All -- Just wanted to make a few important points of clarification in this important discussion.

1) Those who are pointing out that this is not like Y2K are right. It is magnitudes more complex. However, most of the implementation details of the HIPAA standards (emphasis on MOST), are truly standard. The many "interpretations" that have been discussed actually apply to a relatively few items. It would be fairly easy to identify those problem areas -- and, in fact, this is the point of the WEDI SNIP issues database. Other than these exceptions, the implementation guides ARE the definition of compliance for the industry.

2) The point of the WEDI SNIP white paper on the topic of certification is not getting a "sign for the wall" or even making sure that everything is perfect in one's implementation. The point is to take advantage of the standardization of HIPAA in order to reduce the amount of point-to-point testing necessary with each entity's trading partners, and to ensure that "readier" trading partners don't end up debugging the systems of those who are not as far along. Fact is, if everyone uses third party testing/certification, then the amount of difficulty -- and time spent -- in getting trading partners exchanging transactions successfully is greatly reduced. It doesn't always eliminate the end user testing, but allows the focus to be on real issues between trading partners, rather than items that can be resolved outside of that exchange.

3) Credibility in third party testers and certifiers is crucial. Today, this can only be obtained through real-world experience, since we don't have a 'certifier of certifiers'. Since the HIPAA clock is continuing to tick, time is of the essence if the industry is to benefit from third party testing or certification solutions.

Hope this helps,

Larry Watkins
Vice President & COO
Claredi Corporation
Office: (801) 444-0339 x204
Fax: (770) 419-5295
Mobile: (770) 331-1898
e-Mail: [EMAIL PROTECTED]

-----Original Message-----
From: Ramakrishna Pidaparti [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 02, 2002 8:37 AM
To: [EMAIL PROTECTED]
Cc: David W. Loewy; [EMAIL PROTECTED]; [EMAIL PROTECTED]; 'Meyer, Perry'; [EMAIL PROTECTED]
Subject: RE: Certifications and Y2K vs.HIPAA

Sanjiv wrote:
> To cut a long story short, Y 2K had logic problems of only one element.
> My data base shows me that for 837 Institutional there are :
> 34 Loops, 168 Segments and 1129 Elements.
> Our model of the IG Rules has 593 Rules some of them quite complex.

The above is exactly why the comparison of HIPAA compliance with Y2K is not very relevant. No matter how many places the date field was hiding, it was/is still one field. Not the case with HIPAA EDI loops, segments, elements...

The other significant point being... Y2K was a hard date. It arrived midnight 1999, Dec 31st. If you are not ready, sorry, too late. HIPAA compliance deadline can be a moving target. It already moved by one year once and for a good reason. And if most aren't ready because of the final rules not being ready (with addenda and the next versions coming out due to all the requests for changes)... it can move again... again for a good reason. Whether it will move again is irrelevant but that it is not a hard date like Y2K is.

The other even more significant part is Y2K did not have code-sets, privacy and security problems! Even if you consider transactions being one set of the problem... as opposed to a one field problem for Y2K.

Given all this I am not sure if anybody can be or should be comfortable with being certified by a testing services vendor's certificate hanging on their wall. While certificate hanging on the wall can be a feel good thing, transactions bombing will most certainly not be... like sitting on that boiler plate...

The most significant point about certification is that it is NOT mandated... except for security... not for transactions, code sets or privacy. HIPAA is a good faith effort of all in the Health care community communicating in one common language one day and penalties for not complying will be far less if one can show their good faith efforts at becoming compliant.

The reason I say this is that people (organisations which they work for) should focus on the good faith effort and more testing than (and not certificates from anybody on the wall) worrying about penalties for non compliance. It will be a while before that will kick in...

Of course this is my understanding and NOT a recommendation to anybody. Please don't follow it as Rama's word ;-) cause you will pay dearly!

Regards,
Rama.

--
---- Sanjeev N Kulkarni <[EMAIL PROTECTED]> wrote:
>
> Kepa & David,
> David has hit the nail on the head. Considerable amount of debate is going on in this thread on one time certification, data edits, production transactions et al. Let me add my bit on a slightly different track:
> I was the Principal for Certification of a process control plant for Y 2 K Compliance. Initially the plant was not compliant and we did "lose the plant" when we simulated the Y 2K transition. It was made compliant (after a big hole in the pocket of this client) and our team "certified" that the plant was Ok after lot of simulations, testing and scenario building.
> In my final meeting with the CEO of this PTFE plant the CEO looked at me with lot of doubts in his eyes. He was positively not impressed with our certificate and said that he would really believe in the certificate if I were ready to sit on top of the boiler on that fateful day !
> To cut a long story short, Y 2K had logic problems of only one element.
> My data base shows me that for 837 Institutional there are :
> 34 Loops, 168 Segments and 1129 Elements.
> Our model of the IG Rules has 593 Rules some of them quite complex.
> Test Sequences have to be written, formal acceptance criteria have to be specified, test plans made, data edits have to be reconciled and at the end of the day, transactions have to go right through in production so that the provider is reimbursed for the service rendered.
> I would hate to sit on top of the HIPAA Boiler and Certify that a System is spewing out HIPAA Transactions and its partner is accepting HIPAA Transactions faultlessly based on looking at few EDI files being passed through correctly. All the money in the world would not convince me to certify unless they are verifiable and repeatable.
> Sanjeev N. Kulkarni
> Chief Technical Officer
> Advent Software Ltd.
> [EMAIL PROTECTED]
>
> "David W. Loewy" wrote:
> Kepa,
>
> I believe that part of the issues, as pointed out previously, is that of credibility. Unfortunately, our industry and more importantly the perception of our industry, is one of discord and confusion. Certainly, within the HIPAA community, and specifically within the provider segment, it is so. I think that's why there is only a 3% response to the extension filing. I don't believe that most providers are (although with their training they should) able to ask the right questions, they perceive this to be, primarily, an IT problem and Bobs Computer Emporium has always taken care of the IT problem for them, so why shouldn't they be able to "certify" the solutions.
>
> Best practices, in other industries are not certifiable solutions, but they are certainly a significant within litigation. There are models that are adaptable from other industries for this. On a high level, look at the best practices within the accounting profession. Of course specific practices and content are different, but nevertheless there are defined best practices. I believe, outside of the transaction/code set piece, and even somewhat within that umbrella, beyond attempting to comply with the regs, what providers are truly doing is building a defense to litigation. Through the entire compliance process, without documentation of the logic and thought process behind decision making, providers are leaving themselves open to potentially disastrous implications.
>
> I was involved with much of the Y2K remediation for the Nuclear Power Providers and worked as a liaison between them and the NRC. While HIPAA is vastly different in many respects, I believe many of the lessons learned are directly applicable. As important, if not more important, wasn't the specific solution, but the process which was used to define the solution. In other words, when Y2K failures became litigious, the court looked at the logic that was built into the solution. When the NRC appeared on-site for an audit, they were more interested in seeing that a specific item was touched and handled and the process behind it. Specifically, they would ask to see processes that were in place to deal with a specific system walk-down and asked for the documentation to validate that an audit trail was in place and that we could articulate the thinking behind the process.
>
> It is my contention that this directly applies to HIPAA, and the unfortunate litigious world we live in. HIPAA is and will be setting de facto standards for Privacy and Security, whether we like it or not. HIPAA compliance in my opinion will become another factor in any litigation, not just from the Feds.
>
> All that said, it is important that whatever is considered "certified" come from a credible source. Bobs computer emporium, may have credible staff, and may have all of the best intentions but isn't a driving force and bottom line doesn't add much to litigation defense!
>
> David W. Loewy, PhD
> President
> Health Providers Practice Management, LLC.
> Publishers of The HIPAA Survival Kit for Providers
> 617.739.6665 (voice)
> 601.415.0007 (mobile)
>
> Board Member of
>
> www.hipaacertification.org
> NOTE: The information contained in this message is intended only for use by the individual or entity to which it is addressed. This message may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this information is strictly prohibited. If you have received this communication in error, please notify us immediately and delete the original message.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 31, 2002 4:52 AM
> To: [EMAIL PROTECTED]; David W. Loewy; 'Meyer, Perry'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: Certifications
>
> Kepa, I totally agree with you on the one point - the claim of certification should be publicly disclosed, and be credible. For example, a training product that is commercially provided and certified by a State University seems credible to me at this stage in our market's evolution - one where the vendor went to Bob's Consulting Company for a certification I would be very cautious about. The same is going to hold true for products, processes, and services. That is the reason why conformance standards will separate the hype from reality - but it will take some time to get there - just as it has taken time for implementation guidelines. We all know that this will be an ongoing process without end.
>
> As far as transactions goes, I'm not going to comment as I am not an EDI specialist.
>
> As far as the CISSP certification goes, or any other security standard being the equivalent to HIPAA certified, that's totally unrealistic - unless the final security reg says exactly that, which I doubt it will. I do hope that the final reg will go as far as the BS7799 (rather than the watered down ISO version), married with some of the language built into the FDA 21cfr11, and other HCFA, DoD, and other Federal standards in place.
>
> Tim McGuinness, Ph.D.
> President,
> HIPAA Help Now Inc.
> [EMAIL PROTECTED]
> www.hipaahelpnow.com
>
> Executive Co-Chairman for Privacy,
> HIPAA Conformance Certification Organization (HCCO)
> www.hipaacertification.org
>
> __________________________________________________________________
> Tim McGuinness, Ph.D. - Instant Access
> Phone: 727-787-3901 Cell: 305-753-4149 Fax: 240-525-1149
> Instant Messengers: ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] - Yahoo IM timmcguinness - AOL IM: mcguinnesstim
> __________________________________________________________________
>
> ===========================================================================
>
> IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.
>
> -----Original Message-----
> From: Kepa Zubeldia [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 31, 2002 1:39 AM
> To: David W. Loewy; [EMAIL PROTECTED]; 'Meyer, Perry'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Certifications
>
> David, Tim,
>
> Before you keep going too far on that line, there is a significant difference between "certifying" an entity or a product to "be" HIPAA compliant (personally I don't see how this would happen) and certifying that a specific set of transactions is in compliance with the HIPAA transaction implementation guides.
>
> To verify whether a transaction is in compliance with the HIPAA Implementation Guide is a process that is totally deterministic and objective, and can be verified and validated by a number of third parties. In any case, the process must be disclosed and verifiable by third parties and by the relying parties. An entity relying on the certification of a transaction as being compliant should be able to know what was the exact content of the transaction that was certified.
>
> And the certification of a transaction as compliant does not automatically extend to the software that generated the transaction in a generic mode. While you can say that the software is capable of generating HIPAA compliant transaction(s), you cannot say that all the transactions generated by that software will always be compliant. However, if the sample size is sufficiently large and representative of the business of the provider or payer that generates these transactions, then you could establish a level of confidence that future transactions will also be compliant. But, again, this does not extend to the software or the entity in a generic way. For instance, the fact that you can generate compliant office visits does not mean much when you need to generate DME claims.
>
> For this reason it is important that the certification of transactions as compliant be well documented and publicly disclosed.
>
> So, let's qualify the statements. When organizations claim to "be" HIPAA Certified, or to offer "certified" training, or to have certified HIPAA transactions they should try to "prove it". I bet they will not be able to prove they "are" compliant, or that their software or training is certified, but we can prove their TRANSACTIONS are or are not compliant.
>
> The testing and certification of TRANSACTIONS for HIPAA compliance is documented in the SNIP white paper on that topic. There is a new version that has been approved for publication (version 3.0) that should be posted in the web site in the next few days. Please understand that it does not address certification of entities, software, systems or training programs, only certification of transactions.
>
> Kepa Zubeldia
> Claredi
>
> PS: cross posting of messages like this is spam.
>
> On Friday 30 August 2002 11:19 am, David W. Loewy wrote:
> > From: "David W. Loewy"
> > To: "'Meyer, Perry'"
> >
> > I agree as well, I am constantly amazed when I see organizations referring to being either HIPAA Certified or offering HIPAA Certification!! And there are more than a handful I've seen recently!
> >
> > David W. Loewy
> > President
> > Health Providers Practice Management, LLC.
> > Publishers of The HIPAA Survival Kit for Providers
> > 617.739.6665 (voice)
> > 601.415.0007 (mobile)
> >
> > www.hipaacertification.org
> > NOTE: The information contained in this message is intended only for use by the individual or entity to which it is addressed. This message may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this information is strictly prohibited. If you have received this communication in error, please notify us immediately and delete the original message.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 30, 2002 12:58 PM
> > To: Meyer, Perry; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Certifications
> >
> > Perry, your point is very valid!
> >
> > As stated by the agencies, it isn't the role of the government to "Certify" a product, service, or process relating to HIPAA. Certifications by their nature require a process of accreditation, credentialing, and ideally broad support. I have no knowledge of what the vendor in question bases their "certification" on, and without full disclosure of that basis I view its claim as suspect, however there is at least one validly certified training/education product in the market - certified/credentialed by a State University System.
> >
> > However, this specific problem has resulted in the creation of a separate body to address this issue of developing HIPAA conformance certification standards. This activity is complementary to the work of the other HIPAA bodies, and recognizing the urgency of this for covered entities and industry alike, has begun and hopes to publish a significant body of work rapidly.
> >
> > This also raises another important point - full disclosure. Some on this listserv express offense at participants including their company names in their replies and messages. Personally, I want to know who it is that is expressing their opinions and who they represent, and in what capacity. I appreciate a weblink also, making it easy to view their context. Without this disclosure, we do not have the ability to properly weight their credentials or perspective in these issues. Each of us needs to be able to evaluate each posted statement and not simply take everything said as fact or legal opinion - this one included. So I would encourage all to be candid in their signatures for these reasons and recognize the difference between spam commercialism and simple honest disclosure.
> >
> > Tim McGuinness, Ph.D.
> > President,
> > HIPAA Help Now Inc.
> > [EMAIL PROTECTED]
> > www.hipaahelpnow.com
> >
> > Executive Co-Chairman for Privacy,
> > HIPAA Conformance Certification Organization (HCCO)
> > www.hipaacertification.org
> >
> > -----Original Message-----
> > From: Meyer, Perry [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 27, 2002 8:24 AM
> > To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE: WEDI SNIP Forum to be Rescheduled!!!
> >
> > Just curious, but does CMS or OCR recognize "certified" HIPAA training? I see no mention of this in the regs. I think we need to be very careful in promoting something as "certified" when it comes to HIPAA.
> >
> > Perry Meyer
> > Senior Vice President
> > Iowa Hospital Association
>
> To be removed from this listserv, please email [EMAIL PROTECTED]
>
> The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
