion into patient privacy outweighed the Government's need for these records to prove its case. We are pleased with this result and the reassurance it provides to our patients."
A Lesson in Patient Privacy Rights
3/16/2004
The California Consumer Health Care Council has sued the Kaiser Foundation over what it says is inappropriate disclosure of private medical records. The council contends that when Kaiser learns of a suit or potential suit by a patient, its legal department opens and studies that patient's private medical records without notifying the patient. This alleged review by Kaiser's legal department is inappropriate, said the council, because Kaiser's legal employees have no role in the patient's health care. Read the Story
CMS Slows Legacy Claims Payments To Encourage HIPAA Compliance
3/1/2004
On Friday, Feb. 27, 2004, CMS (the Centers for Medicare & Medicaid Services) instructed Medicare carriers and fiscal intermediaries to pay electronic claims that are not HIPAA compliant no earlier than 27 days after receipt. Medicare currently pays electronically submitted claims no earlier than 14 days after receipt. CMS ordered the slowing down of payments on "legacy" claims as "a measured step toward ending the contingency plan completely." The new payment structure is intended to encourage compliance with HIPAA's Transactions and Code Sets regulations as soon as possible. The implementation date is July 6, 2004. Read the "Modification of CMS' Medicare Contingency Plan for HIPAA Implementation" Program Transmittal from CMS
Texas Says State Public Info Law Overrides HIPAA
2/16/2004
Texas Attorney General Greg Abbott has ruled that the state's Public Information Law takes precedence over the HIPAA Privacy Rule, according to a published report in the Dallas - Ft. Worth Star Telegram. According to the article, his decision means Texas media outlets and individuals will have access to public information that some hospitals and authorities have declined to release. According to Abbott, "In Texas, government records are presumed open unless a specific exception applies. HIPAA is not an exception to the rule of openness in the state of Texas." Read the Story.
WebMD Reportedly Not HIPAA Compliant
2/15/2004
Health Data Management reports the American Medical Association (AMA) and seven other medical societies sent a letter in January to WebMD voicing their concerns about the vendor's claims processing. WebMD has had difficulties handling HIPAA-compliant transactions, according to the physician associations. The letter, sent to WebMD CEO Roger Holstein and HIPAA enforcement staff at the Centers for Medicare and Medicaid Services (CMS), states that claims submitted to WebMD in a HIPAA-compliant format for processing are often resulting in delayed or denied payments to physicians. Read the Story.
Hearings to be Held on Impact of Privacy Rule on Banks, Police, and Schools
2/14/2004
The National Committee on Vital and Health Statistics (NCVHS), an advisory body to the Secretary of Health and Human Services (HHS), will be holding a subcommittee meeting on Feb. 18 and 19 to receive information on the implementation of the HIPAA Privacy Rule. The Subcommittee on Privacy and Confidentiality will hear about the impact of the regulation on banking, law enforcement, and schools. Representatives of affected groups will provide information about how the regulation has affected the level of privacy and confidentiality for protected health information (PHI), best practices for implementation of the regulation, and information that might help to identify and resolve barriers to compliance.
Camera Phones Raise Privacy & Security Concerns
2/12/2004
The January 2004 issue of PC World magazine reports a prediction that by 2007, 51 million out of over 110 million cell phones will have digital camera technology. The same size as regular cell phones, camera phones can snap photos while users appear to make calls. Daniel Solove, a law professor specializing in privacy law, says a camera phone's immediacy alone does not violate privacy laws, but there are limits. Eventually, camera phones may be automatically disabled when owners enter sensitive places, like hospitals or banks. According to Alan Reiter, a wireless computing consultant who follows picture-phone trends in his Camera Phone Report, "corporations and organizations that have legitimate security concerns should ban camera phones as well as other devices that could compromise security."
Health Care Industry Remains Unready for TCS Compliance
2/2/2004
According to a survey co-sponsored by the Health Care Information Management and Systems Society (HIMSS) and Phoenix Health Systems, the health care industry is “far from prepared” to conduct most HIPAA standard transactions. The survey polled 631 health care executives. Health care providers are closer to compliance than other entities, according to the findings of the survey, which were presented on Jan. 27 in testimony before the WEDI Public Hearing on Implementation of HIPAA Regulations in Washington, DC. D’Arcy Guerin Gue, Executive Vice President of Phoenix Health Systems, represented and testified for her organization and HIMSS at the hearing.
“The objective of converting to standardized Transactions remains hampered by poor communications between covered entities and their trading partners, confusion over specifications, and inability to complete testing,” said Guerin Gue. “Considering the slow progress reported since the Fall 2003 Survey, it is unlikely that we will see industry-wide compliance within the near future.”
The survey results presented as testimony during the WEDI public hearing represent only some of the Winter 2004 US Health Care Quarterly Industry HIPAA Compliance Survey results. The complete results of the survey will be presented at the Annual HIMSS Conference & Exhibition, taking place February 22-26, 2004 in Orlando, FL. Click here to read the testimony.
DHHS Publishes Final Rule Adopting the National Provider Identifiers (NPI)
1/23/2004
This Rule becomes effective on May 23, 2005. Providers need not take any action to apply for NPIs until that date. The compliance date for all covered entities except small health plans is May 23, 2007; the compliance date for small health plans is May 23, 2008. When the NPI is implemented, covered entities will use only the NPI to identify providers in all standard transactions. Legacy numbers (e.g., UPIN, Blue Cross and Blue Shield Numbers, CHAMPUS Number, Medicaid Number, etc.) will not be permitted. Providers will no longer have to keep track of multiple numbers to identify themselves in standard transactions with one or more health plans. (The Taxpayer Identifying Number may need to be reported for tax purposes as required by the implementation specifications.)

All entities who meet the definition of "health care provider" at 45 CFR 160.103 are eligible for NPIs. Providers who are "covered entities" are required to obtain and use NPIs. Providers who are not covered entities may also apply for NPIs. An NPI is expected to last indefinitely; it will not change over time.

Entities who never furnish health care (such as taxi services) are not eligible to be assigned NPIs: they do not meet the definition of "health care provider" and any claims they submit to a health plan would not be "health care" claims and thus would not be subject to HIPAA requirements.

In certain situations, it is possible for "subparts" of organization health care providers (such as hospitals) to be assigned NPIs. These subparts may need to be assigned NPIs in order to conduct standard transactions on their own behalf or to meet regulations that, as an example, may require them to have a billing number in order to be paid by Medicare. The Final Rule requires covered providers to determine if they have subparts that may need NPIs and, if so, to obtain NPIs for the subparts or require the subparts to obtain their own NPIs. (This issue does not pertain to providers who are individuals.)

The NPI is all numeric. It is 10 positions in length (9 plus a check-digit in the last position). It is easily accommodated in all standard transactions. It contains no embedded information about the provider that it identifies. At the current rate of provider growth, NPIs will be available for 200 years.

Providers will be assigned NPIs upon successful completion of an application form. The form can be submitted on paper or over the Internet. Once a provider has been assigned an NPI, the provider must furnish updates to its data within 30 days of any changes.

The National Provider System (NPS), being built under a Centers for Medicare & Medicaid Services (CMS) contract, will process the applications and updates, ensure the uniqueness of the provider, and generate the NPIs. It will also produce reports and information based on requests from the health care industry and others.

A single entity, known as the enumerator and performing under a CMS contract, will operate the NPS. The enumerator will receive applications and updates from providers. The enumerator will assist providers in completing applications and in furnishing updates, and will be responsible for resolving problems and answering questions. The enumerator will notify the providers of their NPIs. The enumerator will also process requests for, and disseminate information containing, providers' NPIs. HHS will prepare a Federal Register Notice describing the NPS data dissemination policy.

Providers who are covered entities may begin applying for NPIs on May 23, 2005, the effective date of the Final Rule. There will be an extremely heavy workload continuing for some time after that date as the NPS processes applications and assigns NPIs to existing providers who are required to obtain and use NPIs by the compliance date. Providers who are not covered entities, but who wish to apply for NPIs, may indeed do so, but should wait at least 1-2 years after the effective date before applying.

Information about NPI implementation, including information on how to apply for NPIs, will be made available to the health care industry by CMS closer to the effective date. Click here to read the Final Rule.
WEDI Public Hearing on HIPAA Implementation Issues
1/15/2004
The Workgroup for Electronic Data Interchange (WEDI), an authorized advisor to the Secretary of the Department of Health and Human Services (HHS), will be holding a special public hearing on January 27 in Tampa, FL, to gather information from the health care industry on HIPAA implementation. The hearing will allow organizations to present their concerns and recommendations regarding implementation of the HIPAA electronic transactions and code sets (TCS) regulation and other pending regulations. No registration is required for the free event to be held from 8 AM to 5 PM EST at the Grand Hyatt Tampa Bay. WEDI has formed a Task Group to collect, analyze, and prepare recommendations to the Secretary to represent the industry perspective. WEDI is seeking input from health care industry representatives on the following:
  • The readiness of Health Plans, Providers, and Clearinghouses for HIPAA Compliance, as well as that of business associates and vendor partners;
  • Information regarding X12N transaction data content concerns;
  • Sequencing and strategies for the implementation of future HIPAA regulations; and
  • Obstacles and issues the health care industry has been dealing with in achieving compliance.

Disclaimer: CAL HIPAA, LLC. obtains its information from sources it believes to be reliable. However, because of the possibility of human and mechanical error as well as other factors, CAL HIPAA, LLC. makes no representations or warranties, express or implied, as to the accuracy or timeliness of its information, and cannot be responsible or liable for any errors or omissions in its information or the results obtained from the use of such information. Information contained on this web site are statements of opinion and not statements of fact or recommendations and do not constitute legal advice. This web site utilizes independent information providers (IIPs) and independent product providers (IPPs). CAL HIPAA, LLC. is not a referral service and does not recommend or endorse any particular IIP or IPP. Rather, CAL HIPAA, LLC. is only an intermediary that provides limited information about IIPs and IPPs. We do not endorse or offer advice regarding the quality or suitability of any product from any IPP, or endorse or offer advice regarding the quality or suitability of any advice from any IIP, or particular provider for any reason, and no information on this Site should be construed as advice or as an endorsement. Users of this site are required to register and to agree, without exception, to our Web Site Access License Agreement. Users are solely responsible for determining whether the information provided on this Site is suitable for their purposes, and reliance on the information is at the user's sole risk. Users should obtain any additional information necessary to make informed decisions.