Dr. McGuinness: I agree with your last comments about marrying the language of 21 CFR Part 11 into the final reg of HIPAA Privacy and Security. Even though disclosure of PHI needs training of the personnel using it when it is needed...

In the latest version of the WEDI SNIP white paper, care has been taken to sort of define Certification as third party assessment, since at this stage of the evolution there is nobody to certify a certifier. We (those of us who participated in it, names not important but I am one of them) also recommended the formation of a consortium of the testing services which I am sure will include vendors supplying the translators or similar software (which will have compliance checking modules) or services (for transactions) to agree with one another so that the same set of transactions pass the compliance checks with all of them. This can take time but is needed as it is not of much use if a transaction is compliant with one vendor's software but not with others'.

Like Dr. Kepa said, certifying that a transaction is compliant is possible. Likewise certifying that a certain training is certified falls into accreditation like any other certified training. I think the person who posted that their organisation offers 'Certified' training still needs to tell us what that means... even if that amounts to blatant advertisement... Basically accreditation from a certification point of view is the problem in the current HIPAA world. It will evolve, I am sure, down the road.

I think regulatory aspects tend to get bogged down in certification and audits while other technical areas could evolve to good levels of competence and confidence without needing them. HIPAA is a strange beast, where EDI will probably evolve like ATM or other technologies but codesets, privacy and security will still need certification and audits...

Regards,
Rama.

-- ---- <[EMAIL PROTECTED]> wrote:
> Kepa, I totally agree with you on the one point - the claim of certification should be publicly disclosed, and be credible.
> For example, a training product that is commercially provided and certified by a State University seems credible to me at this stage in our market's evolution - one where the vendor went to Bob's Consulting Company for a certification I would be very cautious about. The same is going to hold true for products, processes, and services. That is the reason why conformance standards will separate the hype from reality - but it will take some time to get there - just as it has taken time for implementation guidelines. We all know that this will be an ongoing process without end.
>
> As far as transactions go, I'm not going to comment as I am not an EDI specialist.
>
> As far as the CISSP certification goes, or any other security standard being the equivalent to HIPAA certified, that's totally unrealistic - unless the final security reg says exactly that, which I doubt it will. I do hope that the final reg will go as far as the BS7799 (rather than the watered down ISO version), married with some of the language built into the FDA 21cfr11, and other HCFA, DoD, and other Federal standards in place.
>
> Tim McGuinness, Ph.D.
> President,
> HIPAA Help Now Inc.
> [EMAIL PROTECTED]
> www.hipaahelpnow.com <http://www.hipaahelpnow.com/>
>
> Executive Co-Chairman for Privacy,
> HIPAA Conformance Certification Organization (HCCO)
> www.hipaacertification.org <http://www.hipaacertification.org/>
>
> Tim McGuinness, Ph.D. - Instant Access
> Phone: 727-787-3901 Cell: 305-753-4149 Fax: 240-525-1149
> Instant Messengers: ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] - Yahoo IM timmcguinness - AOL IM: mcguinnesstim
>
> -----Original Message-----
> From: Kepa Zubeldia [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 31, 2002 1:39 AM
> To: David W. Loewy; [EMAIL PROTECTED]; 'Meyer, Perry'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Certifications
>
> David, Tim,
>
> Before you keep going too far on that line, there is a significant difference between "certifying" an entity or a product to "be" HIPAA compliant (personally I don't see how this would happen) and certifying that a specific set of transactions is in compliance with the HIPAA transaction implementation guides.
>
> To verify whether a transaction is in compliance with the HIPAA Implementation Guide is a process that is totally deterministic and objective, and can be verified and validated by a number of third parties. In any case, the process must be disclosed and verifiable by third parties and by the relying parties. An entity relying on the certification of a transaction as being compliant should be able to know what was the exact content of the transaction that was certified.
>
> And the certification of a transaction as compliant does not automatically extend to the software that generated the transaction in a generic mode. While you can say that the software is capable of generating HIPAA compliant transaction(s), you cannot say that all the transactions generated by that software will always be compliant. However, if the sample size is sufficiently large and representative of the business of the provider or payer that generates these transactions, then you could establish a level of confidence that future transactions will also be compliant. But, again, this does not extend to the software or the entity in a generic way. For instance, the fact that you can generate compliant office visits does not mean much when you need to generate DME claims.
>
> For this reason it is important that the certification of transactions as compliant be well documented and publicly disclosed.
>
> So, let's qualify the statements. When organizations claim to "be" HIPAA Certified, or to offer "certified" training, or to have certified HIPAA transactions they should try to "prove it". I bet they will not be able to prove they "are" compliant, or that their software or training is certified, but we can prove their TRANSACTIONS are or are not compliant.
>
> The testing and certification of TRANSACTIONS for HIPAA compliance is documented in the SNIP white paper on that topic. There is a new version that has been approved for publication (version 3.0) that should be posted in the web site in the next few days. Please understand that it does not address certification of entities, software, systems or training programs, only certification of transactions.
>
> Kepa Zubeldia
> Claredi
>
> PS: cross posting of messages like this is spam.
>
> On Friday 30 August 2002 11:19 am, David W. Loewy wrote:
> From: "David W. Loewy" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>, "'Meyer, Perry'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>
> > I agree as well, I am constantly amazed when I see organizations referring to being either HIPAA Certified or offering HIPAA Certification!! And there are more than a handful I've seen recently!
> >
> > David W. Loewy
> > President
> > Health Providers Practice Management, LLC.
> > Publishers of The HIPAA Survival Kit for Providers
> > 617.739.6665 (voice)
> > 601.415.0007 (mobile)
> >
> > www.hipaacertification.org <http://www.hipaacertification.org/>
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 30, 2002 12:58 PM
> > To: Meyer, Perry; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Certifications
> >
> > Perry, your point is very valid!
> >
> > As stated by the agencies, it isn't the role of the government to "Certify" a product, service, or process relating to HIPAA.
> > Certifications by their nature require a process of accreditation, credentialing, and ideally broad support. I have no knowledge of what the vendor in question bases their "certification" on, and without full disclosure of that basis I view its claim as suspect, however there is at least one validly certified training/education product in the market - certified/credentialed by a State University System.
> >
> > However, this specific problem has resulted in the creation of a separate body to address this issue of developing HIPAA conformance certification standards. This activity is complementary to the work of the other HIPAA bodies, and recognizing the urgency of this for covered entities and industry alike, has begun and hopes to publish a significant body of work rapidly.
> >
> > This also raises another important point - full disclosure. Some on this listserv express offense at participants including their company names in their replies and messages. Personally, I want to know who it is that is expressing their opinions and who they represent, and in what capacity. I appreciate a weblink also, making it easy to view their context. Without this disclosure, we do not have the ability to properly weight their credentials or perspective in these issues. Each of us needs to be able to evaluate each posted statement and not simply take everything said as fact or legal opinion - this one included. So I would encourage all to be candid in their signatures for these reasons and recognize the difference between spam commercialism and simple honest disclosure.
> >
> > Tim McGuinness, Ph.D.
> > President,
> > HIPAA Help Now Inc.
> > [EMAIL PROTECTED]
> > www.hipaahelpnow.com
> >
> > Executive Co-Chairman for Privacy,
> > HIPAA Conformance Certification Organization (HCCO)
> > www.hipaacertification.org
> >
> > -----Original Message-----
> > From: Meyer, Perry [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 27, 2002 8:24 AM
> > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE: WEDI SNIP Forum to be Rescheduled!!!
> >
> > Just curious, but does CMS or OCR recognize "certified" HIPAA training? I see no mention of this in the regs. I think we need to be very careful in promoting something as "certified" when it comes to HIPAA.
> >
> > Perry Meyer
> > Senior Vice President
> > Iowa Hospital Association
> >
> > To be removed from this listserv, please email [EMAIL PROTECTED]
> The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
