Rx2000HIPAA Digest, Volume 8

#1 From: erose@fmh.org  Subject: Vendor Compliance
#2 From: meyerp@ihhs.org  Subject: RE: Vendor Compliance
#3 From: brider@jhmi.edu  Subject: Re: Vendor Compliance
#4 From: ConnieMyers@hertzlerclinic.com  Subject: RE: Vendor Compliance
#5 From: dtefft@mchs.com  Subject: RE: Vendor Compliance
#6 From: JLEIGH@CONNECTICARE.com  Subject: Information Security Officer
#7 From: Woodsp@towers.com  Subject: Re: Vendor Compliance
#8 From: Patricia.Carter@gpmlaw.com  Subject: RE: Vendor Compliance/Contracts

********** Message #1 **********
From: erose@fmh.org
To:
Subject: Vendor Compliance
Date: Tue, 11 Apr 2000 10:57:50 -0400

As we obtain quotes and purchase new technologies, I would like to begin querying vendors re HIPAA compliance. Has anyone begun doing this? Is it somewhat premature given that the final rules are not out yet? Does anyone have specific wording that they would like to share related to addressing this issue with potential suppliers?

Eileen Rose, RHIA, RN
Information Security Manager
Frederick Memorial Hospital
Frederick, MD
erose@fmh.org

********** Message #2 **********
From: meyerp@ihhs.org
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Vendor Compliance
Date: Tue, 11 Apr 2000 15:21:18 -0500

We are advising hospitals in Iowa to hold off until final regulations are published.

Perry Meyer
Iowa Hospital Association

********** Message #3 **********
From: brider@jhmi.edu
To: Rx2000HIPAA@rx2000.org
Subject: Re: Vendor Compliance
Date: Tue, 11 Apr 2000 16:26:01 -0400

I don't think it's premature to begin asking. The vendors need to be planning as much (if not more) than we do. I have been asking them if they are "HIPAA Compliant" to see what their response is. Their response gives me an idea of their level of understanding regarding HIPAA. If they respond 'Yes' then I ask them to explain how and in what areas. If they respond 'No' then I ask them to explain how they are planning on getting compliant. There are areas where we all have the potential to be compliant...even the vendors. If, for instance, a clearinghouse has been using the EDI transactions prescribed by HIPAA - then they are already compliant, IN THAT AREA. If a provider is already using the appropriate drug or diagnostic codes (whether coincidentally or not) then they are compliant IN THAT AREA. It's in the area of Privacy, Confidentiality and Chain of Trust where I see us all bogging down a little.

********** Message #4 **********
From: ConnieMyers@hertzlerclinic.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Vendor Compliance
Date: Tue, 11 Apr 2000 17:00:09 -0500

I would like to know as well. We are in the process now of looking at this.

Connie Myers
Business Service Manager
Hertzler Clinic, PA
Halstead, KS
conniemyers@hertzlerclinic.com

********** Message #5 **********
From: dtefft@mchs.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Vendor Compliance
Date: Wed, 12 Apr 2000 09:55:16 -0400

Along the same line of thought, I ask the following questions:

Are healthcare software vendors "business partners" in the HIPAA definition?

Do they receive "protected health information" to perform a function for a "covered entity"?

The answers to those questions will greatly affect contractual language within RFPs and final contracts.

Opinions anyone?

David Tefft
Mount Carmel
Columbus, Ohio

********** Message #6 **********
From: JLEIGH@CONNECTICARE.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: Information Security Officer
Date: Wed, 12 Apr 2000 10:55:15 -0400

Has anyone developed a job description or roles & responsibilities document for an Information Security Officer yet that you'd care to share?

Jeffrey W. Leigh
Dir. of Technology
ConnectiCare, Inc.
30 Batterson Park Rd.
Farmington, CT 06032
(860) 674-2221 (Voice)
(860) 678-5222 (Fax)
jleigh@connecticare.com (e-mail)
www.connecticare.com (web site)

********** Message #7 **********
From: Woodsp@towers.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: Vendor Compliance
Date: Wed, 12 Apr 2000 11:28:48 -0500

We have been on the receiving end of several RFIs from Blues plans and others. At this point, these solicitations tend to be focused on the general administrative aspects of privacy/security and standardized transactions. The word being used by both vendors (us) and those soliciting help is a 'gap analysis'.

********** Message #8 **********
From: Patricia.Carter@gpmlaw.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Vendor Compliance/Contracts
Date: Thu, 13 Apr 2000 10:05:28 -0500

Some thoughts on the vendor contract issues:

Standard Transactions
If a provider is licensing software that it will rely on to generate "standard transactions" under HIPAA, the provider may want to ask for a provision in the agreement wherein the vendor warrants that the software is HIPAA compliant with regard to transaction formats, code sets and unique identifiers, and will maintain the software so as to remain compliant as the regulations change (e.g., final regs adopted, a shift from ICD9 to ICD10 dx codes).

Security/Privacy
It's more difficult to draft a contract at this stage to address security and privacy issues. Because the requirements are "scalable and flexible," there will not be uniformity in what the vendor is asked for by its clients, so as to allow the client/covered entity to comply with the law. Also, at this stage, the provider is likely to be unsure of what its precise implementation strategy will be, so the provider may not have specific requirements yet. A standard "change of law" provision may not be sufficient in these circumstances. Case-by-case analysis will be required. What will the vendor provide as a standard upgrade and at what cost to the client? What security/privacy features would be considered custom for the client? Are there features that the vendor would never implement, even on a custom basis? Depending on the nature of the final regulations, renegotiation may be required before the end of the contract term. In anticipation of this possibility, care should be taken with the termination provisions of the agreement.

Access to PHI by Vendor
There is a separate issue with regard to "business partners" (privacy regs) or "chain of trust" partners (security regs), if the vendor will have access to protected information -- common in the process of installation, testing, upgrades and troubleshooting for the client. The standard confidentiality clause of the contract may be sufficient for now. IMHO, specific HIPAA requirements, especially third party beneficiary rights, should not be included at this stage -- this is a very controversial area and very subject to change in the final regs. More general wording - that the parties agree to amend the contract to comply with HIPAA, as and when appropriate - could be included.

The opinions stated are mine and mine alone, and not necessarily those of my employer. I am a lawyer, but whatever I said above was not legal advice.

Patricia I. Carter
Gray, Plant, Mooty, Mooty & Bennett
33 South Sixth Street
3400 City Center
Minneapolis, MN 55402-3796
(612) 343-2800
patricia.carter@gpmlaw.com