The HIPAA Implementation Newsletter - Issue #40 - Friday, August 23, 2002 --- Online Security

Online Security, a global provider of computer forensics and information technology risk mitigation since 1997

Go back

The HIPAA Implementation Newsletter - Issue #40 - Friday, August 23, 2002

The HIPAA Implementation Newsletter Issue #40 – Friday, August 23, 2002 | 2nd Final Rule | Privacy | Strategy |
Posted: Aug 26 2002
Hal Amens

The HIPAA Implementation Newsletter

Issue #40 – Friday, August 23, 2002

| 2nd Final Rule | Privacy | Strategy |

Status: 2nd Final Privacy Rule

“The Department of Health and Human Services on August 14th … publish[ed] final modifications to the Privacy Rule…”

More: www.hhs.gov
---------------

Privacy: Table of Contents for Modifications

“The Health Privacy Project, Georgetown University has put together a table of contents for the HHS Modifications To Health Privacy Rule as published in Volume 67 of the Federal Register (Aug. 14, 2002).” This is a good place to start.

More at: www.healthprivacy.org
---------------

Business Associates: Sample Contract

HHS “provides these sample business associate contract provisions in response to numerous requests for guidance. This is only sample language. These provisions are designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these sample provisions is not required for compliance with the Privacy Rule. The language may be amended to more accurately reflect business arrangements between the covered entity and the business associate.”

More at: www.hhs.gov
---------------

Business Associates: Compliance Date

“HHS provides a transition period for certain business associate contracts, permitting covered entities to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003 privacy compliance date. The transition period is available for covered entities that have an existing contract with a business associate prior to October 15, 2002, provided that the contract is not renewed or modified prior to April 14, 2003. Covered entities with qualifying contracts are permitted to continue to operate under those contracts with their business associates until April 14, 2004, or until the contract is renewed or modified, whichever is sooner.

“This delay is not available in situations where no written contract exists as of October 15, 2002. An employer that does not have an existing written arrangement with a vendor must have a written business associate contract in place by April 14, 2003 with that vendor. Similarly, any qualifying contract that comes up for renewal or renegotiation prior to April 14, 2004 must meet the business associate requirements when the renewal or renegotiations are finalized, even if that date is prior to April 14, 2004. Evergreen or other contracts that renew automatically without any change in terms or other action by the parties are eligible for the full transition period. ...

“It is important to note that notwithstanding any available delay in signing business associate contracts, a covered entity's other obligations under the privacy rules are unaffected by this transition period. For example, a covered entity will still be responsible for ensuring that an individual can access his or her PHI as of April 14, 2003, even if that PHI is maintained by a business associate and there is not yet a business associate contract in place with that business associate, and a covered entity will still be responsible for mitigating any harmful effect of an improper use or disclosure of PHI by the business associate to the extent that the covered entity knows of the harmful effect. ...”

More at: www.pwchealth.com
---------------

Privacy: Sanctions

“Specifically, the Privacy Regulations require covered entities to apply and document ‘appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures’ or the regulations. The proposed Security Standards require the same, but also require covered entities to inform employees, agents and contractors that misuse or misappropriation and other violations may result in civil or criminal penalties and/or ‘notification to law enforcement officials and regulatory, accreditation, and licensure organizations.’

“The corrective actions initiated should be progressive as well as reasonable and commensurate to the violations. In addition to typical sanctions — verbal warning through termination — covered entities may employ system-related penalties such as removal of user account(s), system privileges and/or employee ‘perks.’

“Thoroughly document corrective or disciplinary actions taken pursuant to the policy. Finally, retain documents related to such actions in employees’ HR files or contract files/binders for at least 6 years and 10 years (after termination of the contract), respectively.”

More at: www.mintz.com
---------------

Privacy: Iowa Dead Baby

“What started as an investigation into the case of a dead infant in a small, Iowa town has turned into a question of medical privacy that is receiving national attention.

“On May 30, a dead infant was found at a recycling center in Storm Lake. During the subsequent police investigation, the Buena Vista County attorney obtained a court order seeking the records of women who took pregnancy tests at hospitals and clinics during the previous months. … a district judge has ordered Planned Parenthood to release records, but a temporary stay was subsequently issued by the Iowa Supreme Court.

“… Federal guidelines on medical privacy are detailed in the Health Insurance Portability and Accountability Act of 1996, … The Storm Lake case is one that's ripe to more clearly define the bounds of medical privacy in law-enforcement investigations.

“… But this case is no longer just about finding the mother of a dead infant. It's about the possibility of setting a precedent that allows law enforcement broad access to everyone's medical records. If a blood sample containing a certain medication is found at a crime scene, does that give police access to medical records from all the hospitals and doctors’ offices of anyone taking that medication? If police have a DNA sample in a rape, can they go on a fishing expedition for every tissue sample in local hospitals and clinics in search of a match?

“The Storm Lake case isn't about women's rights. It's isn't about dead infants. It isn't about abortion. It's about medical privacy. And it needs to be judged outside its emotionally charged circumstances.”

COMMENTARY: HIPAA is being recognized and cited by a newspaper as the standard for medical privacy. The issue of medical privacy is moving from regulatory to media and judicial. The rules for privacy will continue to evolve.

Editorial in the Des Moines Register August 16, 2002

More at:desmoinesregister.com
---------------

Privacy: Employers

“HIPAA privacy regulation may represent the most detailed set of requirements to which employee health benefits have ever been subjected, but it can be summarized generally as requiring that all employers offering health benefits implement the following measures before April 14, 2003:

· Securing (both physically and technically) records containing individually identifiable health information so that they are not readily available to those who do not need them.

· Separating benefit plan administration from other HR functions, changing plan documents accordingly, and certifying compliance to vendors.

· Providing information to employees about their privacy rights and how their information can be used or disclosed.

· Designing and adopting clear privacy procedures, and training affected employees on them.

· Designating an individual (the privacy officer) to be responsible for seeing that the privacy procedures are adopted and followed.

· Identifying and contracting with all business associates regarding adherence to privacy rules, and taking action if a violation is known.

· Establishing processes for employees to access and amend their protected health information, as well as to receive accountings of disclosures of that information.

· Providing complaint and remediation processes.

“Although there are considerable regulatory penalties for noncompliance, it is unlikely that the regulators will proactively enforce the HIPAA rules against employers outside of the healthcare and health insurance industries ... Employers are generally more concerned about civil liability in state court actions–for example, for wrongful termination or breach of fiduciary duty–using national HIPAA standards as a considerably higher “floor” for the privacy of employee health information. …

“HIPAA defines protected health information (PHI) very broadly, ... Particularly noteworthy for an employer is that such information is PHI if it is created or received either by a covered entity or by an employer. To be sure, the detailed requirements of the HIPAA rules apply only to HIPAA’s covered entities, but employers are probably right to be concerned that any individual health information created or received by an employer can be accurately characterized–in the state court actions and media pieces they anticipate–as information protected under federal law.”

More at: www.pwchealth.com
---------------

Privacy: Written Authorization

“The final revisions clarify that the minimum necessary standard does not apply to uses and disclosures made pursuant to a written authorization obtained from the individual.”

More at: www.pwchealth.com
---------------

Strategy

“For almost two years, industry surveys conducted by HIMSS indicated that HIPAA compliance was a major IT and business operations priority. During this time, providers especially have encountered other critical business priorities and financial constraints. Mergers, seismic retrofitting in California and normal drains on resources, such as state regulations and JCAHO accreditation surveys, have all prevented many healthcare systems from dedicating the resources needed to aggressively plan for reengineering business operations.

“HIPAA compliance does not appear to be considered the strategic business opportunity that many HIPAA proponents expected - and that the covered entities reported themselves in the HIPAA compliance surveys. In the spring 2002 Phoenix Health Systems and HIMSS survey, 46% of providers responded that they favored a strategic approach. Another 21% of all respondents planned to use a ‘best practices’ approach.

“Symptoms of this contention of priorities and funding limitations include the following:

Although 83% of providers represented in the March 2002 Health Care Compliance Association's HIPAA readiness survey's s preliminary findings indicated that a Privacy Officer has been designated, only 37% reported that have developed cost estimates for privacy, security and transaction requirements
Providers are demanding easy, cookie cutter, solutions for their privacy deficiencies. For instance:
o They are pushing for nominally priced or free templates of policies, procedures and forms

o To tackle the need for new business associate agreements, they are considering adding boiler plated contract addenda to contracts without thoroughly reviewing the original contractual terms and conditions

o Those who are dependent on vendor solutions appear to be willing to wait-and-see what their vendors will include in their HIPAA releases. …

Still other providers feel there will be further extensions in deadlines. They assume this because there have been significant changes in the rules, extensions in deadlines and legal cases contesting the applicability of the provisions.
Many providers view HIPAA as just another regulatory obligation. As a result, they have clearly not shared the vision of the combined industry group that pressed for the reforms in healthcare administrative simplification.

“The result of the prevailing apparent apathy and resistance to a strategic focus on HIPAA could be a series of financial failures and major disruptions to the provision of medical services. Moreover, targeting minimal compliance can result in inefficient and costly solutions.

“In that regard, the authors of the PricewaterhouseCoopers report point out ‘...compliance could be obtained while becoming less efficient and more complex.’ The cost to resolve problems post-implementation will outweigh the supposed advantages of relying on minimal, unproven and untested products…

“Completing a concerted HIPAA assessment as a strategic business initiative will uncover both direct and indirect business process benefits. Many deficiencies will surface. Some will require immediate attention. Some will be resolved by employing HIPAA-oriented best practices, and others resolved by streamlining related processes.

“The PricewaterhouseCoopers authors say that the ‘most successful and valuable HIPAA implementations we have seen to date are being performed by organizations that integrate simultaneously the requirements and opportunities of HIPAA into their strategic planning.’

“A strategic or ‘best practices’ directed compliance with HIPAA can realize significantly more tangible benefits and subjective competitive advantage than a passive plan to minimally comply. In fact, they may be the only safe means to a successful implementation.”

www.healthleaders.com
---------------

HIPAA Conferences

The HIPAA Colloquium at Harvard University, August 19 - 23, 2002 in Cambridge, MA, The HIPAA Colloquium is well known for it intensity and advanced approach. … this summer's Colloquium focuses on practical workshops to assist organizations in meeting HIPAA compliance deadlines. The Colloquium is also offering special registration rates for groups of three or more from an organization's HIPAA compliance team.

www.HIPAAColloquium.com

The fifth National HIPAA Summit, October 30 - November 1, 2002 in Baltimore, MD, www.HIPAASSummit.com

__________

Go Top