This is a cross post from HIPAA Alert. I do not normally cross post but felt that there are many on EDI-L that could use this information and become part of the HIPAA discussion on "HIPAAlive". This is a U.S. Legislative Issue in the Healthcare Health Insurance sectors.

Jonathan Showalter
Omaha NE

------------------( Forwarded letter 1 follows )---------------------

Date: Tue, 19 Sep 2000 17:55:59 -0400
To: HIPAAlert.Newsletter[hipaalert]@lists.hipaalert.com
From: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: [hipaalert] HIPAALERT Volume 1, No. 10

=================================================================
H I P A A L E R T
Volume 1 No. 10
September 19, 2000
>> From Phoenix Health Systems -- HIPAA Knowledge...HIPAA Solutions <<
=================================================================

HIPAAlert is published monthly in support of the healthcare industry's efforts to stay on top of issues related to HIPAA security and privacy. Current subscribers total over 7000. Do you have interested associates? They can subscribe free at: http://HIPAAlert.com

IF YOU LIKE HIPAALERT, YOU'LL LOVE HIPAAdvisory.com, the most comprehensive HIPAA resource site on the web. Visit: http://www.HIPAAdvisory.com

=================================================================
T H I S  I S S U E

1. From the Editors: Fall Brings New HIPAAfeatures!
2. HIPAAliteracy: When the Going Gets Tough
3. HIPAAnews: New HIPAA Cost Estimates, Update on Privacy Rule, & more
4. HIPAAdvisor: Transactions and Code Sets
5. HIPAAlinks: Off-the-Beaten-Track to Privacy and Security

=================================================================
1 / F R O M  T H E  E D I T O R S:

This Fall the HIPAAlert / HIPAAdvisory.com staff will begin serving up two exciting new service features:

FIRST, our regular quarterly HIPAA survey will go online and interactive!
Beginning with this month's HIPAA Progress Survey, you will be able to quickly complete a database-driven interactive questionnaire with no FAX muss or E-mail fuss. The Survey will be online at HIPAAdvisory.com, beginning this Thursday, September 21.

Based on your recommendations, we've extensively customized the questionnaire. All participants will be asked to complete some broad, basic questions. In addition, depending on whether you represent a payor, provider, vendor or a clearinghouse, you will be asked to answer several questions specific to your role in healthcare. The survey should take about 5 minutes to complete. Once again, your participation will be invaluable in tracking the healthcare industry's efforts towards HIPAA compliance.

Deadline for completion of the Fall survey is Friday, October 6. Results will be published in our mid-October issue of HIPAAlert. Once the new survey is online, we'll send you a quick reminder to participate, along with directions.

SECOND, our staff is putting the final touches on our new "HIPAAnotes," a unique E-mail HIPAA knowledge tool that will be published weekly, beginning in October. The free "HIPAAnotes" will be a quick E-mail page of 2 or 3 concise knowledge bytes culled from the megabytes of HIPAA information we've developed at HIPAAdvisory.com.

Achieving internal HIPAAwareness continues to be a challenge for most healthcare enterprises. Designed to be conveniently passed on to anyone with a HIPAA "need to know," HIPAAnotes will help compliance staffs regularly and painlessly keep their associates aware of HIPAA and its implications. Stay tuned for more on HIPAAnotes!
Diane Boettcher, Editor [EMAIL PROTECTED]
D'Arcy Guerin Gue, Publisher [EMAIL PROTECTED]

=================================================================
2 / H I P A A l i t e r a c y...When the Going Gets Tough

In HIPAAlert's last industry survey, no one was surprised that over 50% of healthcare executives had little if any knowledge of HIPAA or its implications. And 75% of provider respondents said that HIPAA hadn't yet hit their managers' radar screens. With the recent announcement of HIPAA's first final rule, our Fall quarterly survey may show that more provider leaders have begun to tune in. Nevertheless, continuing reader comments (and often, complaints) suggest that a surprisingly staunch cadre of "HIPAA-illiterates" remains alive and well.

At Phoenix, we've had to address this reality with several clients, and chances are you have too, within your own organization. As a result, we and many of you have developed -- sometimes just stumbled upon -- effective tactics that address this stubborn knowledge gap. Here are some of the best:

1. THE HIPAA CHAMPION

> Find and cultivate an internal champion, preferably on the Executive team, preferably well-liked and respected, who is NOT in Information Systems or Compliance. Send him or her to some variation of "HIPAA school". Then, make sure your HIPAA compliance leader enlists the champion's consistent, visible support of the organization's HIPAA awareness efforts.

2. THE FORMAL HIPAA PRESENTATION

> Preferably earlier rather than later, every healthcare enterprise needs to call at least one formal, IN-HOUSE HIPAA education meeting with the entire executive and management team. Think of it from a "The first shot is probably your best shot" perspective. Invest serious time, talent, and if necessary, money in your planning and preparation, making sure that the content is customized to your organization's circumstances.
Sending staff outside to public, outside conferences is useful, but not a replacement for in-house initiatives. Consistent knowledge and management buy-in across your enterprise can only be developed from within.

> Make sure your initial executive and management presentations address HIPAA from the "CO" perspective. Think: bottom line, corporate strategic plans, ROI, priorities. Introduce positive implications (i.e., likely cost reductions in conducting transactions, increased systems and procedures standardization across the enterprise, etc.)

> Choose your designated speaker wisely. Don't let a "techie" or security buff lead early presentations, even if he or she is the only person in the organization who understands HIPAA. Your audience will probably not understand the "tech talk" -- and may assume a credibility-threatening bias. If no internal staffer can knowledgeably and effectively do the job, bring in an outside speaker. Many healthcare consulting firms and others offer free or low-cost HIPAA presentations. Insist up front that their talk won't be a 1-hour commercial for their services. (Instead, tell them they may include only one slide on their company, and offer 30 minutes one-on-one with you before the presentation.) Once the outside speaker conducts the HIPAA tutorial, it's time for you and your champion to take the podium to cover HIPAA's implications for your particular organization.

Incidentally, there's a lot of chaff shooting up next to the wheat in the HIPAA consulting field. You should require any would-be speaker to detail his or her HIPAA-related expertise. If in doubt, or if the firm is a security or MIS "expert" but has little experience in healthcare, ask for a personal pre-presentation -- or look elsewhere.

> Avoid letting a major HIPAA presentation become part of a larger meeting agenda. People tune out perceived "bad" news, particularly when invited to focus on other issues at the same time.
> Initial presentations should be between 60 and 90 minutes, plus time for final questions. Anything less won't begin to address the breadth and depth of the issues, and likely will leave participants confused, bored -- or worse, believing HIPAA is "no big deal" or "not our problem." Anything longer, for the first-time HIPAA audience, is probably too much to absorb.

> Apply doses of humor to sweeten the "bitter pill" HIPAA may be for members of your management. For example, we often distribute "HIPAApots" -- mugs with HIPAA and our HIPAAdvisory.com hippo logo splashed across them -- before our presentations. Then we ask participants to describe their own levels of HIPAA knowledge using their HIPAApots. Are they half full, overflowing, "too hot to touch," or ?? You name it, we've heard it -- even from our most staid attendees. The atmosphere lightens up, the speaker gathers intelligence about the audience's needs, and the biggest bonus: the participants receive permanent HIPAA reminders with their daily morning coffee.

> More tips for formal presentations: DO use slides with pass-outs, and take the time to include grabber graphics...Also, hold questions till the end, or you'll become derailed by challenges and objections. Finally, make sure the speaker is able to address questions that are sure to come: "Is HIPAA really real?" "How much is this going to cost?" "Who's going to do the work?" "Why not remain incompliant, and just pay the penalties?" "Can we wait until all the rules are final?"

3. THE ONLINE SOAPBOX

> If your organization has an intranet, use it. Set up a HIPAA page, and add news and tutorial items / links regularly. Make friends with the intranet's webmaster, so you can get top billing from the Main page. Incidentally, several HIPAAlert subscribers re-print part or all of each issue on their intranets; you're welcome to do the same, if you request permission and make appropriate attributions.
> E-mail, if you haven't noticed, is a great business communication medium. Send your executive team and managers brief -- repeat BRIEF -- e-mailings with HIPAA information and news summaries, linked to details at websites like WEDI, AFEHCT, JHITA, HIPAAdvisory.com and other content sites. (See URLS below.) And, beginning October, consider sending our weekly "HIPAAnotes" out as a regular reinforcement. (See From the Editors)

> Point your management group to authoritative sources it already respects. Most prominent industry associations and advisory groups, like AHA, HFMA, AHIMA, HIMSS, AMIA, AMA, JCAHO, HFMA, and CHIM have web-published statements and information on HIPAA. Pass them along.

4. INSIDIOUS MODES OF COMMUNICATION

> If your leadership thinks privacy and security aren't issues in your organization, convince it to authorize a formal security audit. Some expert information security technology firms will perform an enterprise audit for as little as $20 to $30 thousand. But beware: the likelihood that significant security and privacy vulnerabilities will be exposed is high. According to CACI, our security technology partner, it's usually able to present client CEOs with their personal information like salary and health data, uncovered as a routine part of its audit.

> Send your management team bad press. Kaiser Permanente recently made national news after inadvertently sending nearly 1000 patient E-mails, many with confidential medical data, to other patients. Dana-Farber Cancer Institute made headlines in August when an employee apparently stole personal records of 12,000 patients. When it comes to community and public relations, there's no news like bad news. Show your managers what can happen if significant new privacy and security measures, including HIPAA's standards, aren't implemented.

> If your leadership is drawing up E-health or E-commerce plans, find and connect the dots to HIPAA and other potential security and privacy vulnerabilities.
Internet users are becoming increasingly sensitized to potential threats to privacy, particularly in health and financial matters. Your organization will want to secure its major investments in Internet initiatives and reinforce the confidence of E-health users by demonstrating enthusiasm for HIPAA's objectives.

> Determine how many donation dollars have come from patients who were solicited by your organization. If alternate strategies aren't created in response to HIPAA's privacy requirements, how many future donations will be lost? Communicate this to your board and senior staff -- and expect a reaction.

> Keep your management on top of industry HIPAA survey results that show what organizations like yours are doing (and not doing). Several organizations have published eye-opening nation-wide polls and likely will continue to. (Expect HIPAAlert's Fall Survey results in October.) Passing on the results may help fuel a new sense of urgency among your associates.

> Finally, as we at HIPAAlert like to say, make HIPAA awareness ALMOST fun! ...Schedule HIPAAbreaks...offer your own HIPAApot...publish a HIPAAmaze or HIPAAcrossword that intranet users can complete for a prize...start a HIPAAthletics tournament. The point is build on HIPAAwareness...and they will come.

D'Arcy Guerin Gue
Publisher, HIPAAlert

URLS for above-named organizations:
http://www.wedi.org/
http://www.afehct.org/
http://www.jhita.org/
http://www.aha.org/
http://www.hfma.org/
http://www.ahima.org/
http://www.himss.org/
http://www.amia.org/
http://www.jcaho.org/
http://www.chim.org/

=================================================================
3 / H I P A A n e w s

*** Industry Analyst Issues Wake-up Call on HIPAA Costs ***

HIPAA implementation "could cost as much as three to four times that spent on technological upgrades associated with Y2K," according to a report released September 15th by the international rating agency Fitch.
"Health care providers who fail to accurately assess and budget for the significant requirements associated with HIPAA will place themselves at risk for possible financial peril," said Fitch analyst Rebecca C. Lageman. "This is a wake-up call. Health care organizations need to prepare for HIPAA regulations now, especially those that already find themselves in financial or technological disarray."

The Fitch report asserts that the severity of the financial and operational impact will be directly related to the level of disparity between that organization's current information technology, security, and communications system and those required by HIPAA. Health care systems will need to modify existing systems or purchase new IT systems, hire and retrain staff, and make significant changes to current processes. Lageman noted that while the federal estimate of HIPAA compliance costs is $5.8 billion, Fitch anticipates "an amount in excess of $25 billion."

Fitch believes that health care organizations that begin preparing for HIPAA regulations now will be in a better financial and organizational position to comply with the rules as they are finalized. Those that wait until the final rules are announced will have significant time constraints for compliance.

For a copy of "HIPAA: Wake-Up Call for Health Care Providers," visit http://www.fitchratings.com

*** Gore Emphasizes Protecting Medical Privacy ***

Vice President Al Gore unveiled his plan this week for protecting medical privacy. He has pledged to make it illegal to sell personal medical records for profit. In a Los Angeles rally Gore said, "You have a fundamental right to privacy, and no powerful interest should be allowed to sell it off or take it away." According to Gore, private medical records have been misused by "insurance companies, drug companies, employers and others to discriminate against patients or to market information."
Gore said that the federal regulations that are scheduled to be released this fall (HIPAA) stop short. His plan extends coverage to paper records and to "employers, life insurance companies, health insurance companies and others." Gore said he would fight to ensure that private medical information was not released without patients' written consent, and would offer legal recourse for individuals harmed by unauthorized release of their records. He would also extend protections for genetic information and work to outlaw genetic discrimination.

*** Final Privacy Rule Predicted to be Tougher ***

The New York Times recently reported that the Clinton administration has decided "to beef up protections for the privacy of medical records" beyond what it proposed last year. The additions may include extending protection to many paper records. Also, while the proposed rule requires notifying patients of privacy policies, the final rule is likely to require patients to acknowledge receipt of such notices. The new standards may also allow doctors to seek the patient's consent prior to releasing information.

The new rules would introduce "comprehensive federal standards requiring doctors, hospitals, pharmacists and insurance companies to limit the disclosure of medical information" about patients. The rules will not have to be approved by Congress.

The Times also reported that the final Privacy rule will be issued before the November presidential elections. Quoting Chris Jennings, the White House's health policy coordinator, the article said that President Clinton is "committed to issuing the rules on medical privacy by late summer or early fall."

*** AHA Announces Secure, Private National Network for Hospitals ***

The American Hospital Association (AHA) and Darwin Networks have announced that they will work together to offer hospitals and health care-related customers access to a secure, reliable, high-speed data communication network.
The announcement claims that by using this network instead of the Internet, hospitals and their affiliated organizations will be able to quickly and securely exchange large digital images (MRI, CT, X-ray, etc.), transfer electronic medical records, conduct videoconferences and consultations, and manage administrative data such as billing, claims, payroll and accounts receivable. The private nature of this network is also intended to help hospitals address HIPAA's patient data security requirements.

"We understand the pressures that hospitals are under - given the Balanced Budget Act and the upcoming implications of HIPAA - so we found a scalable solution that works in health care organizations large and small. Importantly, this service does not require a large up-front capital investment," said Tony Burke, president and CEO of AHA Financial Solutions, Inc., the AHA subsidiary that conducted the due diligence in AHA's search for a network connectivity partner.

*** Survey Shows Americans Overwhelmingly Want Privacy Online ***

American Internet users emphatically want an assumption of privacy when they go online, according to national survey results published in August by the Pew Internet & American Life Project. Out of 2,117 Americans, 1,017 of whom are Internet users, 86% favor "opt in" policies that would require Internet companies to seek permission from users before they disclose personal information. Yet 56% do not know that Web sites often identify users and track their web activities by placing computer code called "cookies" on their computers.

The telephone survey was conducted by the Washington D.C. based Pew Research Center as part of its mission to explore the Internet's impact on health care, the family and other segments of society. Survey results further showed that users want executives to be held personally responsible for violations of their companies' privacy policies. Americans aren't unwilling to give out their personal information, however.
64% of them have either disclosed such information in return for content they like, or are willing to do so. Maintaining control seemed to be an overriding concern.

To review complete survey results, go to: http://www.pewinternet.org/reports/toc.asp?Report=19

=================================================================
4 / H I P A A d v i s o r : Legal Q/A with Steve Fox, J.D.

*** IMPLICATIONS OF FINAL TRANSACTIONS AND CODE SETS RULE ***
---------------------------

QUESTION: The final rule setting forth the standards for electronic transactions has been published. Now what?

ANSWER: In the interest of increasing efficiency and reducing costs associated with the electronic transfer of information, and as mandated by HIPAA, the Department of Health and Human Services (DHHS) has designated national standardized formats for use during certain electronic health care transactions. These standards are applicable to the following health care transactions:

(1) health care claims or equivalent encounter information,
(2) health care payment and remittance advice,
(3) coordination of benefits,
(4) health care claim status,
(5) enrollment and disenrollment in a health plan,
(6) eligibility for a health plan,
(7) health plan premium payments, and
(8) referral certification and authorization.

Standards for electronic transactions relating to the first report of injury and health claims attachments, also required by HIPAA, as well as any other transactions that DHHS may prescribe, will be established by DHHS separately.

The electronic transaction standards are applicable to health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form in connection with one of the transactions referenced above. These "covered entities" may use a "business associate" (a newly defined term), including a health care clearinghouse, to conduct a transaction covered under this rule.
"Business associate" means a person who performs a regulated function or activity on behalf of a covered entity, and may itself be a covered entity. However, covered entities must require their business associates to comply with HIPAA's transaction standards and require any of the business associates' agents or subcontractors to comply with the standards as well.

The standardized formats were developed in conjunction with the development of HIPAA's proposed privacy regulation. DHHS anticipates that compliance with the final privacy regulation will be required at approximately the same time as the compliance date for the electronic transaction standards (for most covered entities, October 16, 2002). However, if the privacy standards are substantially delayed, or if Congress does not pass comprehensive and effective privacy legislation that supersedes HIPAA's privacy standards, DHHS may suspend the application of the electronic transaction standards or withdraw this rule altogether.

The two-year implementation period presents covered entities with the perfect opportunity to audit their internal business processes at a macro level with the mandated transaction solutions in mind and to identify opportunities to create synergy across the enterprise resulting in additional cost savings and increased efficiency. Accordingly, organizations should begin conducting internal audits to determine which of these transactions are currently supported electronically and the ratio of electronic to non-electronic transactions. If the ratio is relatively low, or transition to the mandated standards is deemed too costly, it may be more cost effective to outsource the entire function to a business associate. In the alternative, an organization may find that supporting these transactions internally not only allows the streamlining of other related functions, but can also be easily achieved with the assistance of a current technology vendor.
Therefore, this is a good time to establish, re-establish, or strengthen relationships with current and potential business partners and to evaluate overall HIPAA compliance planning.

This article was co-authored by Rachel H. Wilson, an associate at Ober/Kaler.

Steve Fox, J.D. is Chairman of the Information Systems and E-Commerce Practice Group of Ober/Kaler, a nationally recognized law firm in Baltimore. Steve is a frequent speaker on healthcare information management issues. http://www.ober.com

Disclaimer: This information is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

==================================================================
5 / H I P A A l i n k s : PRIVACY AND SECURITY

Check out these excellent, off-the-beaten-track Internet resources on information privacy and security:

PRIVACY

http://www.truste.org/
TRUSTe, an independent, non-profit privacy initiative, has developed a third-party oversight "seal" program. Model Privacy statements and a Web site coordinator's guide are available, as well as a privacy statement "wizard" to help create a web site privacy policy.

http://www.healthprivacy.org/
The Health Privacy Project is a part of the Institute for Health Care Research and Policy at Georgetown University. It initiated and staffs the Consumer Coalition for Health Privacy which monitors related regulatory developments. Available are a set of "best principles" for health privacy and a comprehensive report on state privacy laws.

http://www.epic.org/privacy/tools.html
The Electronic Privacy Information Center (EPIC), a public interest research center, provides links to "practical" privacy tools. Mainly for the user.

http://www.eff.org/
The Electronic Frontier Foundation, a non-profit, non-partisan organization, has the latest news in privacy and related legislation.
SECURITY

http://www.w3.org/Security/
The World Wide Web Consortium's resource for web security. Explanations of the different security protocols are offered, with links to cryptography resources.

http://www.alw.nih.gov/Security/
National Institute of Health's security resource, with links to programs, FAQs, magazines and advisories.

http://csrc.ncsl.nist.gov/
Information about a variety of computer security issues, products, and research. This site is operated and maintained by NIST's Computer Security Division.

http://www.issa-intl.org/
The Information Systems Security Association has virus information, tools, advisories, awareness resources, system patches, continuity planning, etc.

http://www.sans.org/
The SANS (System Administration, Networking, and Security) Institute, a cooperative research and education organization, has the latest news on computer security, articles, mailing lists, skills certification, and other general resources.

LEGISLATION

http://thomas.loc.gov/
Keep up on this session's privacy/security-related congressional initiatives. Federal legislative information searchable by keyword, with bill text and status available.

==================================================================
BRING YOUR HIPAA QUESTIONS AND IDEAS TO LIFE AT...H I P A A l i v e!

Join nearly 1700 other thinkers, planners, learners and lurkers who are already members of our sister e-mail discussion list. We almost make HIPAA fun! Almost. Subscribe now at: http://www.hipaalive.com

COMMENTS? Email us at mailto:[EMAIL PROTECTED]
SUBSCRIBE? Visit http://hipaalert.com
ARCHIVES: http://www.hipaadvisory.com/alert/newsarchives.htm

==================================================================
Copyright 2000, Phoenix Health Systems, Inc. All Rights Reserved. Reprint by permission only.
http://www.phoenixhealth.com
==================================================================

=============================
FORWARD this posting to interested associates, who may subscribe free to HIPAAlert by visiting: <http://hipaalert.com>

SUBSCRIBE ALSO to HIPAAlert's "sister" discussion list, "HIPAAlive" -- an interactive e-mail forum enabling members from across the health industry to share questions, answers, information and support on HIPAA compliance issues. For more information or to subscribe to HIPAAlive, click on: <http://www.hipaadvisory.com/live/index.htm>

You are currently subscribed to hipaalert as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
=============================

=======================================================================
To signoff the EDI-L list, mailto:[EMAIL PROTECTED]
To subscribe, mailto:[EMAIL PROTECTED]
To contact the list owner: mailto:[EMAIL PROTECTED]
Archives at http://www.mail-archive.com/edi-l%40listserv.ucop.edu/
