Rx2000HIPAA Digest, Volume 27

#1 From: Petehc@aol.com Subject: Re: The future of HIPAA
#2 From: Petehc@aol.com Subject: Re: The future of HIPAA
#3 From: dafeinberg@home.com Subject: Re: HIPAA Applicability
#4 From: Woosleew@aol.com Subject: ICF-DD
#5 From: paulsmith@dwt.com Subject: RE: HIPAA and military hospitals
#6 From: paulsmith@dwt.com Subject: RE: Question: Audits
#7 From: paulsmith@dwt.com Subject: RE: "Authorizing" access
#8 From: RTelesca@gigaweb.com Subject: RE: The future of HIPAA

********** Message #1 **********
From: Petehc@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: The future of HIPAA
Date: Sun, 11 Jun 2000 11:29:32 EDT

You are correct. Transfer and Storage Regs are out this month. If Privacy regs are out by November there will be a new topic of discussion with the Cocktail Set.

Pete Biagiotti
Aon, Insurance Brokers
818-363-9435

********** Message #2 **********
From: Petehc@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: The future of HIPAA
Date: Sun, 11 Jun 2000 11:59:31 EDT

Experiment? I can't comment.

Stricter. HIPAA already has: CMPs, Whistleblower, Right of Private Action and Federal pre-emption provisions. Maybe more Federal Pre-Emption will come about.

Application of CMPs against payors on the transfer and storage side, on a per provider basis, has to be clarified - the Feds have had so much financial success on the Fraud and Abuse, Billing Errors, side, I suspect the CMP, $25k aggregate per category of violation, will be applied against the payors on a per provider basis - those regs are out this month.

"...Healthcare is footing the research and development costs of securing the internet for eCommerce, eGovernment and eMilitary..."

Your point is well taken. I am not smart enough to comment. Based on your comments about "experiment" and your quote above.

Having said all that I have, yes, my gut is telling me, HIPAA will become more restrictive.

Some CA folks / providers are now starting to believe "...HIPAA is a good thing..."
But then, what do we know in CA!

Pete Biagiotti
Aon, Insurance Brokers
818-363-9435
pete_biagiotti@ars.aon.com

********** Message #3 **********
From: dafeinberg@home.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA Applicability
Date: Sun, 11 Jun 2000 22:09:34 -0700

The compliance rules for HIPAA are different for Transactions and Code Sets versus Privacy. The former stipulates when an organization must use Electronic Data Interchange (EDI) and particular EDI standards. The latter covers healthcare data and its "paper progeny"; whether the original data is used in EDI or just stored electronically.

It's the combination of Transactions and Code Sets with Privacy that is so 'fascinating'.

Dave Feinberg
Rensis Corporation [A Consulting Company]
206-617-1717
DAFeinberg@computer.org

Rx2000HIPAA@rx2000.org wrote:

Paul,

Regarding your statement that "a provider is covered by HIPAA only if it (or its agent, such as a billing agent or clearinghouse) transmits health information in electronic form in connection with a standard transaction," my interpretation of what is covered is any personally identifiable health information that has ever been maintained or stored in electronic format irrespective of the transaction sets.

Example: a provider has no computer and receives a paper report of a CT scan. The information on the report is covered under HIPAA as it emanated from the CAT scanner (digital electronic form).

Jean Acevedo, CPC, LHRM
VP Product Management
Cybear, Inc.

********** Message #4 **********
From: Woosleew@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: ICF-DD
Date: Mon, 12 Jun 2000 10:51:14 EDT

In all states I know of Intermediate Care Facilities (ICF's) are licensed as healthcare providers. I would, therefore, think they would be covered under the HIPAA regs.

Do you keep your vocational, recreational, social, and other habilitation records in the "medical record"?
If you do, it would be part of the medical record and, again, I think would be covered by HIPAA (assuming your records are electronic and used in transactions).

As I mentioned earlier, Don't split hairs. It really doesn't pay.

Others' thoughts?

Errick E. Woosley
3X HCSG
(513) 587-3100

********** Message #5 **********
From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: HIPAA and military hospitals
Date: Mon, 12 Jun 2000 09:29:16 -0700

Interesting point. Two thoughts--

1. HIPAA applies only to covered entities. It seems clear that if a provider does not transmit health information in electronic form in connection with a standard transaction (itself or through an agent), it is simply not covered by HIPAA, even if it receives information that would be protected by HIPAA in the hands of a covered entity. In other words, for HIPAA to apply, both the entity holding the information must be a covered entity, and the information must be protected. In your example, if the provider receiving the CT scan report is not a covered entity, the paper CT report is not covered in the hands of that provider. (This conclusion leaves out the possibility that the provider may have a business partner arrangement that would require it to protect the information.)

2. Suppose, however, that the provider receiving the paper CT report is a covered entity. Suppose that the CT report was maintained in electronic form by the provider producing the scan, and that the provider producing the scan is also a covered entity. The information in the paper CT report would be protected in the hands of the provider producing it, for the reasons you give. But would it also be protected in the hands of the entity receiving it, who never maintained or transmitted it in electronic form?
The regs are not clear on this, but I think the answer has to be no, because a provider that receives paper records from another provider has no reliable way of knowing whether the other provider is a covered entity, or, if it is, whether the other provider (or perhaps some previous provider in the chain of transmission) maintained or transmitted the information in electronic form.

I'd be interested in your thoughts on this.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Friday, June 09, 2000 1:27 PM
To: Rx2000HIPAA@rx2000.org
Subject: RE: HIPAA and military hospitals

Paul,

Regarding your statement that "a provider is covered by HIPAA only if it (or its agent, such as a billing agent or clearinghouse) transmits health information in electronic form in connection with a standard transaction," my interpretation of what is covered is any personally identifiable health information that has ever been maintained or stored in electronic format irrespective of the transaction sets.

Example: a provider has no computer and receives a paper report of a CT scan. The information on the report is covered under HIPAA as it emanated from the CAT scanner (digital electronic form).

Jean Acevedo, CPC, LHRM
VP Product Management
Cybear, Inc.

----Original Message Follows----
From: Rx2000HIPAA@rx2000.org
Reply-To: Rx2000HIPAA@rx2000.org
To: Rx2000HIPAA@rx2000.org
Subject: RE: HIPAA and military hospitals
Date: Thu, 8 Jun 2000 09:22:15 -0700

I haven't heard anything definitive. I should think ICF-DDs are providers under HIPAA, because a provider includes any person who furnishes health care services or supplies in the normal course of business, and I believe ICF-DDs do this for clients who have medical conditions, as most of them do.
However, a provider is covered by HIPAA only if it (or its agent, such as a billing agent or clearinghouse) transmits health information in electronic form in connection with a standard transaction. I suspect most ICF-DDs don't do this.

And if an ICF-DD is covered, the privacy restrictions pertain only to health information that is or has been electronically maintained or transmitted. Much has been said about the practical difficulty of distinguishing this kind of health information from paper-based information, but it may be possible to keep it separate from information relating to training and daily activities.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, June 08, 2000 6:20 AM
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA and military hospitals

On the subject of who is included, has anyone heard a definitive answer on whether agencies providing services to people with mental retardation (aka developmental disabilities), particularly those funded by Medicaid under the ICF/MR program, will have all records covered by HIPAA, or only medical records. For years, the field has been careful to make the distinction that a person with MR/DD was not sick, and therefore should not be referred to as a patient. Much of the contents of the records would involve training/education and assistance provided in activities of daily living. Usually funding is a single daily amount, but the funding is suspended for hospital stays if they occur.

----- Original Message -----
From:
To:
Sent: Tuesday, May 30, 2000 6:32 PM
Subject: RE: HIPAA and military hospitals

I suspect that there is a lot going on behind the scenes re: this subject.
It was widely understood that some considerable part of the more recent delays was the realization that the MTFs may be included and that caused commensurate dismay,

Joe a

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Tuesday, May 30, 2000 12:15 PM
To: Rx2000HIPAA@rx2000.org
Subject: HIPAA and military hospitals

Can anyone tell me whether or not military hospitals will be required to comply with HIPAA regulations? I have heard both yeas and nays. I have also read some of the proposed regs and found nothing that seemed to explicitly exclude military hospitals.

Thanks for your help with this!

Lane Hatcher
Systems Engineer, Wilford Hall Medical Center
Lackland AFB, San Antonio, TX
rhatcher@flash.net

********** Message #6 **********
From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Question: Audits
Date: Mon, 12 Jun 2000 09:58:28 -0700

Did you get an answer? If not, please clarify--are you asking about a covered entity's responsibility for internal audits? A provider's responsibility to audit business partners? Some context for the question would help.

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Friday, June 09, 2000 6:46 AM
To: Rx2000HIPAA@rx2000.org
Subject: Question: Audits

Has anyone seen any information on what type of audits might be required for the transactions? Including how often, data monitored, user information monitored, patient info monitored, comparisons, etc?

Any information would be appreciated!

-Kathrine Mancell
Business Analyst
MedServe Link, Incorporated
kmancell@medservelink.com

********** Message #7 **********
From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: "Authorizing" access
Date: Mon, 12 Jun 2000 10:16:44 -0700

There are no specific standards, except for disclosures to governmental agencies. Proposed reg 164.518(c) covers this.
It requires "adequate" procedures for verifying identity and authority for access, where the identity and authority are not already known. The covered entity must use procedures that are "reasonably likely to establish that the individual or person making the request has the appropriate identity for the use or disclosure requested." However, verification is not required when the disclosure is made on a routine basis to persons or entities with whom the covered entity interacts in the normal course of business, or who are otherwise known to the covered entity.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, June 08, 2000 7:19 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: "Authorizing" access

I should probably clarify the context of my question. It is actually focused on what health plans, TPA's, and others who are not the employers of the individuals requiring access, and who have a contractual relationship with the entity (but not necessarily directly), need to do to verify the identity of people before issuing them the capability of reviewing eligibility information and claims status information. Both of these transactions, I believe, fall under the HIPAA definition of "patient confidential or patient identifying" data.

Under those circumstances, it becomes harder for a plan to validate who the people requesting access are....

Jan

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, June 07, 2000 3:28 PM
To: Rx2000HIPAA@rx2000.org
Subject: Re: "Authorizing" access

Fortunately, the government has left some of the decisions to us. Presumably a clerk in the clinic or hospital is an employee or a contractor, and HR has followed its Policies and Procedures in verifying the person's identification before authorizing the issuing of access to patient data.
Some of the employer responsibilities in this regard are covered by the Department of Labor, IRS and Social Security regulations, steps which must be taken for employees now.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #8 **********
From: RTelesca@gigaweb.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: The future of HIPAA
Date: Mon, 12 Jun 2000 17:00:49 -0400

We should remember that the HIPAA legislation was actually in response to requests from the health care industry for the standardization of health information. It is very unlikely that HIPAA will be repealed. I think the transaction sets and security standards will be finalized pretty much as proposed though I expect some clarifications in the security standards. The identifiers may be reworked a little, but I wouldn't count on them going away.

Although implementation may require more time and effort than we would like, the standards will greatly simplify the flow of information reducing operating costs over time and improving health services. I don't think that any investment in HIPAA standards will be wasted. Another way to look at HIPAA is that it is a means to jump start eHealth initiatives, which will be crucial for success in the evolving health care industry.

On the other hand, I still give the privacy standards a 50/50 chance of being superseded by a general Internet privacy standard or massaged into general privacy standards. The HIPAA privacy standards were proposed because the HIPAA legislation called for the secretary to propose health privacy regulations if Congress had not acted on general privacy regulations by August of 1999. As you can see in the news, there is now increasing pressure for Congress to act on general privacy regulations. However, I don't see that it is in either party's benefit to pass such legislation prior to the elections.
After the elections, I think we'll see some action.

Rick

Richard J. Telesca
ePractices Research
Giga Information Group
54 Lavender Lane
Rocky Hill, CT 06067
860.257.8527 (phone)

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, June 08, 2000 10:22 AM
To: Rx2000HIPAA@rx2000.org
Subject: The future of HIPAA

In discussions at the hospital about preparations for HIPAA, one question keeps surfacing and wanted to see if any other organizations are having the same discussions. Since HIPAA is a compromise bill sponsored by Democrats, and since all formal rules have yet to be established, in the event of a Republican White House and Congress in 2001, how certain are we that this law will stand long enough for everyone to become compliant.

Any thoughts?

Phyllis Ingram
Beebe Medical Center