To those interested:

While the presentation I made includes a bullet as stated to emphasize the point made during the presentation, the dialog went on to explain the difference between the open internet, use of the internet as a private network when the appropriate security is used, and how confusing this all is to the lay person.  The dialog continued to say that Medicare does allow their contractors to offer the use of the internet protocols (not 'open internet') but there are some steps (e.g. 128-bit encryption) to follow before transactions containing PHI can be sent over the internet.  These steps assure the secured transmission while using internet protocols, and are specified by CMS for Medicare.

 

The point is that telecommunication exchange of HIPAA transactions is not specified by the regulation and industry interpretation of 'over the internet' is inconsistent.

 

We would all benefit from some consistency here, even if only to understand the terms, our options of 'over the internet', when to secure, how to tell, and perhaps specific design issues/solutions.  I applaud the efforts regarding telecommunications - past and in progress.  I think this could be a 'sleeper' issue when considering the full suite of HIPAA transactions and workload/workflow transitioning from today's telecommunication networks that are based on direct connections between payer-provider to browser-based connections.

 

 

-----Original Message-----
From: Rishel,Wes [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 4:04 PM
To: 'WEDi/SNIP ID & Routing'
Subject: RE: Medicare says 'no' to using the open internet

 

Rachel, you probably know more about this than I, but here is what I have heard:

a) the policy you cite exists, but

b) program directives from CMS tell Medicare contractors to follow a different approach ...

c) contractors accept transactions over a CMS-built private IP-network that providers connect to by dialing into a modem bank which uses PPP.

Going beyond what I have heard into speculation: Thus providers get to (maybe are required to) use IP-based protocols, but various security concerns are alleviated because the CMS IP network is not actually interconnected with the Internet. Among the requirements that would be removed would be the HIPAA requirement for encryption.

(Hopefully, this note will be close or will stimulate someone telling us what the real situation is.)

 

-----Original Message-----
From: Rachel Foerster [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 12:34 PM
To: 'WEDi/SNIP ID & Routing'
Subject: RE: Medicare says 'no' to using the open internet

Wes, et al,

I would agree that the need to be able to specify a variety of transport methods and protocols goes beyond just what CMS requires....but it's incorrect to presume that CMS prohibits the use of the Internet. See my other post with CMS' current Internet policies.

Rachel

 

-----Original Message-----
From: Rishel,Wes [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 2:18 PM
To: WEDi/SNIP ID & Routing
Subject: RE: Medicare says 'no' to using the open internet

Since many payers will follow the CMS lead, the need is broader than only for Medicare.

 

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 03, 2002 11:39 AM
To: WEDi/SNIP ID & Routing
Subject: Medicare says 'no' to using the open internet

I came across Christine Stahlecker's presentation entitled "Telecommunication and HIPAA: Issues, Concerns, Recommendations," given at the HIPAA SUMMIT WEST II on March 13 in San Francisco, at http://www.ehcca.com/presentations/HIPAAWest2/stahlecker.ppt.  In there, she gives some "buzz" to our modest little work effort. Clearly, Chris shares our vision of Open-EDI and frictionless trading using the Internet, while still accommodating the important role of Clearinghouses in supporting providers and payers.

Unfortunately, from what I can gather from one of Chris' bullets, a fly in the ointment is Medicare's (CMS) refusal to entertain use of the Internet for the exchange of standard EDI transactions because of real or perceived security concerns.  Unless and until CMS changes its mind and authorizes the use of the Internet to exchange HIPAA transactions with Medicare contractors, we might have to provide some capability in our Delivery Channel ("EDI Address") to accommodate dial-up or leased line protocols -  regardless of what I said in "Should we even waste time defining Delivery Channels (EDI Addresses) to accommodate non-IP protocols?" last Tuesday.

Does anyone have any inside insight on CMS' resistance to using the Internet for the exchange of standard transactions?

William J. Kammerer
Novannet, LLC.
+1 (614) 487-0320
