Del, I think the first most important test to determine whether this constitutes DDE under HIPAA is to ask who's using it? That is, if it is health care providers who are accessing eligibility and claims status information, then it falls under the DDE exception as set forth in

  § 162.923 Requirements for covered entities.
  (b) Exception for direct data entry transactions. A health care provider electing to use direct data entry offered by a health plan to conduct a transaction for which a standard has been adopted under this part must use the applicable data content and data condition requirements of the standard when conducting the transaction. The health care provider is not required to use the format requirements of the standard.

Key points:
1. a health care provider uses the system
2. the system is offered by a health plan

If this doesn't pass this test, then it's my opinion that it's not DDE as defined by HIPAA.

Additionally, the Department of Justice has not weighed in on anything yet regarding enforcement/compliance with HIPAA.

Rachel Foerster
Principal
Rachel Foerster & Associates, Ltd.
39432 North Avenue
Beach Park, IL 60099
Voice: 847-872-8070
Fax: 847-872-6860
eMail: [EMAIL PROTECTED] <mailto:rachel@;rfa-edi.com>
http://www.rfa-edi.com

-----Original Message-----
From: Del Texley [mailto:dtexley@;lipa.net]
Sent: Thursday, October 17, 2002 12:03 PM
To: [EMAIL PROTECTED]
Subject: State Online system

Our state has an online system to look at eligibility and claims/encounter data. It's just a mainframe/telnet session via dialup, leased line or internet. At a meeting yesterday we were given information about some minor changes to the system and of course it was asked what would be replacing it for HIPAA compliance. Imagine our surprise when the state informed us the system would continue in its current form indefinitely. When quizzed about HIPAA issues we were told the Dept. of Justice had determined that the system was "not DDE" because "no claims data was input via the system" and was not performing HIPAA transactions because "no files were being transferred" and was therefore exempt from HIPAA.

The stand of the contractors in the meeting was that regardless of whether the system was or wasn't DDE (which it is), the system was transmitting PHI in an electronic format and therefore was required to adhere to privacy requirements, such as encryption of the data.

I'm gathering information to send to the contact person as part of a request to revisit the classification of this system. Anybody have some suggestions on documentation sources or comments on the situation?

Thanks

Del Texley
LIPA Information Systems
(541) 484 6430

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
