Rx2000HIPAA Digest, Volume 29

#1 From: SHaliloglu@wakemed.org
   Subject: HIPAA and SSO issues?.
#2 From: randy@habsoft.com
   Subject: ICF/DD
#3 From: Sslazarus@aol.com
   Subject: Re: ICF-DD
#4 From: Sslazarus@aol.com
   Subject: Re: ICF-DD
#5 From: paulsmith@dwt.com
   Subject: RE: ICF-DD
#6 From: paulsmith@dwt.com
   Subject: RE: ICF-DD
#7 From: Patricia.Carter@gpmlaw.com
   Subject: RE: Transmitted vs. Stored
#8 From: RTelesca@gigaweb.com
   Subject: RE: Transmitted vs. Stored

********** Message #1 **********
From: SHaliloglu@wakemed.org
To:
Subject: HIPAA and SSO issues?.
Date: Wed, 14 Jun 2000 09:59:03 -0400

What implications would be involved for SSO (single sign on) under the proposed HIPAA regulations in respect to audit and data security? Anyone using SSO who is concerned?

Thanks for the response.

Sal Haliloglu
Information Services
HIPAA Project Manager
Wakemed
3000 New Bern Avenue
Raleigh, NC 27610-1295
Shaliloglu@Wakemed.org

********** Message #2 **********
From: randy@habsoft.com
To:
Subject: ICF/DD
Date: Wed, 14 Jun 2000 13:52:48 -0400

The answer to this is probably the same answer as to the question "Who does the public complain to if they discover a HIPAA privacy breach?".

I talked with a HCFA representative at the AAMR annual meeting recently and concluded that regular ICF/MR surveys are unlikely to become an instrument of HIPAA compliance very soon. So I think I can rule out "your ICF/MR surveyor" as an answer. ICF/MR Conditions of Participation will have a draft rewrite circulated this summer for comment, but the rep who was very involved in that rewrite was not very familiar with HIPAA.

In my opinion, Congress has drafted laws that clearly state that some, if perhaps not all, ICF/MR record keeping is covered by HIPAA.

Anybody want to take a crack at my substitute question from the first sentence?

Randy Hersom
Habilitation Software Inc.

Subject: Re: ICF-DD

Who/what would be the ultimate/final decision maker to confirm if the ICF/DD, ICF/DD-H and ICF/DD-N facilities in California, also known as ICF/MR under the federal government fall under the HIPAA

********** Message #3 **********
From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD
Date: Thu, 15 Jun 2000 01:08:45 EDT

The final decision maker would be the FBI and the Office of the Inspector General. However, I suggest that you (and your attorney) read the definition of Provider in the Privacy NPRM or the about to be issued Transaction Standard Regulation. Then you can make your own decision and avoid the fines and jail time that will come with your lack of compliance before you reach the final decision maker.

Of course, if all of your patient records are paper, you have no computer printouts with patient information, and you are not concerned about timely, accurate payment; then do not be concerned about HIPAA.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #4 **********
From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD
Date: Thu, 15 Jun 2000 01:10:51 EDT

The security regulation applies whether data are transmitted or only stored.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #5 **********
From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: ICF-DD
Date: Thu, 15 Jun 2000 00:50:43 -0700

Before one sends the questioner to jail (or, worse still, to an attorney), one has to understand that (at least in California, where I think the questioner is), most ICF-DDs are group homes with no more than six clients who are generally long-term residents receiving fixed Medicaid payments. Physicians who treat clients' medical conditions bill Medicaid independently. In practice, the records are paper--typed care plans, and handwritten notes of activities of daily living and the like. Issues of timeliness and accuracy of payment simply aren't the same as they are in a hospital, or even a doctor's office.

Paul Smith
Davis Wright Tremaine LLP
paulsmith@dwt.com

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, June 14, 2000 10:09 PM
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD

The final decision maker would be the FBI and the Office of the Inspector General. However, I suggest that you (and your attorney) read the definition of Provider in the Privacy NPRM or the about to be issued Transaction Standard Regulation. Then you can make your own decision and avoid the fines and jail time that will come with your lack of compliance before you reach the final decision maker.

Of course, if all of your patient records are paper, you have no computer printouts with patient information, and you are not concerned about timely, accurate payment; then do not be concerned about HIPAA.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #6 **********
From: paulsmith@dwt.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: ICF-DD
Date: Thu, 15 Jun 2000 00:59:24 -0700

Right, but if you are a provider you are only a covered entity if you transmit in connection with a standard transaction, not so?

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, June 14, 2000 10:11 PM
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD

The security regulation applies whether data are transmitted or only stored.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #7 **********
From: Patricia.Carter@gpmlaw.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Transmitted vs. Stored
Date: Thu, 15 Jun 2000 09:47:40 -0500

Clarification: The security regulation applies [to all health information] whether data are transmitted or only stored. But a provider is not subject to the security regulation simply by maintaining health information, unless that information has been used in an electronic transmission between covered entities. See Section 142.302(b)(2).

Patricia I. Carter
Gray, Plant, Mooty, Mooty & Bennett
33 South Sixth Street
3400 City Center
Minneapolis, MN 55402-3796
(612) 343-2800
patricia.carter@gpmlaw.com

The opinions stated are mine and mine alone, and not necessarily those of my employer. I am a lawyer, but whatever I said above was not legal advice.

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: June 15, 2000 12:11 AM
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD

The security regulation applies whether data are transmitted or only stored.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #8 **********
From: RTelesca@gigaweb.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Transmitted vs. Stored
Date: Fri, 16 Jun 2000 11:49:58 -0400

You are correct, but we have to be very careful with this because the language is vague and somewhat inconsistent.

According to HIPAA an "electronic transmission would include transactions using all media, even when the information is physically moved from one location to another using magnetic tape, disk, or compact disk media. Transmissions over...networks are all included." This indicates that transmissions across internal networks would constitute a transmission for applicability purposes. So, anywhere networks are used the data would be subject to HIPAA security standards.

Also, under Section II, Provisions of this Proposed Rule, A. Applicability, it says "The security provisions of section 262 of HIPAA apply to any health plan, any health care clearinghouse, and any health care provider that electronically maintains or transmits any health information relating to an individual." This indicates electronically stored information is covered.

Considering the intention of the legislation, conventional wisdom suggests, and it would be prudent, that any health care data that is electronically stored should be protected according to the security standards.

Rick

Richard J. Telesca
ePractices Research
Giga Information Group
54 Lavender Lane
Rocky Hill, CT 06067
860.257.8527 (phone)

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, June 15, 2000 10:48 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Transmitted vs. Stored

Clarification: The security regulation applies [to all health information] whether data are transmitted or only stored. But a provider is not subject to the security regulation simply by maintaining health information, unless that information has been used in an electronic transmission between covered entities. See Section 142.302(b)(2).

Patricia I. Carter
Gray, Plant, Mooty, Mooty & Bennett
33 South Sixth Street
3400 City Center
Minneapolis, MN 55402-3796
(612) 343-2800
patricia.carter@gpmlaw.com

The opinions stated are mine and mine alone, and not necessarily those of my employer. I am a lawyer, but whatever I said above was not legal advice.