Online Security, a global provider of computer forensics and information technology risk mitigation since 1997
The HIPAA Implementation Newsletter Issue - #38 - July 26, 2002
In this issue: Security Delayed | Documentation | Project Contingency Planning | Transactions
Posted: Aug 23 2002, Hal Amens
We have published The HIPAA Implementation Newsletter every other week on schedule for 17 months. We had a “client crisis” before we left for vacation and missed the issue due July 12. We had a great two weeks bicycling in France lpf.adventure/france.com and are now back on schedule.
HIPAA Webinar
The last two issues have included an announcement that we would host a HIPAA Webinar produced by SearchSecurity and sponsored by BindView on July 2. There were almost 500 people online for the event. For those of you who joined us, thanks! The “silent screen” version (slides only) is at lpf.com/hipaa
The “talkie” version is at:
searchsecurity.techtarget.com
Security: Delayed Again?
“In an exclusive interview this month with Theresa Defino, Editor of Ingenix's ‘Practical Guidance on HIPAA and E-Health for the Physician Practice’ newsletter, Karen Trudel, director of the Centers for Medicare and Medicaid Services' (CMS) HIPAA project staff, says the final security rule will not be published in August as promised. Asked when she expects the final security rule to be released, Trudel said, ‘It is probably going to be in the fall. It will be on the regs [publication] agenda for October. One of the things we are doing is making sure that privacy and security are linked. We definitely need to take another look at it, in light of the private [sic] rule modifications, before it goes out the door.’
“Speaking with Health Data Management on July 22, Stanley Nachimson, senior technical advisor in CMS, said, ‘I would not expect to see it in August.’ Nachimson is part of the team within HHS responsible for promulgating HIPAA administrative simplification rules. Nachimson declined to say when the rule would be published or why it could be further delayed. The rule remains in the clearance process, he adds.”
More at: www.hipaadvisory.com
Documentation
What you do is important. What you document is almost as important, i.e., what you have done and why. The essence of the HIPAA regulations is “reasonableness.” Your privacy and security systems and your policies and procedures will come under intense scrutiny if there is a breach. There will be two basic questions: Why did you do this? Why didn’t you do that? Good formal documentation and contemporaneous notes will be critical to demonstrating why you did what you did and why that was reasonable under the prevailing circumstances and at that time.
Project Contingency Planning
Based on several recent conversations with health care leaders and two requests for proposals from organizations that are just getting started, it is time to look at project contingency planning. Of course you are already doing operational contingency planning as part of becoming HIPAA compliant; it is required by the regulations. Over the next several issues we will be looking at project contingency planning: what will you do if there are areas where you will not be compliant by the applicable deadline?
We will be looking at a number of topics and from two points of view. One point of view is: You have a plan and based on progress to date and the work to be done – by you or a vendor – there may not be enough time to assure compliance. The other point of view is: You haven’t even developed a definitive plan; you don’t know whether or not you can be compliant in time.
Does the world stop if you are not compliant? No. You are at risk for penalties and if there is a violation of privacy or security, you are at risk of larger damages in a lawsuit.
One of the most used words in the regulations is “reasonable.” If you are going to be late, the only reasonable course of action is to develop a plan to get compliant as soon as you know you have a problem and work according to plan as hard and fast as you can.
Project Contingency Planning: Transactions
One of the longest lead-time elements of HIPAA is transactions. If you are relying on a vendor, you need to be taking reasonable steps to assure that they will deliver a system or system upgrade in time for you to be compliant. That means you have to be ready to test transactions by April 16, 2003. To test a system, it must have completed its system testing and been installed by then.
If there is a risk you will not be ready to begin testing by April 16, 2003, review your plans and look for opportunities to begin training or other tasks before implementation. Look for ways to conduct some tasks in parallel to reduce the required calendar time. See if you need to hire temporary staff so that your experienced people have the time they need to work on compliance.
Review your vendor’s plans and performance to date and make a judgment about their ability to execute future plans in time to assure timely compliance. If there is any doubt, you need to make different arrangements with them – pay overtime, bring on additional people (although that is sometimes counterproductive), defer unnecessary modules – or make arrangements with someone else.
It is probably too late to find a new system vendor. But you could start the process of identifying and evaluating the use of a clearinghouse. Don’t wait too late. The best clearinghouses may be booked up early.
You also need to identify and contact your trading partners – organizations with which you will be conducting transactions – to determine their testing plans and expected compliance date. They may not be available to conduct tests with you and you need to know that; they may want to conduct tests with you before you will be ready and you need to let them know that. Testing, like tango, takes two. You will need to develop processes to keep trading partner schedules up to date. Ask them about their project contingency plans and be ready to share yours, just in case.
If you have done all of this and are still at risk, develop contingency plans, break them into phases and set trigger dates when each phase must be set in motion. Schedule progress reviews before those trigger dates so you have the information you need to determine whether you need to “pull the trigger.”
As an example of phases and trigger dates, if you may need to go to a clearinghouse, phase 1 may be to identify clearinghouses you may be able to use – set an early trigger date so you have time to conduct a thorough search. Phase 2, with a second trigger date, may be to contact several of them for availability, services and costs and select those that could be acceptable. Phase 3, with a third trigger date, may be to initiate contract negotiations. Plan to review your trigger dates at each phase depending on what you learn. For example, if phase 1 shows there are only two available options, you may want to move directly to phase 2 and then quickly to phase 3.
Transactions: Standard vs. Web Based
There have been a number of recent articles about health plans using Web portals to allow providers to check eligibility and perform other functions covered by standard transactions. As an example: “United Healthcare Tennessee last month launched an Internet portal that allows network physicians to file and amend claims, verify member eligibility for benefits, and check claims status online. The service, which is free to physicians, is intended to reduce delays in claims processing and improve the health plan's relationships with network physicians.”
More at: www.ihealthbeat.org [registration required]
This sounds like a good idea, but what about HIPAA? The transaction final rule says: “…If a person desires to conduct a transaction … with a health plan as a standard transaction … (C) the information transmitted and received in connection with the transaction shall be in the form of standard data elements of health information.” [SEC. 1175. (a)] A later section of the rule provides more definition and an exception: “(a) General rule. Except as otherwise provided in this part, if a covered entity conducts with another covered entity … using electronic media, a transaction for which the Secretary has adopted a standard under this part, the covered entity must conduct the transaction as a standard transaction. (b) Exception for direct data entry transactions. A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard.” [Sec. 162.923]
Regulations at: aspe.hhs.gov
WEDI/SNIP has reviewed this in a paper titled, “Impact on DDE Services” and concluded that, generally, the use of the Web for “direct data entry” is allowed. However, they raise a number of issues that must be addressed by a direct data entry or Web transaction. The paper concludes, “DDE services are popular with providers; however, provider systems are evolving such that the EDI systems in provider offices or their service providers (e.g. billing services, ASPs) will become full function, automatic systems.” We disagree. There are some transactions that lend themselves to EDI and others that lend themselves to the familiar format and interactivity of the Web. We suspect that providers will use both depending on availability and their specific needs. And, payers have Web sites for multiple purposes so the marginal cost of providing Web based inquiry is small. We expect to see widespread use of both formats.
More at: snip.wedi.org
Privacy Rule, Transactions, HIPAA Applicability
We have seen a number of articles, newsletters, etc., that suggest that the privacy regulations do not apply unless a provider transmits one or more standard transactions. This is consistent with a simple reading of the regulations. However, applicability is expanded in the HHS discussion of comments. We offer quotations, not legal comment. If in doubt, consult legal counsel.
“Section 160.102 Applicability. (a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter [Privacy] apply to the following entities: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”
More at: aspe.hhs.gov
Under the heading “Part 160 - Subpart A - General Provisions, Section 160.103 – Definitions - Covered Entity”: “… Lastly, we clarify that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to a contractor.”
More at: aspe.hhs.gov
Updates
We have added a new category to the Privacy and Security page: Check Lists.
lpf.com
HIPAA Conferences
The Centers for Medicare & Medicaid Services has announced the planned broadcast of "Meeting the HIPAA Challenge: Implementing the HIPAA Standards and the Administrative Simplification Compliance Act." This program will be a satellite broadcast and Webcast. The Webcast will be available for 90 days after the initial broadcast, which occurred on June 18, 2002.
More at: www.hcfa.gov
The HIPAA Colloquium at Harvard University, August 19 - 23, 2002 in Cambridge, MA, presents a special breakfast briefing on 'Privacy and the National Strategy for Securing Cyberspace' presented by Andy Purdy, Senior Advisor, IT Security and Privacy, The President's Critical Infrastructure Protection Board, Washington, DC. The HIPAA Colloquium is well known for its intensity and advanced approach. … this summer's Colloquium focuses on practical workshops to assist organizations in meeting HIPAA compliance deadlines. The Colloquium is also offering special registration rates for groups of three or more from an organization's HIPAA compliance team.
www.HIPAACOLLOQUIM.com
The fifth National HIPAA Summit, October 30 - November 1, 2002 in Baltimore, MD,
www.HIPAASummit.com