Rx2000HIPAA Digest, Volume 30

#1 From: Thomas.Sadauskas@tma.osd.mil Subject: RE: Transmitted vs. Stored
#2 From: Patricia.Carter@gpmlaw.com Subject: RE: Transmitted vs. Stored
#3 From: Patricia.Carter@gpmlaw.com Subject: RE: Transmitted vs. Stored
#4 From: Sslazarus@aol.com Subject: Re: ICF-DD
#5 From: Sslazarus@aol.com Subject: Re: Transmitted vs. Stored
#6 From: jeanace@hotmail.com Subject: RE: ICF-DD
#7 From: jeanace@hotmail.com Subject: RE: Transmitted vs. Stored
#8 From: John_Poole@providentcompanies.com Subject: Accountability of Insurance Companies

********** Message #1 **********
From: Thomas.Sadauskas@tma.osd.mil
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Transmitted vs. Stored
Date: Fri, 16 Jun 2000 13:59:34 -0400

I have to agree with Steve Lazarus on this one. The HIPAA security requirements apply to electronic health information whether or NOT the information has been transmitted electronically between covered entities. The following quotes from the Security NPRM dated August 12, 1998 support this position:

Federal Register/Volume 63, No 155, August 12, 1998, Pg 43245

II. Provisions of this Proposed Rule - 2nd paragraph, 2nd sentence

This rule would establish that health plans, health care clearinghouses, and health care providers must have the security standard in place to comply with the statutory requirement that health care information and individually identifiable health care information be protected to ensure privacy and confidentiality when health information is electronically stored, maintained, or transmitted.

A. Applicability - same page, next section

With the exception of the security provisions, section 262 of HIPAA applies to any health plan, any health care clearinghouse, and any health care provider that transmits any health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. The security provisions of section 262 of HIPAA apply to any health plan, any health clearinghouse, and any health care provider that electronically maintains or transmits any health information relating to an individual.

To me it's clear that if you maintain the individual health data in electronic form, HIPAA security provisions apply whether you ever do an EDI transaction or not! Even solo practitioners still running a 286 PC will have to comply.

Tom Sadauskas, FHFMA, CHE, CPA
HIPAA Compliance Program
Logicon, A Northrop Grumman Company
Voice - 703-575-0119 (NEW)
Fax - 703-575-0215 (NEW)
thomas.sadauskas@tma.osd.mil

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Thursday, June 15, 2000 10:48 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Transmitted vs. Stored

Clarification: The security regulation applies [to all health information] whether data are transmitted or only stored. But a provider is not subject to the security regulation simply by maintaining health information, unless that information has been used in an electronic transmission between covered entities. See Section 142.302(b)(2).

Patricia I. Carter
Gray, Plant, Mooty, Mooty & Bennett
33 South Sixth Street
3400 City Center
Minneapolis, MN 55402-3796
(612) 343-2800
patricia.carter@gpmlaw.com

The opinions stated are mine and mine alone, and not necessarily those of my employer. I am a lawyer, but whatever I said above was not legal advice.

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: June 15, 2000 12:11 AM
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD

The security regulation applies whether data are transmitted or only stored.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #2 **********
From: Patricia.Carter@gpmlaw.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Transmitted vs. Stored
Date: Sat, 17 Jun 2000 14:07:05 -0500

Counterpoint: Your position relies on the language of the preamble, not the regulation itself. While the comments in the preamble are very useful, they are not the law. The regulation itself, which I cited below, is more precise and, IMHO, section 142.302 requires a transmission between some combination of covered entities to trigger application of the law to a provider.

There are inconsistencies among the various HIPAA administrative simplification rules, and for some of the proposed regulations, even between the preamble and the rule itself on some points. In these cases, we need to focus on the language of the regulation itself.

Patricia I. Carter
Gray, Plant, Mooty, Mooty & Bennett
33 South Sixth Street
3400 City Center
Minneapolis, MN 55402-3796
(612) 343-2800
patricia.carter@gpmlaw.com

The opinions stated are mine and mine alone, and not necessarily those of my employer. I am a lawyer, but whatever I said above was not legal advice.

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: June 16, 2000 1:00 PM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Transmitted vs. Stored

I have to agree with Steve Lazarus on this one. The HIPAA security requirements apply to electronic health information whether or NOT the information has been transmitted electronically between covered entities. The following quotes from the Security NPRM dated August 12, 1998 support this position:

Federal Register/Volume 63, No 155, August 12, 1998, Pg 43245

II. Provisions of this Proposed Rule - 2nd paragraph, 2nd sentence

This rule would establish that health plans, health care clearinghouses, and health care providers must have the security standard in place to comply with the statutory requirement that health care information and individually identifiable health care information be protected to ensure privacy and confidentiality when health information is electronically stored, maintained, or transmitted.

A. Applicability - same page, next section

With the exception of the security provisions, section 262 of HIPAA applies to any health plan, any health care clearinghouse, and any health care provider that transmits any health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. The security provisions of section 262 of HIPAA apply to any health plan, any health clearinghouse, and any health care provider that electronically maintains or transmits any health information relating to an individual.

To me it's clear that if you maintain the individual health data in electronic form, HIPAA security provisions apply whether you ever do an EDI transaction or not! Even solo practitioners still running a 286 PC will have to comply.

Tom Sadauskas, FHFMA, CHE, CPA
HIPAA Compliance Program
Logicon, A Northrop Grumman Company
Voice - 703-575-0119 (NEW)
Fax - 703-575-0215 (NEW)
thomas.sadauskas@tma.osd.mil

********** Message #3 **********
From: Patricia.Carter@gpmlaw.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Transmitted vs. Stored
Date: Sat, 17 Jun 2000 14:17:24 -0500

Because of the inconsistencies you mention, I believe it is all the more important to focus on the language of the regulation itself, and not rely too much on the more general language and comments of the preamble.

With regard to your comment regarding internal network transmissions: Even if these are within the definition of an electronic transmission, are they transmissions BETWEEN covered entities, as required by Section 142.302 of the security regulation?

Sorry to split hairs, because I actually do believe that from a practical standpoint and for implementation purposes, it is probably wise for providers to take a broader view of the requirements. At the same time, it is important to bear in mind the distinction between what is legally required and what may merely be a good idea.

Patricia I. Carter
Gray, Plant, Mooty, Mooty & Bennett
33 South Sixth Street
3400 City Center
Minneapolis, MN 55402-3796
(612) 343-2800
patricia.carter@gpmlaw.com

The opinions stated are mine and mine alone, and not necessarily those of my employer. I am a lawyer, but whatever I said above was not legal advice.

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: June 16, 2000 10:50 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Transmitted vs. Stored

You are correct, but we have to be very careful with this because the language is vague and somewhat inconsistent. According to HIPAA an "electronic transmission would include transactions using all media, even when the information is physically moved from one location to another using magnetic tape, disk, or compact disk media. Transmissions over...networks are all included." This indicates that transmissions across internal networks would constitute a transmission for applicability purposes. So, anywhere networks are used the data would be subject to HIPAA security standards.

Also, under Section II, Provisions of this Proposed Rule, A. Applicability, it says "The security provisions of section 262 of HIPAA apply to any health plan, any health care clearinghouse, and any health care provider that electronically maintains or transmits any health information relating to an individual." This indicates electronically stored information is covered.

Considering the intention of the legislation, conventional wisdom suggests, and it would be prudent, that any health care data that is electronically stored should be protected according to the security standards.

Rick

Richard J. Telesca
ePractices Research
Giga Information Group
54 Lavender Lane
Rocky Hill, CT 06067
860.257.8527 (phone)

********** Message #4 **********
From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD
Date: Sun, 18 Jun 2000 21:42:11 EDT

We had a clarification on this issue by DHHS at the Security HIPAA Workgroup at the WEDI SNIP meetings last week. The Security HIPAA Regulation only applies to providers who transmit one or more of the standard transactions electronically.

The SNIP (Strategic National Implementation Process) meetings at WEDI began an industry led process (with several Federal and State government staff actively participating) to plan the HIPAA implementation, including timing, sharing of experiences, documenting best practices, and developing industry supported workarounds to the gaps when they are discovered. More providers need to participate if the provider perspective is going to be reflected in the roll out. At least 3 SNIP LISTSERVs will be launched by WEDI by July 1. Over 150 people began the process last week. Get involved if you want to learn from others and share your best practices. For more information, look at www.wedi.org.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
and Chair Elect, WEDI
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #5 **********
From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Transmitted vs. Stored
Date: Sun, 18 Jun 2000 21:49:49 EDT

With regard to best practice, you are correct. Most of us at the Security Workgroup at the WEDI SNIP thought that this was the case. The technical answer lies in the preamble of the HIPAA legislation. Participating in the WEDI SNIP is a great opportunity to share with colleagues and learn the DHHS and WEDI interpretation of these complex issues.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #6 **********
From: jeanace@hotmail.com
To: Rx2000HIPAA@rx2000.org
Subject: RE: ICF-DD
Date: Mon, 19 Jun 2000 14:03:59 PDT

No, not so.

----Original Message Follows----
From: Rx2000HIPAA@rx2000.org
Reply-To: Rx2000HIPAA@rx2000.org
To: Rx2000HIPAA@rx2000.org
Subject: RE: ICF-DD
Date: Thu, 15 Jun 2000 00:59:24 -0700

Right, but if you are a provider you are only a covered entity if you transmit in connection with a standard transaction, not so?

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, June 14, 2000 10:11 PM
To: Rx2000HIPAA@rx2000.org
Subject: Re: ICF-DD

The security regulation applies whether data are transmitted or only stored.

Steven S. Lazarus, PhD, FHIMSS
President
Boundary Information Group
4401 S. Quebec Street - Suite 100
Denver, CO 80237-2644
303-488-9911
sslazarus@aol.com

********** Message #7 **********
From: jeanace@hotmail.com
To: Rx2000HIPAA@rx2000.org
Subject: RE: Transmitted vs. Stored
Date: Mon, 19 Jun 2000 13:57:15 PDT

Exactly! Well said.

Jean Acevedo, CPC, LHRM
VP Product Management
Cybear, Inc.

----Original Message Follows----
From: Rx2000HIPAA@rx2000.org
Reply-To: Rx2000HIPAA@rx2000.org
To: Rx2000HIPAA@rx2000.org
Subject: RE: Transmitted vs. Stored
Date: Fri, 16 Jun 2000 13:59:34 -0400

I have to agree with Steve Lazarus on this one. The HIPAA security requirements apply to electronic health information whether or NOT the information has been transmitted electronically between covered entities. The following quotes from the Security NPRM dated August 12, 1998 support this position:

Federal Register/Volume 63, No 155, August 12, 1998, Pg 43245

II. Provisions of this Proposed Rule - 2nd paragraph, 2nd sentence

This rule would establish that health plans, health care clearinghouses, and health care providers must have the security standard in place to comply with the statutory requirement that health care information and individually identifiable health care information be protected to ensure privacy and confidentiality when health information is electronically stored, maintained, or transmitted.

A. Applicability - same page, next section

With the exception of the security provisions, section 262 of HIPAA applies to any health plan, any health care clearinghouse, and any health care provider that transmits any health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. The security provisions of section 262 of HIPAA apply to any health plan, any health clearinghouse, and any health care provider that electronically maintains or transmits any health information relating to an individual.

To me it's clear that if you maintain the individual health data in electronic form, HIPAA security provisions apply whether you ever do an EDI transaction or not! Even solo practitioners still running a 286 PC will have to comply.

Tom Sadauskas, FHFMA, CHE, CPA
HIPAA Compliance Program
Logicon, A Northrop Grumman Company
Voice - 703-575-0119 (NEW)
Fax - 703-575-0215 (NEW)
thomas.sadauskas@tma.osd.mil

********** Message #8 **********
From: John_Poole@providentcompanies.com
To: rx2000HIPAA@rx2000.org
Subject: Accountability of Insurance Companies
Date: Wed, 21 Jun 2000 12:03:06 -0400

I have a question that I hope someone has an opinion on. I work for a large insurance company that, among other products, does a large disability insurance business. One of the key components in evaluating a disability claim is the claimant's medical information. Obviously this information is coming from a covered entity (e.g. Doctor, Hospital, etc). However, we are not obtaining this information in order to ".....carry out, assist with the performance of, or perform on behalf of, a function or activity..." for this covered entity. We are performing a service for the client of the covered entity.

My question is: are we considered a business partner by extension because our client is a client of the covered entity? Or is this addressed in the regulation and I have simply overlooked it (it seems that this situation would be covered in some fashion since it involves the transfer of information)?

Any opinions or facts would be greatly appreciated!

Thanks

John Poole
423-755-3316
John_Poole@Providentcompanies.com