
Kepa, 

I believe that part of the issues, as pointed out previously, is that of
credibility.  Unfortunately, our industry and more importantly the
perception of our industry, is one of discord and confusion.  Certainly,
within the HIPAA community, and specifically within the provider
segment, it is so.  I think that's why there is only a 3% response to
the extension filing.  I don't believe that most providers are
(although with their training they should) able to ask the right
questions, they perceive this to be, primarily, an IT problem and Bob's
Computer Emporium has always taken care of the IT problem for them, so
why shouldn't they be able to "certify" the solutions.

Best practices, in other industries are not certifiable solutions, but
they are certainly a significant within litigation.  There are models
that are adaptable from other industries for this.  On a high level,
look at the best practices within the accounting profession.  Of course
specific practices and content are different, but nevertheless there
are defined best practices.  I believe, outside of the transaction/code
set piece, and even somewhat within that umbrella, beyond attempting to
comply with the regs, what providers are truly doing is building a
defense to litigation.  Through the entire compliance process, without
documentation of the logic and thought process behind decision making,
providers are leaving themselves open to potentially disastrous
implications.

I was involved with much of the Y2K remediation for the Nuclear Power
Providers and worked as a liaison between them and the NRC.  While HIPAA
is vastly different in many respects, I believe many of the lessons
learned are directly applicable.  As important, if not more important,
wasn't the specific solution, but the process which was used to define
the solution.  In other words, when Y2K failures became litigious, the
court looked at the logic that was built into the solution.  When the
NRC appeared on-site for an audit, they were more interested in seeing
that a specific item was touched and handled and the process behind it.
Specifically, they would ask to see processes that were in place to deal
with a specific system walk-down and asked for the documentation to
validate that an audit trail was in place and that we could articulate
the thinking behind the process.

It is my contention that this directly applies to HIPAA, and the
unfortunate litigious world we live in.  HIPAA is and will be setting
de facto standards for Privacy and Security, whether we like it or not.
HIPAA compliance in my opinion will become another factor in any
litigation, not just from the Feds.  

All that said, it is important that whatever is considered "certified"
come from a credible source.  Bob's Computer Emporium may have credible
staff, and may have all of the best intentions but isn't a driving force
and bottom line doesn't add much to litigation defense!

David W. Loewy, PhD
President
Health Providers Practice Management, LLC.
Publishers of The HIPAA Survival Kit for Providers
617.739.6665 (voice)
601.415.0007 (mobile)
 
     Board Member of
 <http://www.hipaacertification.org/> 
www.hipaacertification.org
NOTE: The information contained in this message is intended only for use
by the individual or entity to which it is addressed. This message may
contain information that is privileged, confidential, and exempt from
disclosure under applicable law. If you are not the intended recipient,
you are hereby notified that any dissemination, distribution, or copying
of this information strictly prohibited. If you have received this
communication in error, please notify us immediately and delete the
original message.

 


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, August 31, 2002 4:52 AM
To: [EMAIL PROTECTED]; David W. Loewy; 'Meyer, Perry';
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: Certifications


Kepa, I totally agree with you on the one point - the claim of
certification should be publicly disclosed, and be credible.  For
example, a training product that is commercially provided and certified
by a State University seems credible to me at this stage in our market's
evolution - one where the vendor went to Bob's Consulting Company for a
certification I would be very cautious about.  The same is going to hold
true for products, processes, and services.  That is the reason why
conformance standards will separate the hype from reality - but it will
take some time to get there - just as it has taken time for
implementation guidelines.  We all know that this will be an ongoing
process without end.

As far as transactions go, I'm not going to comment as I am not an EDI
specialist.

As far as the CISSP certification goes, or any other security standard
being the equivalent to HIPAA certified, that's totally unrealistic -
unless the final security reg says exactly that, which I doubt it will.
I do hope that the final reg will go as far as the BS7799 (rather than
the watered down ISO version), married with some of the language built
into the FDA 21cfr11, and other HCFA, DoD, and other Federal standards
in place.

Tim McGuinness, Ph.D.
President,
HIPAA Help Now Inc.
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.hipaahelpnow.com <http://www.hipaahelpnow.com/>

Executive Co-Chairman for Privacy,
HIPAA Conformance Certification Organization (HCCO)
www.hipaacertification.org <http://www.hipaacertification.org/>

__________________________________________________________________
Tim McGuinness, Ph.D. - Instant Access
Phone:   727-787-3901   Cell: 305-753-4149    Fax: 240-525-1149
Instant Messengers:  ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] -
Yahoo IM  timmcguinness - AOL IM:  mcguinnesstim
__________________________________________________________________


===========================================================================

IMPORTANT NOTICE: This communication, including any attachment, contains
information that may be confidential or privileged, and is intended
solely for the entity or individual to whom it is addressed. If you are
not the intended recipient, please notify the sender at once, and you
should delete this message and are hereby notified that any disclosure,
copying, or distribution of this message is strictly prohibited. Nothing
in this email, including any attachment, is intended to be a legally
binding signature.



-----Original Message-----
From: Kepa Zubeldia [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 31, 2002 1:39 AM
To: David W. Loewy; [EMAIL PROTECTED]; 'Meyer, Perry';
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Certifications


David, Tim,

Before you keep going too far on that line, there is a significant
difference between "certifying" an entity or a product to "be" HIPAA
compliant (personally I don't see how this would happen) and certifying
that a specific set of transactions is in compliance with the HIPAA
transaction implementation guides.

To verify whether a transaction is in compliance with the HIPAA
Implementation Guide is a process that is totally deterministic and
objective, and can be verified and validated by a number of third
parties.  In any case, the process must be disclosed and verifiable by
third parties and by the relying parties.  An entity relying on the
certification of a transaction as being compliant should be able to know
what was the exact content of the transaction that was certified.

And the certification of a transaction as compliant does not
automatically extend to the software that generated the transaction in a
generic mode. While you can say that the software is capable of
generating HIPAA compliant transaction(s), you cannot say that all the
transactions generated by that software will always be compliant.
However, if the sample size is sufficiently large and representative of
the business of the provider or payer that generates these transactions,
then you could establish a level of confidence that future transactions
will also be compliant.  But, again, this does not extend to the
software or the entity in a generic way.  For instance, the fact that
you can generate compliant office visits does not mean much when you
need to generate DME claims.

For this reason it is important that the certification of transactions
as compliant be well documented and publicly disclosed.

So, let's qualify the statements.  When organizations claim to "be" HIPAA
Certified, or to offer "certified" training, or to have certified HIPAA
transactions they should try to "prove it".  I bet they will not be able
to prove they "are" compliant, or that their software or training is
certified, but we can prove their TRANSACTIONS are or are not compliant.

The testing and certification of TRANSACTIONS for HIPAA compliance is
documented in the SNIP white paper on that topic.  There is a new
version that has been approved for publication (version 3.0) that should
be posted in the web site in the next few days.  Please understand that
it does not address certification of entities, software, systems or
training programs, only certification of transactions.

Kepa Zubeldia
Claredi

PS: cross posting of messages like this is spam.


On Friday 30 August 2002 11:19 am, David W. Loewy wrote:
From: "David W. Loewy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, "'Meyer, Perry'" <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>

> I agree as well, I am constantly amazed when I see organizations 
> referring to being either HIPAA Certified or offering HIPAA 
> Certification!!  And there are more than a handful I've seen recently!
>
>
> David W. Loewy
> President
> Health Providers Practice Management, LLC.
> Publishers of The HIPAA Survival Kit for Providers
> 617.739.6665 (voice)
> 601.415.0007 (mobile)
>
>
>  <http://www.hipaacertification.org/>
> www.hipaacertification.org
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 30, 2002 12:58 PM
> To: Meyer, Perry; [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Certifications
>
>
> Perry, your point is very valid!
>
> As stated by the agencies, it isn't the role of the government to
> "Certify" a product, service, or process relating to HIPAA.
> Certifications by their nature require a process of
> accreditation, credentialing, and ideally broad support.  I have no
> knowledge of what the vendor in question bases their "certification"
> on, and without full disclosure of that basis I view its claim as
> suspect, however there is at least one validly certified
> training/education product in the market - certified/credentialed by a
> State University System.
>
> However, this specific problem has resulted in the creation of a 
> separate body to address this issue of developing HIPAA conformance 
> certification standards.  This activity is complementary to the work 
> of the other HIPAA bodies, and recognizing the urgency of this for 
> covered entities and industry alike, has begun and hopes to publish a 
> significant body of work rapidly.
>
> This also raises another important point - full disclosure.  Some on
> this listserv express offense at participants including their company
> names in their replies and messages.  Personally, I want to know who
> it is that is expressing their opinions and who they represent, and in
> what capacity.  I appreciate a weblink also, making it easy to view
> their context.  Without this disclosure, we do not have the ability to
> properly weight their credentials or perspective in these issues.
> Each of us needs to be able to evaluate each posted statement and not
> simply take everything said as fact or legal opinion - this one
> included.  So I would encourage all to be candid in their signatures
> for these reasons and recognize the difference between spam
> commercialism and simple honest disclosure.
>
> Tim McGuinness, Ph.D.
> President,
> HIPAA Help Now Inc.
> [EMAIL PROTECTED]
> www.hipaahelpnow.com
>
> Executive Co-Chairman for Privacy,
> HIPAA Conformance Certification Organization (HCCO) 
> www.hipaacertification.org
>
>
>
>
> -----Original Message-----
> From: Meyer, Perry [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 27, 2002 8:24 AM
> To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]
> Subject: RE: WEDI SNIP Forum to be Rescheduled!!!
>
>
> Just curious, but does CMS or OCR recognize "certified" HIPAA
> training? I see no mention of this in the regs.  I think we need to be
> very careful in promoting something as "certified" when it comes to
> HIPAA.
>
> Perry Meyer
> Senior Vice President
> Iowa Hospital Association
>

To be removed from this listserv, please email [EMAIL PROTECTED]
The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP.  If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/. Posting of advertisements or other
commercial use of this listserv is specifically prohibited.


