DigitalCare, Inc.
Health Care Information Technology Services


Recent HIPAA News and Updates

Jan. 16, 2003

ZDNet reports two Massachusetts Institute of Technology (MIT) graduate students have uncovered a treasure trove of personal and corporate information on used disk drives. The students at MIT’s Laboratory of Computer Science bought 158 disk drives for less than $1,000 on the Web and at swap meets. Scavenging through the drives, they found more than 5,000 credit card numbers, medical reports, and detailed personal and corporate financial information. Their findings, titled "Remembrance of Data Passed: A Study of Disk Sanitation," are being published in the January/February 2003 issue of IEEE Security and Privacy, a journal published by the IEEE Computer Society.

Jan. 15, 2003

HHS' Office of Civil Rights (OCR), charged with overseeing HIPAA Privacy Rule compliance, is looking to hire Privacy Program Specialists to provide outreach and education. The Privacy Specialists, working out of 11 Regional Offices, will fan out across the country to increase awareness of covered entities' responsibilities and the public's rights under the Rule.

As part of their duties, the regional Privacy Specialists will:

  • help conduct investigations;
  • respond to phone and written inquiries about the Privacy Rule from covered entities and the public;
  • present the Rule's requirements in meetings, conferences, seminars, and workshops; and
  • serve as subject matter experts on the HIPAA Privacy Rule.

Applications are being accepted online until the closing date of February 4, 2003.

Jan. 14, 2003

AHANews reports the Joint Commission on Accreditation of Health Care Organizations (JCAHO) has released its revised business associate agreement that hospitals must sign as part of the application process for a JCAHO survey to make the agreement workable and acceptable to hospitals and compliant with HIPAA. The American Hospital Association (AHA) says the revised agreement appropriately addresses hospital concerns about an earlier version that was posted on JCAHO's web site just before the holidays.

Jan. 14, 2003

The Final Rules on the "HIPAA Security Standards" and "Modification to Standards for Electronic Transactions and Code Sets" were received by the White House Office of Management & Budget, Office of Information and Regulatory Affairs (OMB/OIRA) yesterday for review. Final clearance takes between two weeks and 90 days, after which the final version of the regulations is placed on display at the Government Printing Office (GPO) in Washington, DC, and then published in the Federal Register.

Jan. 14, 2003

HHS will be holding four national one-day conferences, two in February and two in March, on the HIPAA Privacy Rule. The conferences are designed to provide an opportunity to hear from and interact with officials who developed the Privacy Rule and will be responsible for interpreting and enforcing the rule. The HHS Office for Civil Rights (OCR) will provide an expert faculty who will answer questions from attendees during question-and-answer sessions following their presentations.

The conferences will go over:

  • The principles underlying the Privacy Rule.
  • How the preemption rules create a national floor of privacy protections.
  • Who is a covered health care provider.
  • The implications of being an affiliated covered entity, a hybrid, or in an organized health care arrangement.
  • "Business associate" issues.
  • What type of information is protected under the HIPAA Privacy Rule and what is meant by the terms "use," "disclosure," "minimum necessary," and "incidental disclosures."
  • The Notice of Privacy Practices requirement.
  • When it is necessary to obtain an authorization to use or disclose PHI and what constitutes a valid authorization.
  • The right of patients to access, amend, and obtain an accounting of disclosures of their health information.
  • When to use an authorization for research and when research may be conducted without an authorization.
  • How research authorizations pre-dating the compliance date are treated.
  • Appropriate administrative, technical and physical safeguards.
  • The requirements to train the workforce on covered entity policies and procedures.
  • The OCR complaint investigation and compliance review authority.

Jan. 6, 2003

TechRepublic reported last month on Gartner's 6th HIPAA panel study, which assesses how the healthcare industry is responding to current and impending HIPAA-compliance regulations. The survey, completed in August 2002, tracks how healthcare organizations are responding to the challenges of HIPAA over time by studying a representative sample of 172 randomly selected providers and payers. For the first time, the survey found that most have embarked on tasks such as assigning privacy and security officers, testing systems, identifying formal employee training methods, and implementing privacy and security policies and procedures.

Most respondents are working on privacy; 85 percent report having at least started developing revised policies and procedures. Although almost 70 percent of respondents report that they have begun implementing the transactions standards, organizations are largely at the mercy of their software vendors, most of whom are still working on their compliance upgrades. For this reason, HIPAA.org last October launched an online directory of software products listing which HIPAA transactions each product currently supports.

Dec. 27, 2002

Comments are being requested on a proposed project of the Office for Civil Rights (OCR) to automate its forms for discrimination and medical privacy complaints. Effective April 14, 2003, OCR has jurisdiction over certain health plans, health clearinghouses and healthcare providers with respect to enforcement of the standards for privacy of individually identifiable health information rule issued pursuant to HIPAA. OCR wants to develop an automated complaint submittal process for individuals to file written complaints with OCR when they believe that on or after April 14, 2003, their right to the privacy of protected health information has been violated. OCR estimates that there will be approximately 21,710 complaints concerning medical privacy (16,283 burden hours annually).

Send comments, which should be received within 60 days of this notice, via email to Geerie.Jones@HHS.gov or mail to:

OS Reports Clearance Office,
Room 503H, Humphrey Building,
200 Independence Avenue SW
Washington, DC 20201

Dec. 27, 2002

Under the auspices of URAC (also known as the American Accreditation HealthCare Commission) and the National Institute of Standards and Technology (NIST), the Security Healthcare Certification and Accreditation Workgroup will bring together members of the public and private sectors to develop a uniform approach to the identification and implementation of best practices in healthcare information security. The Workgroup intends to serve as a resource for the healthcare community by developing white papers, drafting crosswalks, and participating in educational programs. Ultimately, the Workgroup hopes to promulgate a common set of healthcare security standards that will cover security policies, procedures, controls, and auditing practices.

The Workgroup will have its next meeting on January 10, 2003 at NIST in Gaithersburg, MD, where the Workgroup will facilitate a healthcare sector review of the recently released draft NIST Special Publication 800-37, Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems.

Dec. 26, 2002

According to the WEDI SNIP X12N Insurance Subcommittee, most of the draft X12N implementation guides currently available for public review were posted without meeting one of the process requirements. As a result, these implementation guides will not be brought forward for a publication vote at the February 2003 X12 trimester meeting in Denver, as previously expected. Instead, X12N will finalize the necessary changes at the February meeting, then by April 2003, revised drafts will be made available for another public review period. It is expected that the impacted guides will then be moved forward for a publication vote at the June 2003 X12 trimester meeting.

The affected implementation guides, some of which are missing Appendix D, commonly referred to as the Change Log, are:

  • 834, Benefit Enrollment and Maintenance (004050X125)
  • 820, Payroll Deducted and Other Group Premium Payment for Insurance Products (004050X137)
  • 270/271, Health Care Eligibility/Benefit Inquiry and Information Response (004050X138)
  • 276/277, Health Care Claim Status Request and Response (004050X139)
  • 278/278, Health Care Services Request for Review and Response (004050X140)
  • 837, Health Care Claim: Institutional (004050X141)
  • 837, Health Care Claim: Dental (004050X142)
  • 837, Health Care Claim: Professional (004050X143)
  • 277, Health Care Claim Acknowledgment (004040X167)

The current online conferences for these guides will be kept open and comments received during this period may be considered in the development of the next draft. The deadline for comments has been extended by one week for all implementation guides to January 8, 2003 except for the X167 – Health Care Claim Acknowledgement. The end date for the X167 guide public review will remain January 13, 2003.

Dec. 19, 2002

HHS officials, Jared Adair, director of the newly formed Office of HIPAA Standards, and Karen Trudel, deputy director, told Health Data Management in a recent interview that HHS expects to publish the proposed claims attachment rule by mid-2003. The department expects in early spring 2003 to publish the final provider and proposed payer identifier rules.

Dec. 18, 2002

The National Committee on Vital and Health Statistics (NCVHS) sent a letter Nov. 25 to HHS, asking for more education, outreach, and technical assistance to the health care industry regarding HIPAA administrative simplification. As part of its responsibilities under HIPAA, NCVHS monitors the implementation of the HIPAA Administrative Simplification provisions. NCVHS' Subcommittee on Privacy and Confidentiality held several hearings this Fall to learn about the implementation activities of covered entities.

Dec. 17, 2002

The semiannual regulatory agenda describing regulatory actions federal agencies are developing appeared in the Federal Register last week. The agenda published Dec. 9 confirms HHS' affirmation that the security rule remains on schedule for publication this month, giving the projected date for the Security Standards Final Rule as 12/00/02.

Dec. 13, 2002

Despite recent rumors that the Final Security Rule will not be published on December 27 as previously indicated, Health Data Management reports that the final HIPAA data security rule remains on schedule for publication on that date. Health Data Management quotes Karen Trudel, deputy director of the new Office of HIPAA Standards in the Centers for Medicare and Medicaid Services (CMS).

Dec. 13, 2002

The Confidentiality Coalition, a 130-member organization representing the health care industry and a part of the Healthcare Leadership Council, announced its sponsorship of a state preemption analysis resource for HIPAA privacy rules. The group recognized the need for an industrywide analysis for covered entities, business associates and others impacted by the rules across all 54 states and jurisdictions. The analysis will cover:
  • Providers, including institutional and professional;
  • Hospitals, clinical labs, long term care and SNFs, clinics, pharmacy, medical groups, physicians, pharmacists, nurses, lab technicians, podiatrists, certified nurse midwives, doctors of osteopathy, nurse practitioners, speech therapists, physical therapists, occupational therapists, physician assistants;
  • Health plans;
  • Third party administrators and utilization review organizations;
  • Business associates and other downstream users: PBMs, device manufacturers, eHealth entities, underwriters;
  • Researchers; and
  • Hospitals, medical colleges, teaching hospitals, pharmaceutical and biotech, medical technology companies.

The analysis is expected to be made available online as soon as February 2003. The tool will allow users to select the states and types of entities covered under the analysis and to subscribe just to the information pertinent to their organization. Updates will be provided annually.

Dec. 9, 2002

The Centers for Medicare and Medicaid Services (CMS), charged with enforcing the HIPAA electronic transactions and code set standards, has posted on its site an Online Complaint Submission Form. The form allows complaints to be submitted about covered entities' non-compliance with the HIPAA transaction standards. Complaints can also be submitted on a paper-based form available by download from the site. CMS' form is not to be used to file complaints regarding the privacy of health information, as HHS' Office for Civil Rights (OCR) will enforce the HIPAA privacy standards.

Dec. 9, 2002

Modern Physician reports CMS officials say the more than 1 million covered entities that missed the October 15 deadline to apply for the ASCA extension will not be actively pursued, but that enforcement will be "complaint driven." In the event a complaint is filed against a covered entity, that entity will either have to demonstrate compliance or be prepared to submit a corrective action plan. Fines for noncompliance can be as high as $100 per offense, with a maximum of $25,000 per year.

Dec. 5, 2002

Yesterday, the Department of Health & Human Services' (HHS) Office of Civil Rights (OCR) released guidance on the final modified Privacy Rule that explains key elements of HIPAA Privacy Rule requirements. HHS published the Privacy Rule on December 28, 2000, and adopted modifications of the Rule on August 14, 2002. The guidance is meant to communicate as clearly as possible the privacy policies contained in the Privacy Rule.

The Privacy Rule Standards addressed are:

  • Incidental Uses and Disclosures
  • Minimum Necessary
  • Personal Representatives
  • Business Associates
  • Uses and Disclosures for Treatment, Payment, and Health Care Operations
  • Marketing
  • Public Health
  • Research
  • Workers’ Compensation Laws
  • Notice
  • Government Access
  • Miscellaneous FAQs

Dec. 5, 2002

The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) has released its business associate (BA) agreement for accredited organizations to use in order to release protected health information to the JCAHO during the survey process. Under the regulation, accreditors are considered "business associates" of covered entities and are required to have BA agreements to ensure that the business associate will safeguard patients' protected health information (PHI).

Nov. 14, 2002

Privacy & American Business (P&AB) has developed a new searchable Privacy Policy Database, which will allow those managing privacy to benchmark their own privacy policy status. The database is a compilation of consumer privacy policies from companies across different industries including banking, credit and consumer cards, consumer reporting, health, insurance, investments, pharmaceuticals, and telecommunications. The database will not only house privacy policies, but will also include vital information on the legislation that drives privacy policies like GLB, HIPAA, and COPPA. Guides to writing privacy policies and using the database will also be provided to users. The web-based database, available beginning in December, will be updated quarterly and housed at the Privacy & American Business web site at pandab.org.

Nov. 14, 2002

The Denver Post reports some of the nation's largest employers are borrowing technology from managed care plans that extracts the details of patients' medical records. The technology's price is privacy, say critics, who warn that as employers gain access to the intimate details of workers' lives, they also gain a tool for discrimination. Even with a host of new federal privacy laws prohibiting personally identifiable information from being released to the wrong hands, lawmakers and health management program developers are interpreting the law as one that allows employers to see reports detailing the age and gender of their most expensive medical cases and assign those employees to medical caseworkers, a concept known as outcomes management.

Nov. 14, 2002

The New York Times reports the Pentagon is constructing a computer system that could create a vast electronic dragnet, searching through personal information in government and commercial databases in the US and around the world. The Information Awareness Office aims to develop new technologies to sift through "ultra-large" data warehouses and networked computers in search of threatening patterns among everyday transactions, such as credit card purchases, travel reservations, suspicious emails, and improbable medical activity, such as the treatments of anthrax sores.

Formidable foreign policy and privacy hurdles remain before any prototype becomes operational. In order to deploy such a system, new legislation would be needed, some of which has been proposed in the Homeland Security bill that was approved by Congress yesterday and which is expected to soon pass the Senate. That legislation would amend the Privacy Act of 1974, which was intended to limit what government agencies could do with private information.

Nov. 11, 2002

Speaking at the e-Pennsylvania Alliance Summit on November 7, Stanley Nachimson, CMS Senior Technical Advisor, said the expected date of publication in the Federal Register for the final HIPAA Security Rule and the final Rule on the Addendum to the HIPAA Transactions and Code Sets will be December 27, 2002. Also, the final National Provider Identifier is expected in early 2003 and the proposed Health Plan (Payer) Identifier is expected in early Spring 2003.

The Final HIPAA X12N Addenda for the nine May 2000 X12N Implementation Guides have now been published. These should be incorporated by reference into the new final addenda rule to be published December 27. The May 2000 X12N Implementation Guides and their associated October 2002 X12N Addenda are available from the Washington Publishing Company.

Nov. 11, 2002

According to AMNews, a lackluster response to the first major milestone in HIPAA implementation shows just how unprepared many physicians and others are for meeting HIPAA requirements. The American Medical Association (AMA) is urging all physicians who didn't file for the extension to become compliant as soon as possible. "There's been a tremendous effort to get the message out both from the government and the American Medical Association," said Donald J. Palmisano, MD, AMA president-elect. However, he added, "obviously, there are hundreds, if not thousands, of physicians who did not file for the extension."

Modern Physician reports CMS officials say the more than 1 million covered entities that missed the October 15 deadline to apply for the ASCA extension will not be actively pursued and may not have to pay fines at first. Karen Trudel, director of the HIPAA project staff at CMS, says fines for noncompliance can be as high as $100 per offense, with a maximum of $25,000 per year, but they "are not going to automatically be imposed on anyone," and enforcement will be "complaint driven." CMS' HIPAA FAQ states that a covered entity that did not submit an extension request should come into compliance as soon as possible, and should be prepared to submit a corrective action plan in the event a complaint is filed against them.

Nov. 11, 2002

According to iHealthBeat, a Frost & Sullivan report found health care organizations (HCOs) may constrain their information technology budgets due to Medicare cuts, increasing operating expenses and a struggling economy, despite next year's HIPAA compliance deadline. The report, "Effects of HIPAA in the US Healthcare Markets," found hospitals and care providers have been forced to keep IT spending low because of the economic downturn.

Nov. 7, 2002

Sen. Bill Nelson (D-FL) introduced a bill on October 7 to prohibit the use of patient databases for marketing without the express consent of the patient. The bill, entitled "Health Records Confidentiality Act of 2002" (S.3064), was read twice and referred to the Senate Health, Education, Labor, and Pensions (HELP) Committee, currently headed by Sen. Edward Kennedy (D-MA).

With the return of a Republican majority in the Senate, Judd Gregg (R-NH) will take over from Kennedy as the HELP Committee Chairman. The New York Times reports "the new lineup, which must be approved by Republican senators next week, would considerably alter the approach of the various panels."

Nov. 1, 2002

Federal Computer Week reports a privacy study ordered by Sen. Joe Lieberman (D-CT) shows that government agencies are generally conscientious about following privacy laws, but it also reveals the extended range personal electronic information can travel once it is submitted to a federal agency. For example, medical records of a government worker seeking compensation for a work-related injury or illness may end up in 18 other locations. Not surprisingly, "the American public is increasingly concerned about protecting its privacy," said Lieberman.

Nov. 1, 2002

California and Minnesota protect the privacy of their citizens better than any other states, while the federal government does a poor job, according to a study by Privacy Journal. The survey ranks states on whether they have privacy guarantees in their constitutions, laws protecting financial, medical, library and government files, and fair credit reporting laws stronger than federal legislation. States are given extra credit when their highest courts have strong records on privacy and receive deductions for antiprivacy actions by state agencies or legislatures. The journal ranked states in five tiers. The federal government would have been ranked in the fourth tier of privacy protectors if it were a state. At the moment, the federal government has no regulation for medical records privacy, and the regime scheduled to go into effect next year is "weak."

Oct. 31, 2002

The Wall Street Journal reports government and private-health groups meeting yesterday at the 2002 Health Legacy Partnership (HELP) Conference at the National Press Club "insist that without jeopardizing privacy, a person's medical history and drug allergies should be accessible from one database."

Oct. 31, 2002

As part of its System Certification and Accreditation Project, the National Institute of Standards and Technology (NIST) has posted Special Publication 800-37, proposed guidelines for performing security checkups. The second set of guidelines, 800-53, will describe the first-ever minimum-security requirements for federal online systems. The third, 800-53A, will detail techniques for measuring a system's security level. Those two publications will be released next spring. The three-part series is designed to bring consistency to certifying and accrediting systems security. NIST will accept public comments on 800-37 for three months. NIST is gearing the guidelines to federal agencies but hopes they will appeal to state and local governments and private industry, where information security is no less a concern.

Read the NIST Security draft guidelines.

Oct. 23, 2002

Several House Democrats introduced a bill last week that would restore patient consent provisions in the HIPAA Privacy Rule and require health providers to notify consumers when they receive payment from drug companies to send unsolicited marketing material. The bill would also limit how FDA-regulated companies could use or disclose personal medical information.

The bill, called the Stop Taking Our Health Privacy Act, was introduced by Reps. Ed Markey (D-MA), John Dingell (D-MI), Henry Waxman (D-CA), Howard Berman (D-CA) and Michael Capuano (D-MA).

Oct. 17, 2002

CMS Logs Half-Million Applications for ASCA Extension. AHANews reports the Centers for Medicare & Medicaid Services said yesterday it had received more than 500,000 applications for a one-year extension of the Oct. 15 deadline for complying with HIPAA's transactions and code sets standards. HIPAA-covered entities that did not apply for the extension are now expected to be in compliance with the transactions and code sets regulation.

Oct. 17, 2002

The New York Times reports New York State's highest court ruled yesterday that prosecutors cannot demand hospital medical records in their efforts to seek criminal suspects who have been wounded, because doing so infringes on patient confidentiality. The decision affects only cases that involve a doctor's medical judgment. Where information about a possible crime is apparent to anyone, prosecutors may enforce a subpoena for records, the court noted in its unanimous decision.

Oct. 17, 2002

The Washington Post reports today on how a DC area hospital protected the identity of a 13-year-old high-profile patient. The boy, one of two wounded in the sniper attacks that have left nine others dead (one of them a member of the FBI's cybersecurity division) over the past two weeks in the Washington, DC suburbs, was admitted to Children's Hospital as a VOV -- victim of violence. For his protection, he was assigned an alias, which became the name all staffers would use, and which anyone seeking information about him would have to know. A bogus file was created in the computer system to throw potential hackers off the trail.

Meanwhile Montgomery County, MD officials said it is too early to know what long-term changes could be made to improve public security, such as expanding Montgomery's state-of-the-art network of traffic cameras or lobbying for a new national fingerprint database, reports the Montgomery Gazette.

Oct. 15, 2002

HHS Secretary Tommy G. Thompson announced today that the Centers for Medicare & Medicaid Services (CMS) will be responsible for enforcing the HIPAA transaction and code set standards. The HHS Office for Civil Rights (OCR) will enforce the HIPAA privacy standards. CMS and OCR will work together on outreach and enforcement and on issues that touch on the responsibilities of both organizations, such as application of security standards or exception determinations. Ruben J. King-Shaw Jr., CMS deputy administrator and chief operating officer, said CMS will create a new office to bring together its responsibilities under HIPAA, including enforcement.

Oct. 15, 2002

A new survey finds HIPAA Privacy Compliance is the biggest issue faced by compliance officers today. The fifth annual "2002 Profile of Health Care Compliance Officers," released October 1 by the Health Care Compliance Association (HCCA) and Indianapolis-based Walker Information, indicates the top goals are:
  • monitoring and auditing,
  • staff compliance training,
  • compliance program effectiveness,
  • and of course, HIPAA compliance.

According to the survey results, the trend is clear that compliance programs are an accepted part of the health care organization’s framework. The survey also includes data on compensation, benefits, staff size and other issues.

Read the survey results (PDF).

Oct. 9, 2002

Yesterday, HHS' Office of Civil Rights released new frequently asked questions about the HIPAA Privacy Rule as well as an unofficial version of the complete regulation text for the privacy rule (Parts 160 and 164), as modified (05/31/02, 08/14/02).

Oct. 9, 2002

iHealthBeat reports the Centers for Medicare & Medicaid (CMS) announced its plans yesterday to implement an electronic record management system as part of its compliance with the HIPAA medical privacy rule and the Privacy Act of 1974. The system, called the Privacy Accountability Database, will track access to CMS' health care data, which holds information on more than 74 million Americans. The system will help CMS administrators protect health information and monitor disclosure of the information, which is used for reimbursement, regulatory compliance and to support litigation involving CMS. CMS administrators plan to have the system in place by the April 2003 HIPAA privacy rule compliance deadline.

Oct. 8, 2002

The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics (NCVHS) heard from witnesses throughout New England on September 10 and 11, 2002 in Boston as part of its duty monitoring covered entities' HIPAA implementation. Although additional hearings are scheduled in late October and early November in Baltimore and Salt Lake City, the NCVHS was so troubled by the Boston testimony that it sent its initial findings and recommendations to HHS Secretary Tommy Thompson in a letter dated September 27, 2002.

The witnesses at the Boston hearing expressed widespread support for the goals of the Privacy Rule. Some providers, especially larger ones, reported making progress toward compliance. There was also praise for the guidance provided by the Office for Civil Rights (OCR) in July 2001.

Overall, however, the NCVHS was both surprised and disturbed at the low level of implementation and the high levels of confusion and frustration. Some covered entities decided to wait until the final Privacy Rule amendments were published in August 2002, and only now are beginning to think about their compliance duties. Many physicians, dentists, and other health care providers, especially those in small towns and rural areas, have never even heard of HIPAA, do not think it applies to them, or are confused by the various standards. State and local governments reported lacking the budget or personnel to draft their own HIPAA documents and design training programs to comply with the Privacy Rule. NCVHS goes on to state, "The failure of the OCR to make available sample forms, model language, and practical guidance has left covered entities at the mercy of an army of vendors and consultants, some of whose expertise appears limited to misinformation, baseless guarantees, and scare tactics."

Oct. 1, 2002

A proposed rule before the Minnesota legislature would require Minnesota hospitals, insurers, and health plans to electronically transmit the private individually-identifiable health data of most Minnesota residents to the health department without patient or parent consent. The Minnesota Department of Health informed Citizens' Council on Health Care (CCHC) that enough letters requesting a hearing on the proposed health data collection rule were received to require a hearing this Friday before an administrative law judge.

Sept. 25, 2002

The House Judiciary Subcommittee held a hearing on September 12th regarding Medical Privacy. Witnesses described gaps in the HIPAA medical privacy rule and the Americans with Disabilities Act. According to privacy advocates, these laws leave genetic information susceptible to misuse by insurers and employers.

Sept. 17, 2002

The National Institute of Standards and Technology (NIST) has released final publications of four computer security guidelines. Special Publication (SP) 800-46, Security for Telecommuting and Broadband Communications, provides security and policy information to assist users, sysadmins and management in better securing telecommunications resources. SP 800-47, Security Guide for Interconnecting Information Technology Systems, addresses interconnections between IT systems that are owned and operated by different organizations. SP 800-40, Procedures for Handling Security Patches, addresses the problem of ignored or improperly applied fixes for vulnerabilities and recommends ways to develop a patching and vulnerability policy using a systematic, accountable and documented process. Finally, SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, recommends that federal agencies make use of CVE designations when acquiring or using CVE-compatible security-related products and services. The scheme also can help admins monitor systems for vulnerabilities.

Sept. 11, 2002

The House Judiciary Committee yesterday approved legislation that would require government agencies to analyze how proposed regulations would affect personal privacy. The bill, called the Federal Agency Protection of Privacy Act, would require federal agencies to include a privacy impact analysis at the time regulations are proposed. The bill, sponsored by Congressman Bob Barr (R-GA), will now go to the full House for consideration.

“Americans deserve to know how government regulations will impact their personal privacy, and this legislation reforms the regulatory process to make sure that occurs,” Barr said today. “This bill will not only make the federal government more accountable to the American people, but it will also serve to slow the growing erosion of citizens’ privacy rights.”

Sept. 11, 2002

The American Bankers Association and the National Automated ClearingHouse Association (NACHA) are encouraging banks to seek a one-year extension to the HIPAA transactions compliance date.

The HIPAA Transactions Rule applies to all healthcare providers, plans and “healthcare clearinghouses” as well as their third-party “business associates.” According to the Department of Health and Human Services (HHS), banks could be considered “healthcare clearinghouses” if they process certain payments (e.g., provide lockbox services) or other transactions for doctors, pharmacies, hospitals, etc. that include personally identifiable “protected health information” (PHI).

HHS has not yet determined whether certain bank payment processing activities make banks subject to the HIPAA rule. Nonetheless, the compliance deadline for the HIPAA Transactions Rule of October 16, 2002 is looming, and HHS expects banks to take action.

Sept. 9, 2002

A federal court ruled last month that Pharmatrak Inc., a now-defunct company that tracked visits to pharmaceutical company Web sites using "cookies" and "Web bugs," did not violate federal wiretap, computer hacking or privacy statutes, reports Reuters Health. The August 13, 2002 ruling by Judge Joseph L. Tauro of the US District Court for Massachusetts found in favor of Pharmatrak and its pharmaceutical clients, including Pfizer Inc., Pharmacia Corp. and American Home Products.

Aug. 26, 2002

AHANews reports the Centers for Medicare & Medicaid Services announced yesterday that of all covered entities under HIPAA, less than 3% have filed for an extension to the Transaction and Code Sets Standards compliance deadline of October 16 - just under 50 days away. In a statement, Ruben King-Shaw Jr., CMS chief operating officer, reminded hospitals that the Administrative Simplification Compliance Act (ASCA) allows covered entities a one-year extension, as long as they submit a compliance plan by October 15, "either by paper or, preferably, electronically at: http://www.cms.hhs.gov/hipaa/hipaa2/ascaform.asp." The extension allows hospitals and other covered entities until October 16, 2003, to become HIPAA compliant. Shaw said CMS is encouraging everyone to submit their compliance plans now, and implement and test the new standards as soon as possible, noting that electronic filing is fast, easy, and will inform filers immediately that the extension has been received.
Aug. 26, 2002

A federal judge has dismissed a lawsuit filed by the South Carolina Medical Association (SCMA) and a Louisiana state medical society challenging the privacy rule's constitutionality. According to the SCMA, the court ruled on August 14 that although Congress did not specify privacy rights and policies in the privacy section of the statute, general congressional intent could be gleaned from the statutory framework as a whole, that HHS was within its discretion to draft a very broad rule, and that a person of normal intelligence could ascertain from the 400-page regulation what was criminally punishable and which state laws would be preempted by the federal regulations. The SCMA is studying the viability of an appeal. Last week, the SCMA Executive Committee voted to appeal the US District Court’s decision in the SCMA’s suit against HHS.

Aug. 19, 2002

iHealthbeat reports that the new Privacy Rule modifications are being strongly criticized by many patient and privacy advocacy groups, including The Citizens' Council on Health Care, the Institute for Health Freedom, the American Psychoanalytic Association, and the Health Privacy Project. The groups are particularly concerned over the elimination of the prior consent requirement and new loopholes in the marketing provisions.
August 14, 2002

According to iHealthBeat, CongressDaily reports Sen. Edward Kennedy (D-MA) and House Democrats are considering a legislative response to the final HIPAA privacy rule. Democratic members of Congress have criticized the Bush administration's changes to the final privacy rule, particularly the elimination of the prior consent requirement, which would have required patients' written consent for use or disclosure of personal health information before treatment, payment or health care operations.


August 12, 2002

The American Hospital Association (AHA) is recommending several changes to the Joint Commission on Accreditation of Healthcare Organization's proposed business associate agreement, reports AHANews. Under the HIPAA privacy rule, JCAHO cannot receive protected health information from a hospital it is surveying for accreditation unless it enters into a business associate agreement with the hospital. JCAHO has proposed adding such an agreement as a uniform addendum to its accreditation agreements for all health care organizations. However, according to AHA, some of the proposed provisions in the JCAHO model associate agreement are outside the scope of privacy rule requirements and "would impose unwarranted burdens and needless liabilities in hospitals." AHA also expressed concern that pending final changes to the privacy rule may impact the rule's business associate agreement requirements. It urged JCAHO to reexamine the model agreement and revise it with those final changes in mind.

August 12, 2002

According to the Washington Post, the final HIPAA privacy rule issued Friday offers weaker safeguards than those sought by consumer advocates. The final regulations omit a requirement that patients' written consent must be obtained before their personal health information can be handled by doctors, hospitals, pharmacies and insurance plans -- a protection that lawmakers and two White Houses have contemplated for years.

The rules go further than the administration previously considered to rein in the use of medical information for the marketing of products, particularly prescription drugs, by companies that gain entree into individuals' records. Critics in Congress and elsewhere said, however, substantial marketing loopholes remain.

August 9, 2002

Final Privacy Rule Filed

The 400-page final HIPAA Privacy Rule was filed at 2:00 PM today at the National Archives; the "Privacy Standards for Individually Identifiable Health Information" are scheduled for publication in the Federal Register on Wednesday, August 14. By law, the rule had to appear in the Federal Register by Wednesday, eight months ahead of the April 14, 2003, HIPAA privacy compliance date.

Read the final changes to the Privacy Rule on HIPAAdvisory:

Read the HHS Press Release and Fact Sheet.


August 1, 2002

The University Health Network of Toronto, Canada plans to take extra efforts to protect patient confidentiality after staffers were caught earlier this year looking at the private medical records of former Canadian prime minister Brian Mulroney and Toronto Maple Leafs coach Pat Quinn. The Province of Ontario's Information and Privacy Commissioner, Ann Cavoukian, conducted an independent assessment of the hospital's privacy protections after the "two well-known individuals" had their privacy breached last May.

July 24, 2002

According to Karen Trudel, Director of the Centers for Medicare and Medicaid Services' (CMS) HIPAA Project Staff, the final security rule will not be published in August.

Trudel said, "It is probably going to be in the fall. It will be on the regs [publication] agenda for October. One of the things we are doing is making sure that privacy and security are linked. We definitely need to take another look at it, in light of the privacy rule modifications, before it goes out the door."

July 18, 2002

Two state medical societies a year ago filed suit in U.S. District Court in Columbia, S.C., challenging the constitutionality of the medical privacy rule. Now, oral arguments in the case are expected in early August, says Terry Richardson, attorney for the plaintiffs. Regardless of the final ruling, the case likely will land in the 4th Circuit Court of Appeals, predicts Richardson, partner in the Barnwell, S.C.-based law firm Richardson, Patrick, Westbrook & Brickman LLC.

The South Carolina Medical Society, its Physicians Care Network PPO subsidiary, six individual South Carolina physicians and the Louisiana State Medical Society filed suit against the Department of Health and Human Services on July 16, 2001. No other plaintiffs have joined the suit, but many state medical societies and hundreds of physicians have expressed support, according to Richardson. He expects some societies to file supporting briefs at the appellate level.

The lawsuit, available at www.healthdatamanagement.com/html/news/compliant.doc, challenges the privacy rule on three grounds:

* Section 264 of the Health Insurance Portability and Accountability Act, under which Congress authorized HHS to promulgate privacy regulations if lawmakers did not enact a privacy law, violates the separation of powers clause of the U.S. Constitution, plaintiffs allege. “The statute allowed HHS, an executive agency, to act as federal legislators in drafting and enacting the executive regulations,” according to the suit. “As enacted by Congress, Section 264 contains no intelligible principle to guide or limit HHS in the drafting of the regulations.”

* The rule’s state preemption clause is so vague it violates the due process guarantee of the Fifth Amendment, according to the lawsuit. “As drafted, the preemption clause of Section 264 is impermissibly vague because a person of ordinary intelligence is unable to determine whether state privacy protections are ‘more stringent’ than the HHS Privacy Regulations,” the suit contends.

* Even if the Court upholds the constitutionality of Section 264, the regulations promulgated thereby are unconstitutional because HHS did not have the constitutional authority to expand the privacy rule to include all communications, not just electronic transactions governed under HIPAA, according to the suit.

July 17, 2002

The nonprofit Privacy & American Business (P&AB) announced yesterday the first national online privacy and privacy-related job employment website. Corporations, federal and state governments, and other privacy-conscious organizations may target their search for privacy officers and other privacy positions to those qualified candidates who know the privacy arena. Set to launch in early September, the Privacy Job Opportunity Boards will be divided into three levels, one of which will advertise mid to high level positions relating to privacy, including HIPAA administration.

The Privacy Job Opportunity Boards will be divided into three levels. The first, PJOBs, will advertise mid to high level positions relating to privacy including HIPAA administration, HR administration, database management, legal counsel, marketing, corporate communications, new product development, and information security. PJOBs Plus may be used to target those with the qualifications necessary of a high level privacy executive or CPO who is responsible for overseeing privacy for the entire organization. Companies may post listings on Ptemps to fill the need for temporary positions, such as consultants.

July 16, 2002

Health Data Management reports the Workgroup for Electronic Data Interchange (WEDI) is asking the Department of Health and Human Services to reconsider use of a hyphen in the recently adopted employer identifier number. The Standard Unique Identifier for Employers final rule, published in May, adopts the Internal Revenue Service's Employer Identifier Number (EIN) as a standard identifier for health care. The nine-digit identifier includes a hyphen after the first two digits. In recently submitted comments, WEDI argues the hyphen could create data transmission problems and cause unnecessary burdens, defeating HIPAA's administrative simplification goals.

July 9, 2002

The Health Privacy Project has published revised summaries of health privacy statutes for the following states: Maryland, Massachusetts, Missouri, Montana, Nebraska, Pennsylvania, Utah, Washington, and Wyoming. The recent publications incorporate changes in state privacy laws made since the Health Privacy Project's initial report, "The State of Health Privacy: An Uneven Terrain," was written in 1999.

July 8, 2002

In Broward County, FL, a woman received an unsolicited trial sample of the antidepressant drug Prozac. She has filed a lawsuit against her doctors, the Walgreen pharmacy chain, and the pharmaceutical manufacturer Eli Lilly & Co., charging invasion of privacy and violations of Florida state law.

July 2, 2002

Rick Pollack, Executive Vice President of the American Hospital Association, submitted a letter to HHS today urging that the Transactions and Code Sets regulation adopt specific business rules for standard HIPAA transactions. Additionally, AMA stated that it supports repealing the requirement to use National Drug Codes for transactions other than at retail pharmacies.

July 1, 2002

According to the HIPAA Weekly Advisor, covered entities who communicate with Medicare can begin testing their electronic transactions. CMS requires testing through a Claredi system, which tests incoming and outgoing transmissions such as health-care claims, remittance advice, coordination of benefits, and status inquiry/response regarding claims. Prior to testing, patient information must be de-identified using Claredi software. Access to the Claredi testing system will cost most providers about $600 for a one-year subscription. For additional information, see CMS' Program Memorandum A-02-051, released June 18.

June 21, 2002

According to John Hoff, HHS deputy assistant secretary, the Department of Health and Human Services will publish the new final privacy rule in August. This will make the proposed modifications to the final privacy rule effective.

HHS officials recently said the department expects to publish the final data security rule that month, along with proposed rules for a health plan identifier and a claims attachment standard.

June 18, 2002

A federal judge in Houston has dismissed a lawsuit to overturn federal medical privacy regulations as unconstitutional. The lawsuit was filed by US Rep. Ron Paul (R-TX) and the Association of American Physicians and Surgeons (AAPS) against HHS and Secretary Tommy Thompson. The judge determined that the plaintiffs had not suffered actual or imminent injury by enforcement of privacy regulations in health care.

June 14, 2002

According to Health Data Management, provider and payer organizations must implement significant portions of the security rule--final or not--to fully comply with the privacy rule, which has an April 14, 2003, deadline. “You can have security without privacy, but you cannot have privacy without security,” says Thomas Walsh, principal consultant at CTG HealthCare Solutions, Cincinnati. “By default, you need some minimum security in place by April.” Walsh spoke at the Healthcare Information and Management Systems Society’s (HIMSS) inaugural Summer Conference this week in Las Vegas. He gave attendees a HIPAA Security Readiness checklist of 36 tasks, some of which should be completed now and others which should be in progress.

June 14, 2002

JCAHO Will Not be a HIPAA Enforcer

Two common misconceptions concerning the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) were clarified at the HIMSS' Summer Conference this week. Speaking at the conference, Richard Croteau, M.D., executive director for strategic initiatives at JCAHO, said that JCAHO will not enforce HIPAA requirements, despite what some attorneys and consultants have been purporting in recent years. "We will survey compliance with accreditation standards, not HIPAA regulations." Another misconception, according to Croteau, is that HIPAA and JCAHO requirements conflict with each other. "There are no contradictions between HIPAA and JCAHO standards," contends Croteau.

June 7, 2002

HHS Receives Thousands of Requests to Extend Compliance Deadline

According to AHANews, more than 13,000 companies and organizations are seeking an additional year to comply with HHS' rule on electronic data interchange, Elizabeth Holland of HHS' Centers for Medicare & Medicaid Service told a regulation compliance conference this week. Affected entities have until Oct. 15 to submit a compliance plan or ask for an extension under the Administrative Simplification Compliance Act (ASCA).

May 31, 2002

Three HIPAA Regs Published Today

The following three HIPAA regulations were published in the Federal Register today:

The concurrent comment periods for the NPRMs are 30 (as opposed to the usual 60) days. The initial compliance date for the Employer Identifier will be approximately July 30, 2004 (July 30, 2005 for small health plans).