
The HIPAA Implementation Newsletter Issue #37 – June 28, 2002 | Status: Rules | Privacy | Security | Transactions
Posted: Jul 01 2002
Hal Amens

Status: Privacy and Security Regulations

The Department of Health and Human Services will publish the new final privacy rule in August according to John Hoff, HHS deputy assistant secretary. … August could be a busy time for HIPAA rules. HHS officials recently said the department expects to publish the final data security rule along with proposed rules for a health plan identifier and claims attachment standard next month.

www.healthdatamanagement.com

~=~=~=~=~=~=~=~=~=~=
On July 2, we will be asking and answering the questions “What is HIPAA?” and “What do you need to know?” in an online event produced by SearchSecurity at 01:00 PM EDT. This will be a high-level presentation that may be of interest to some of your associates.

searchsecurity.techtarget.com
~=~=~=~=~=~=~=~=~=~=

Privacy: Applicability to Health Care Providers

Which health care providers are “covered entities” for purposes of the [first] final Privacy rules? The simple answer is: “A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.” Essentially the same wording is used in the Act and in the rules for transactions and privacy. However, the Preface to the Privacy rules says: “We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. A provider could not circumvent these requirements by assigning the task to its business associate since the business associate would be considered to be acting on behalf of the provider.” (aspe.hhs.gov) This expands the definition to include essentially any health care provider who receives any payment as a result of, or via, an electronic transaction. Even if a health care provider does not fit the strict definitions of HIPAA, it is likely that the courts would apply the privacy standards of HIPAA to any breach of privacy. As a practical matter, every health care provider should assume they are subject to the privacy standards imposed by HIPAA, and they must comply with the privacy regulation by April 14, 2003. We are not attorneys; if there is any doubt, providers and their advisors should review the impact of HIPAA with legal counsel.

Privacy: Divorce and Restrictions on Disclosure

An attorney we know has a case where one partner in a divorce has obtained the medical records of their partner and is using those records as a basis to argue that their partner should not be given child custody. The privacy rules require notice to patients about their rights including a right to request restrictions on disclosures. That raises the possibility that divorce lawyers will begin their case preparation by contacting all of their client’s providers and plans and requesting a restriction on disclosure “to a family member, [or] other relative.”

HIPAA requires that providers and plans have a policy and procedures dealing with restrictions on disclosures. They are not required to agree to a restriction, but a refusal could lead to a request for a court order and bad publicity for the provider or plan. This type of request also provides a form of radar for plaintiff’s attorneys who are looking for providers and plans that may not be HIPAA compliant. If you need a triage plan, you should probably give this set of policies and procedures a high priority. Again, if there is any doubt, review this with legal counsel.

Privacy regulations at aspe.hhs.gov
164.510(b) and 164.522


Security: Developing Policies

“‘Creating a security policy is really, really hard,’ said Chris Christiansen, IDC's program vice president for e-business infrastructure and security software. ... ‘Getting it right is increasingly difficult.’

“An effective policy will take lots of heated discussion among all the involved parties. No one wants to be inconvenienced by security. Plus, different areas of the enterprise have different conceptions of what security really is. ‘There's a lot of back and forth between the three groups (HR, legal, business unit),’ said Lewis Kok, an administrator with Zurich Insurance. ‘There's some arguing, but it's necessary to have a strong policy in place. Though such a process isn't pleasant, it's imperative to create a policy that addresses security in a workable fashion. A policy that isn't followed is worthless.’

“‘Security policies for hospitals also have special requirements. They cannot tell doctors what they should do. Not like a bank would tell their tellers what to do,’ said J.D. Hedgespeth, information security officer for Catholic Healthcare Partners in Cincinnati. A policy cannot impede doctors from treating patients. ‘Just the process of logging in and out takes time away from treatment. Some may say, What does it take? 10 seconds? Well, yes, but in some cases, 10 seconds may be too long,’ Hedgespeth said.

searchsecurity.techtarget.com


Security: People, Processes to Supersede Technology

“Giga Information Group vice president and research leader Steve Hunt espoused the theory … that security in the enterprise is a people and process problem, with technology trailing in third on the list of priorities for security officers. ‘Effective people and processes equal good security,’ Hunt said.

“A solid starting point for most big business is the appointment of a chief security officer (CSO), a coordinator of security efforts in the enterprise that is on a par with other senior management and reports to the CEO. … Hunt expects CSOs to have a difficult future, especially if enterprises don't appoint them as frontline executives in the corporate structure.

“The security process, meanwhile, measures the effectiveness and efficiency of security in an enterprise. ‘Identify the current and desired state of enterprise security and the gap between them,’ Hunt said. ‘Measure the time it takes to create a policy or push it to users. Also, measure the time it takes to deploy and test technology and the time it takes to respond to incidents.’

“Fundamentally, IT and security are at odds, Hunt said. ‘IT security staffs are doomed from the start,’ ... ‘IT security is handcuffed because they have the directive of throughput first and data protection second. Availability is mandated by business.’”

searchsecurity.techtarget.com


Transactions: Niche Vendors of Direct 837 Transaction Services

Gartner has a study about software packages that can be used instead of a clearinghouse to take billing formats from patient accounting systems and perform the necessary 837 format changes, payer edits and communication links. The report sells for $95.

www3.gartner.com


Transactions: Status of Requests for Extensions

Are you planning on filing for the Transactions and Code Sets extension?

Healthcare providers - 386 responses:

Yes: 333 or 86%
No: 53 or 14%

This poll began on Thursday, June 13, 2002 and will end Monday, July 1, 2002. Data is as of June 28.

www.hipaadvisory.com


Resources: CalHIPAA.com

There is a great deal of information about HIPAA on the Internet. One of the roles of this newsletter is to find material that is useful for the planning and management of HIPAA implementation. The other day we found another resource that provides access to information and professional support: CalHIPAA.com. They have a well-defined focus: “We offer information about the Health Care Portability and Accountability Act (HIPAA) to individual and small & medium size group practice health care providers nationwide.” A focused intention but a broad base of information; sort of a well-organized reference library. Some material is free; there is a one-time $59 fee to access the entire site.

www.calhipaa.com


HIPAA Conferences

The Centers for Medicare & Medicaid Services has announced the planned broadcast of "Meeting the HIPAA Challenge: Implementing the HIPAA Standards and the Administrative Simplification Compliance Act." This program will be a satellite broadcast and Webcast. The Webcast will be available for 90 days after the initial broadcast, which occurred on June 18, 2002.

www.hcfa.gov

“HIPAA -- What it is, and what you need to know.” Online event, July 2, 2002, at 01:00 PM EDT (17:00 GMT). Speaker: Hal Amens, President of Lyon, Popanz & Forester and the publisher of this newsletter.

searchsecurity.techtarget.com

The HIPAA Colloquium at Harvard University, August 19 - 23, 2002 in Cambridge, MA. The HIPAA Colloquium is well known for its intensity and advanced approach. … This summer's Colloquium focuses on practical workshops to assist organizations in meeting HIPAA compliance deadlines. The Colloquium is also offering special registration rates for groups of three or more from an organization's HIPAA compliance team.

www.HIPAAColloquium.com

The fifth National HIPAA Summit, October 30 - November 1, 2002 in Baltimore, MD.

www.HIPAASummit.com
