Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
The HIPAA Implementation Newsletter Issue #30 - March 22, 2002
In this issue: Second Final Privacy - Legal - Transactions - The Devil - Social Security Nos. - Tools
Posted: Apr 23 2002 by Hal Amens
The Second Privacy Final Rule
Yesterday, the U.S. Department of Health and Human Services announced proposed changes to the final federal health privacy regulation, which was issued in December 2000. The proposed modifications to the regulation will be published in the Federal Register next week with a 30-day public comment period.
HHS' press release is available at http://www.hhs.gov/news/press/2002pres/20020321a.html
HHS' summary of the proposed modifications is available at http://www.hhs.gov/news/press/2002pres/20020321.html
------------
We spent Wednesday through Friday last week at the HIPAA Summit West II conference in San Francisco. Most of the material in this issue is from that conference. In preparing each issue of this newsletter, we read a great deal of material. We were pleased at the number of sources cited at the conference that are already included in the resources pages on our Web site.
On the other hand, we were surprised at how much we still had to learn about HIPAA.
We selected two tracks from the large number offered at the conference. The first was legal issues that project managers need to be aware of. We are not attorneys. The material presented here is our interpretation of, or quotations from, material presented by attorneys or referenced by them. CONSULT YOUR LEGAL COUNSEL. The other area was lessons learned. The devil is in the details, and the “detail devil” can ruin the best-laid plans.
Legal: Security Now
HIPAA is the primary, but not the only, statute that applies. It is in effect now and imposes a high standard for security. “Each [covered entity] ... who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical and physical safeguards (A) to ensure the integrity and confidentiality of the information; and (B) protect against any reasonably anticipated (i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and (C) otherwise to ensure compliance with this part by the officers and employees of such person.” (42 USC 1320d-2(d)(2))
The first Final Privacy Rule says: “A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” The rule reinforces the security requirements established by HIPAA. It also establishes a standard for **security** that will be enforceable as of April 14, 2003, the rule’s implementation date. That is just over a year away. (45 CFR 164.530(c))
We encourage you to review the presentation “Essentials of HIPAA Security Litigation Risk Planning” by Richard D. Marks, Esq., with your legal counsel. Relevant case law dates back at least to 1928 and there are statutes and regulations beyond HIPAA that impact your organization’s analyses and decisions.
In a later panel, it was noted that the implementation period only means that HHS cannot yet enforce the regulation. The regulation is already law and may be recognized by a court in another matter. See the following article.
More at: http://hipaasummit.com/HIPAAWest2/agenda/index.html (search on “Marks”)
Legal: HIPAA Recognized by Court
The opening speaker on Day One of the conference was Alan S. Goldberg, Esq. He noted that at least one US court has recognized HIPAA and the Privacy Regulations. In United States of America v. Franklin Sutherland, tried in the US District Court for the Western District of Virginia, decided May 21, 2001, the court noted: “Not only have the courts recognized the importance of the privacy of medical records, but Congress has addressed the issue as well as part of (HIPAA) ... Although the Standards were effective April 14, 2001, compliance is not required until April 14, 2003. ... Nevertheless, the Standards indicate a strong federal policy to protect the privacy of patient medical records, and they provide guidance to the present case.”
More at: http://world.std.com/~goldberg/sutherland.pdf and http://www.healthlawyer.com/
Transactions: Testing Time
Some guidance about the amount of time required to test transactions was provided by Kepa Zubeldia, CEO of Claredi Corporation, during a panel discussion. Claredi provides HIPAA EDI testing and certification. Early users of their certification program tend to be experienced testers. It is taking two to six months to complete testing and the required modifications. Early testers have the luxury of time and are probably using it to minimize their costs. As the deadlines approach, it may be possible to reduce the elapsed time, but costs will probably increase. Even after certification, he recommended planning one to three tests for each transaction with each trading partner.
More at: http://www.claredi.com/ and http://lpf.com/hipaa/issue14.html#t-trans-test-cert-14
The Devil and the Details
Here is a series of items identified by speakers, and in one case by a member of the audience:
A clearinghouse found that the systems it had selected worked on a Windows 2000 platform, but not on Windows 98 or NT. Many of the doctors’ offices had older software that required re-entry of a password for every transaction, up to 20 times in a session. An alternative software solution had to be developed.
The same clearinghouse requested mother’s maiden name for authentication. Implementation was delayed. A significant number of users had supplied false names because they were concerned about the overuse of their mother’s maiden name as an identity check. When the system was delayed, a number of them forgot the false name they had used. It took time to figure out why remote users were having problems, and then their records had to be erased and re-entered with new (or corrected) names.
Today, the admitting desk in a hospital takes information for admittance. Eligibility is determined later and by someone else. Online eligibility means the admitting clerk will have to deal with eligibility problems and may have to deny service. This is a significant change in roles; most admitting clerks will not be ready to handle it and some may not be able to.
“Best practices” with regard to security in the context of federal regulations may be taken to mean the practices of the National Security Administration (NSA) or those of the finance industry. NSA’s are far too strict and expensive for healthcare. The finance industry has been working on theirs for several decades. There were recommendations to avoid characterizing security plans and systems as “best practices.” Consider “recommended,” “appropriate” or similar.
Your first encounters with EDI can be challenging. Start with your vendors, not your clients. Vendors who want your order and money will be more patient with you than people who owe you money.
Use of Social Security Numbers
A member of the audience asked if there was any possibility of a national personal identifier. Several panel members responded with a clear “no!” The question was in the context of California’s Senate Bill 168 which, among other things, “... would also provide that the prohibition on the use of social security numbers shall apply to providers of health care, health care service plans, licensed health care professionals, contractors, as defined, pursuant to delayed operative provisions.” (Various implementation dates but a common one is July 1, 2004.) Build flexibility into your systems.
More at: http://info.sen.ca.gov/pub/bill/sen/sb_0151-0200/sb_168_bill_20011011_chaptered.html Title 1.81.1. Confidentiality of Social Security Numbers
One Liners
* HIPAA compliance is the manifestation of good business practice
* Data well managed empowers people
* If the patient is surprised [with regard to privacy] you are probably doing something wrong
* We can’t expect privacy until hospitals give us gowns that fully close at the back
* Doctors don’t like technology they can’t bill for
* Policies must be implemented and enforced; they cannot be “shelfware”
* Hellmann’s Mayonnaise provides the following guidance: Keep Cool, Don’t Freeze
* Security is driven by liability and mandates; it is not a profit center
* The correct name for what we are talking about is the Administrative Simplification Subchapter (of HIPAA), but this is one time a federal acronym doesn’t work
* HIPAA is a plumbing project to build the pipes to move medical information. Privacy is about assuring they don’t leak; security is about assuring they can’t be diverted or polluted
* Being ready to test transactions before your trading partner is ready generates the sound of one hand clapping
* Don’t throw the ball until the other guy has his mitt on
* Health information on the Internet: “cyberchondria”
* HIPAA lays the foundation for the information-based future
---------
We found several vendors with tools at the conference. Inclusion here is not an endorsement. Whether or not a tool is appropriate for your particular circumstances is a decision only you are qualified to make. Whether or not a vendor is reliable is also your responsibility. We have reviewed the following material and, in our opinion, the material is relevant and is probably worthy of your further consideration.
Tools: COBOL HIPAA Modifications
“Micro Focus Revolve® Enterprise Edition is an application understanding environment for central analysis teams involved in estimating, assessing and managing inventory-wide mass change initiatives. … Our entire solution has been designed so it can be customized quickly to different mass change problems. This was the key in enabling Micro Focus, after meetings with several customers in the health care industry, to adapt our tools and processes to help them address their specific challenges related to HIPAA.
“Accurately estimating the cost of updating your IT systems for HIPAA compliance is essential in securing the appropriate budget for the project to be completed by the deadlines laid down by HIPAA and will include the level of quality required by the business. Using Revolve Enterprise Edition, a small central team can develop an automated HIPAA impact analysis and categorization process, define the effort and associated costs required for every category of change and generate accurate effort and cost estimation reports for all applications in the IT inventory.” Micro Focus was an exhibitor at HIPAA Summit II.
More at: http://microfocus.com/products/revolve/revolve_ee.asp?bhcp=1 and http://microfocus.com/files/whitepapers/Hipaa16.pdf [free registration required]
Tools: Security Management
“The CPRI Toolkit: Managing Information Security in Health Care, outlines general principles and provides best practice and examples of how health care providers should manage the security of their paper and electronic records. Sections of the CPRI Toolkit identify key activities to integrate into the process of managing information security, including:
* Monitoring and adjusting to the changing laws, regulations, and standards
* Developing, implementing, and continuously updating data security policies, procedures and practices
* Enhancing patient understanding of the organization's information security efforts
* Institutionalizing responsibility for information security
“Each section includes an introduction, a copy of the latest edition of the pertinent CPRI guideline, several case studies with sample policies, procedures and forms, and extensive references to print and Internet sources of more information. A consolidated annotated bibliography, a list of Web sites and a glossary of terms appear at the end of the CPRI Toolkit.”
Members of the Toolkit Content Committee are listed on the Web site. CPRI-HOST was an exhibitor at HIPAA Summit II.
More at: http://cpri-host.org/ (the sponsor)
http://cpri-host.org/resource/toolkit/toolkit.html (introductory material)
http://cpri-host.org/toolkit/toc.html (the toolkit)
Tools: Online Self-Assessment
“HIPAA ‘ComplyOnline’ is a subscriber service for health care providers and health plans and provides a self-assessment and step-by-step program for compliance with the HIPAA privacy regulations. It is NOT Ohio specific and is designed for health care providers, health plans and physicians. Subscribers may access the Self-Assessment and Compliance Guide using the appropriate link below:
· HIPAA Compliance for Health Care Facilities, sponsored by the Ohio Hospital Association
· HIPAA Compliance for Health Plans, sponsored by the Ohio Association of Health Plans and the Association of Ohio Life Insurance Companies
· HIPAA Compliance for Physicians, sponsored by the Ohio State Medical Association
“This site is maintained by Bricker & Eckler LLP on behalf of the Ohio Hospital Association, the Ohio Association of Health Plans, the Association of Ohio Life Insurance Companies, and the Ohio State Medical Association and is a copyrighted, password-protected program for subscribers to the HIPAA Privacy Self-Assessment and Compliance Guides.” hipaacomplyonline.com was an exhibitor at the conference.
More at: http://www.hipaacomplyonline.com/
Tools: Online Analysis & Documentation
“HIPAA ‘ComplyAssistant’ is a tool designed to guide healthcare providers through surveys, gap analysis, mitigation, and due diligence documentation. Survey questions are taken directly from the HIPAA regulations. Answers are either yes or no. A ‘No’ answer is a gap to be mitigated. Gap levels (e.g., partial process in place = 1) are recorded, resulting in quantitative reports and graphs. HIPAA due diligence progress can, therefore, be baselined and tracked via reports and graphs… Comment fields, proposed solutions, and action history are recorded for due diligence documentation… It is designed in MS-Access, a standard database application.”
More at: http://www.blassconsultingllc.com
HIPAA Conferences
The Fourth National HIPAA Summit, April 24-26, 2002, Washington, D.C.
http://www.hipaasummit.com/HIPAA4/index.php3