Rx2000HIPAA Digest, Volume 9

#1 From: medimage@voicenet.com  Subject: Re: Vendor Compliance
#2 From: don.butler@rsacompanies.com  Subject: RE: Vendor Compliance
#3 From: Mary.Cooley@rsacompanies.com  Subject: RE: Vendor Compliance
#4 From: Mary.Cooley@rsacompanies.com  Subject: RE: Vendor Compliance
#5 From: RTelesca@gigaweb.com  Subject: RE: Vendor Compliance
#6 From: cioo@svch.com  Subject: Re: Vendor Compliance
#7 From: leslie.harpe@SGMC.ORG  Subject: JCAHO
#8 From: anichols@fast.net  Subject: Re: JCAHO

********** Message #1 **********
From: medimage@voicenet.com
To:
Subject: Re: Vendor Compliance
Date: Thu, 13 Apr 2000 10:45:55 -0400

The April 10, 2000 issue of "The Industry Standard" devotes many pages to Healthcare. For instance, pages 242-246 briefly touch on HIPAA from Healtheon/WebMD's perspective. Personally I think the coverage in this issue is in response to the beating KOOP, CareInsight, MedMgr, and Healtheon/WebMD took in the market following KOOP's "running out of money" announcement and the other announcement that Oxford and other big providers are developing a connectivity solution that would ultimately compete with Healtheon's vision.

dk

********** Message #2 **********
From: don.butler@rsacompanies.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Vendor Compliance
Date: Thu, 13 Apr 2000 06:51:20 -0600

Everyone should certainly be reviewing their internal and external relationships and agreements. It is never too soon to start this process. When the final regs come, which we have been told will not change drastically, you will be ahead of the game. The contractual piece will be a balancing act between the things that can apply globally to vendors/trading partners and those that need to be specific to an individual vendor/trading partner. Not a simple task.
Don Butler, RSA Companies
Project Manager
Strategic Solutions

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, April 12, 2000 10:29 AM
To: Rx2000HIPAA@rx2000.org
Subject: Re: Vendor Compliance

We have been on the receiving end of several RFIs from Blues plans and others. At this point, these solicitations tend to be focused on the general administrative aspects of privacy/security and standardized transactions. The word being used by both vendors (us) and those soliciting help is a 'gap analysis'.

********** Message #3 **********
From: Mary.Cooley@rsacompanies.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Vendor Compliance
Date: Thu, 13 Apr 2000 03:39:49 -0600

I have seen the definition of "business partner" from a legal group in Chicago. In the traditional software vendor role, in which the vendor provides software to a Payer/Provider client which is resident on the Payer/Provider premises and the processing takes place there, they would not be a business partner because the software vendor is not the recipient of Private Health Information (PHI).

You would need to be cautious to protect identifiable PHI if you were having a vendor troubleshoot a processing problem or if they were dealing with actual consumer data during installation. They would not have the need to know, and you cannot assume that they would not care if the PHI was identifiable, as you have in the past. Preparation of test data for use during installation will have to be done carefully. Masking the identifiable information before you have the vendor work with the data would probably be the best option, but could be a "choke point" to a process that needs to be quick and painless.
In the new paradigm of outsourcing the actual processing of Claims and Enrollment transactions, the software vendor could be a "business partner" and you would need to be very cognizant of that relationship when you write the contracts covering that relationship to specify acceptable processes and expectations for the protection of the PHI. In that case the software vendor would have a "need to know" and the Payer/Provider would be responsible for their actions since the Payer/Provider is the "covered entity". The software vendor probably does not fit the definition of a "clearing house", which would make them a "covered entity".

Mary Cooley
RSA Companies

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, April 12, 2000 7:55 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Vendor Compliance

Along the same line of thought, I ask the following questions:
Are healthcare software vendors "business partners" in the HIPAA definition?

Do they receive "protected health information" to perform a function for a "covered entity"?

The answers to those questions will greatly affect contractual language within RFPs and final contracts.
Opinions anyone?

David Tefft
Mount Carmel
Columbus, Ohio

> -----Original Message-----
> From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
> Sent: Tuesday, April 11, 2000 10:58 AM
> To: Rx2000HIPAA@rx2000.org
> Subject: Vendor Compliance
>
> As we obtain quotes and purchase new technologies, I would like to begin querying vendors re HIPAA compliance. Has anyone begun doing this? Is it somewhat premature given that the final rules are not out yet? Does anyone have specific wording that they would like to share related to addressing this issue with potential suppliers?
>
> Eileen Rose, RHIA, RN
> Information Security Manager
> Frederick Memorial Hospital
> Frederick, MD
> erose@fmh.org

********** Message #4 **********
From: Mary.Cooley@rsacompanies.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Vendor Compliance
Date: Thu, 13 Apr 2000 04:06:29 -0600

The DHHS said two weeks ago that there would be no "technical changes" to the ANSI Implementation Guides, so waiting until the rules become final to get a "feel" from the software vendors might not be necessary. I think the answer you get is as specific as the question you ask. If you ask generically, "Are you HIPAA compliant?", they will respond that they are assessing the impact etc. A better way to approach it might be to determine a short list of specific questions, similar to the Y2K list, to identify specific pain points to your organization and have all the software vendors address the same questions. For instance, you probably want to know how the vendor will protect PHI while it is moving through the Claims process on the internal network.

That process will give you a way to indicate your needs and assess the responses against each other. It will also give you a standard follow-up point with those vendors. The sooner you determine what those pain points are, based on your existing processes, the sooner the vendors can begin to design an approach that meets your needs rather than their needs.

Mary Cooley
RSA Companies

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Tuesday, April 11, 2000 2:21 PM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Vendor Compliance

We are advising hospitals in Iowa to hold off until final regulations are published.
Perry Meyer
Iowa Hospital Association

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
Sent: Tuesday, April 11, 2000 9:58 AM
To: Rx2000HIPAA@rx2000.org
Subject: Vendor Compliance

As we obtain quotes and purchase new technologies, I would like to begin querying vendors re HIPAA compliance. Has anyone begun doing this? Is it somewhat premature given that the final rules are not out yet? Does anyone have specific wording that they would like to share related to addressing this issue with potential suppliers?

Eileen Rose, RHIA, RN
Information Security Manager
Frederick Memorial Hospital
Frederick, MD
erose@fmh.org

********** Message #5 **********
From: RTelesca@gigaweb.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject: RE: Vendor Compliance
Date: Thu, 13 Apr 2000 07:08:26 -0400

In line with this comment I have a question. Are organizations performing risk/compliance assessments or "gap analysis" prior to inquiring about products? Typically, without such an assessment, organizations have often had difficulty articulating exactly what problem (or in this case area of compliance) they were trying to address. As a result, it was hard to determine what type of products were needed and what questions to ask. Failure to identify gaps and objectives prior to product evaluation invariably wasted a lot of time and effort.

Given that HCFA has indicated the transaction and security standards will change very little prior to final publication, I'd recommend that all affected organizations use the proposed standards as a benchmark to perform an assessment of their environments prior to exploring product options. Also, I'd add that such an assessment be conducted by, or at least reviewed by, a project group made up of a representative cross-section of the organization, not just IT.

Richard J. Telesca
ePractices Research
Giga Information Group
54 Lavender Lane
Rocky Hill, CT 06067
860.257.8527 (phone)

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, April 12, 2000 12:29 PM
To: Rx2000HIPAA@rx2000.org
Subject: Re: Vendor Compliance

We have been on the receiving end of several RFIs from Blues plans and others. At this point, these solicitations tend to be focused on the general administrative aspects of privacy/security and standardized transactions. The word being used by both vendors (us) and those soliciting help is a 'gap analysis'.

********** Message #6 **********
From: cioo@svch.com
To:
Subject: Re: Vendor Compliance
Date: Mon, 17 Apr 2000 14:48:25 -0700

It would seem less than feasible to try and protect or mask PHI every time a vendor performs either maintenance on a system or upgrades/updates their product. As is the case with our electronic billing vendor, the process would not be quick and painless. I think it would be better in the long run to pursue the contract agreement that HIPAA suggests between the Entity and the Business Partner. As with any human process, mistakes are made and oversights happen. I would think the contract would be an insurance policy that places responsibility and due diligence on the part of the vendor in case these oversights do occur.

Jim Holmes
CIO/IS Manager
Sierra Vista Regional Health Center
Sierra Vista, AZ
(520) 417-3047
cioo@svch.com

----- Original Message -----
From: Rx2000HIPAA@rx2000.org
To: Rx2000HIPAA@rx2000.org
Sent: Thursday, April 13, 2000 2:39 AM
Subject: RE: Vendor Compliance

I have seen the definition of "business partner" from a legal group in Chicago. In the traditional software vendor role, in which the vendor provides software to a Payer/Provider client which is resident on the Payer/Provider premises and the processing takes place there, they would not be a business partner because the software vendor is not the recipient of Private Health Information (PHI).

You would need to be cautious to protect identifiable PHI if you were having a vendor troubleshoot a processing problem or if they were dealing with actual consumer data during installation. They would not have the need to know, and you cannot assume that they would not care if the PHI was identifiable, as you have in the past. Preparation of test data for use during installation will have to be done carefully. Masking the identifiable information before you have the vendor work with the data would probably be the best option, but could be a "choke point" to a process that needs to be quick and painless.

In the new paradigm of outsourcing the actual processing of Claims and Enrollment transactions, the software vendor could be a "business partner" and you would need to be very cognizant of that relationship when you write the contracts covering that relationship to specify acceptable processes and expectations for the protection of the PHI. In that case the software vendor would have a "need to know" and the Payer/Provider would be responsible for their actions since the Payer/Provider is the "covered entity". The software vendor probably does not fit the definition of a "clearing house", which would make them a "covered entity".
Mary Cooley
RSA Companies

-----Original Message-----
From: Rx2000HIPAA@rx2000.org [mailto:Rx2000HIPAA@rx2000.org]
Sent: Wednesday, April 12, 2000 7:55 AM
To: Rx2000HIPAA@rx2000.org
Subject: RE: Vendor Compliance

Along the same line of thought, I ask the following questions:
Are healthcare software vendors "business partners" in the HIPAA definition?

Do they receive "protected health information" to perform a function for a "covered entity"?

The answers to those questions will greatly affect contractual language within RFPs and final contracts.
Opinions anyone?

David Tefft
Mount Carmel
Columbus, Ohio

> -----Original Message-----
> From: Rx2000HIPAA@rx2000.org [SMTP:Rx2000HIPAA@rx2000.org]
> Sent: Tuesday, April 11, 2000 10:58 AM
> To: Rx2000HIPAA@rx2000.org
> Subject: Vendor Compliance
>
> As we obtain quotes and purchase new technologies, I would like to begin querying vendors re HIPAA compliance. Has anyone begun doing this? Is it somewhat premature given that the final rules are not out yet? Does anyone have specific wording that they would like to share related to addressing this issue with potential suppliers?
>
> Eileen Rose, RHIA, RN
> Information Security Manager
> Frederick Memorial Hospital
> Frederick, MD
> erose@fmh.org

********** Message #7 **********
From: leslie.harpe@SGMC.ORG
To: Rx2000HIPAA@rx2000.org
Subject: JCAHO
Date: Thu, 20 Apr 2000 14:24:10 -0400

Last year the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) announced that it intends to look at the strength of security systems in protecting health information as part of its accreditation process.

For those of you that have had a visit from JCAHO this year, what were their questions regarding security? What are they expecting to see hospitals doing at this time?

Thank you for your comments,
Leslie Harpe

********** Message #8 **********
From: anichols@fast.net
To: Rx2000HIPAA@rx2000.org
Subject: Re: JCAHO
Date: Thu, 20 Apr 2000 17:38:19 -0400

Leslie,

In January we completed a mock survey. The survey was performed by three individuals who perform surveys for JCAHO. Two of the security areas they looked at were

1) who has access to what
2) system displays in line-of-sight of visitors, etc.

Hope this helps.

Al Nichols
Sacred Heart Healthcare System Inc.
Allentown, PA 18102

Rx2000HIPAA@rx2000.org wrote:

> Last year the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) announced that it intends to look at the strength of security systems in protecting health information as part of its accreditation process.
>
> For those of you that have had a visit from JCAHO this year, what were their questions regarding security? What are they expecting to see hospitals doing at this time?
>
> Thank you for your comments,
> Leslie Harpe
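Message #3 suggests masking identifiable information before a vendor works with the data, and Message #6 objects that doing so before every maintenance visit is a choke point. One way to keep the masking step cheap and repeatable is a small script run over the extract before each handoff. The block below is an added example for this digest; it is not code from the list, from RSA Companies, or from any organization named above. The field names, the three sample claims, the masking policy (drop, replace, keyed pseudonym, coarsen) and the key are all assumptions. It goes one step beyond the message's suggestion: identifiers are replaced with keyed pseudonyms rather than blanked, so records belonging to the same member or subscriber still line up and the vendor's installation test still exercises the claims flow.

```python
"""Mask direct identifiers in a batch of claim records before handing them
to a vendor for installation or troubleshooting. Added example; field
names, sample records and policy are assumptions, not from the list above."""
import hashlib
import hmac
import json

# Masking policy (assumed). A vendor troubleshooting the claims flow does
# not need these fields; claim amounts, codes and dates of service stay.
DROP_FIELDS = ("ssn", "phone")                     # removed outright
REPLACE_FIELDS = ("first_name", "last_name")       # replaced with a fixed token
PSEUDONYM_FIELDS = ("member_id", "subscriber_id")  # keyed pseudonym, join-safe

# Constructed sample data; no real patients. Claims 1 and 2 are the same
# member; claim 3 is a dependent on the same subscriber.
SAMPLE_CLAIMS = [
    {"claim_id": "C-2000-0001", "member_id": "M100234", "subscriber_id": "M100234",
     "first_name": "Alice", "last_name": "Example", "ssn": "123-45-6789",
     "dob": "1961-03-14", "zip": "06067", "phone": "860-555-0100",
     "service_date": "2000-04-03", "proc_code": "99213", "amount": 85.00},
    {"claim_id": "C-2000-0002", "member_id": "M100234", "subscriber_id": "M100234",
     "first_name": "Alice", "last_name": "Example", "ssn": "123-45-6789",
     "dob": "1961-03-14", "zip": "06067", "phone": "860-555-0100",
     "service_date": "2000-04-10", "proc_code": "80053", "amount": 42.50},
    {"claim_id": "C-2000-0003", "member_id": "M100987", "subscriber_id": "M100234",
     "first_name": "Bob", "last_name": "Example", "ssn": "987-65-4321",
     "dob": "1994-07-22", "zip": "21701", "phone": "301-555-0199",
     "service_date": "2000-04-11", "proc_code": "99214", "amount": 120.00},
]

# Key stays with the covered entity; it is never shipped with the test data.
MASKING_KEY = b"constructed-demo-key-rotate-per-handoff"


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Deterministic keyed replacement for an identifier (HMAC-SHA256,
    truncated). Same value + same key -> same output, so records that
    referred to one member still join; without the key the original
    value cannot be recovered from the output."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "P" + digest[:length].upper()


def mask_record(rec: dict, key: bytes) -> dict:
    out = {}
    for field, value in rec.items():
        if field in DROP_FIELDS:
            continue
        if field in REPLACE_FIELDS:
            out[field] = "REDACTED"
        elif field in PSEUDONYM_FIELDS:
            out[field] = pseudonym(str(value), key)
        elif field == "dob":
            out[field] = value[:4]            # YYYY-MM-DD -> year only
        elif field == "zip":
            out[field] = value[:3] + "00"     # 5-digit ZIP -> 3-digit prefix
        else:
            out[field] = value                # operational fields pass through
    return out


def mask_batch(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def leaked_identifiers(original: list, masked: list) -> list:
    """Post-check before release: no original direct identifier (or full
    date of birth) may appear anywhere in the serialized masked batch."""
    sensitive = set()
    for rec in original:
        for field in DROP_FIELDS + REPLACE_FIELDS + PSEUDONYM_FIELDS + ("dob",):
            if field in rec:
                sensitive.add(str(rec[field]))
    blob = json.dumps(masked)
    return sorted(v for v in sensitive if v in blob)


def demo():
    masked = mask_batch(SAMPLE_CLAIMS, MASKING_KEY)
    return masked, leaked_identifiers(SAMPLE_CLAIMS, masked)


if __name__ == "__main__":
    masked_batch, leaks = demo()
    print(json.dumps(masked_batch, indent=1))
    print("leaked identifiers:", leaks)
```

The release check in `leaked_identifiers` is what keeps the step from being a "choke point": the extract is produced and verified by the same script, so the person handing it over does not have to eyeball it. The year-only and three-digit-ZIP coarsening is illustrative masking for vendor test data, not a formal de-identification determination; an organization that needs the data to qualify as de-identified would apply its own rule set (and rotate the pseudonym key per handoff, as the comment notes, so extracts given to different vendors cannot be joined to each other).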