Theresa,

The authors of the regs used the term ‘reasonable’ very liberally.  It is unreasonable for a CE to try to do due diligence with potentially thousands of BA’s.  It is also a burden for the BA’s to have to spend time reacting to due diligence from thousands of potential CE’s.  The costs of due diligence would be catastrophic without adding any real value to the quality of healthcare.

 

Regards,

 

David Frenkel

Business Development

GEFEG USA

Global Leader in Ecommerce Tools

www.gefeg.com

425-260-5030

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 18, 2002 6:30 PM
To: WEDI SNIP Testing Subworkgroup List
Subject: Re: FW: Public Comment: NCQA Releases Draft Standards for Privacy Certificati...

 

In an interview conducted last week in advance of the release, Sharon King Donohue, NCQA general counsel and chief privacy officer, talked to me about the rationale behind the BA certification program.

Here's part of what she said: "...we thought this separate program would give covered entities some assurance that BAs were going through an external review, and that they have appropriate privacy protections in place. From the BA's perspective, they are often being asked to sign indemnity agreements and submit to due diligence and monitoring by covered entities, and this gives the BA some assurance that it is following good privacy practices and can help fulfill any due diligence or monitoring requirements imposed by covered entities."

"There is a lot of concern that even though the federal privacy rule says covered entities don't need to perform due diligence, a lot of enforcement for privacy and security is going to come at the state level and under common law. Many state privacy laws and common law do not support the concept that you can simply sign a BA contract and turn your head to the actions of your business associates. Most experts are advising that covered entities need to do more to avoid potential liability."

Theresa Defino
Editor
Practical Guidance on HIPAA and E-Health
For the Physician Practice
301-738-3721
[EMAIL PROTECTED]

In a message dated 12/18/2002 7:52:02 PM Eastern Standard Time, [EMAIL PROTECTED] writes:




Respected colleagues:

(I am not clear if this is a conversational thread on the topic and if it is
proper that I respond with comments here. If not, please let me know and
beg your indulgence.)

I am concerned how a provider discerns between what ClarEDI certification,
Mercator certified, ENHAC certified, Microsoft certified, NCQA
certification, JCAHO...etc... truly means? An uninformed provider can, does
and will pay a higher price for a "certified" system/covered entity.
Clearly, not the intent of HIPAA, but a true blue, time tested, economic
phenomenon. At some point, all the alphabet soup of certifications loses
significance to the very people it was intended to help make an informed
choice.

I think Privacy "certification" is unnecessary because a federal statute now
exists that holds culpable covered entities criminally for their actions.
Ergo, covered entities and vendors are accountable at the most fundamental
of levels, their businesses are at significant risk. I certainly don't want
to be the test case for enforcement.

In contrast, certification for security and transaction standards is
tangible in value to both the vendor and covered entity. They provide some
defined (debatable, I know) benchmark that the vendor/covered entity took
steps to bring their systems and practices in line with a "standard". They
go beyond policy and procedure. Security technology is deployed or it
isn't. Each certification holds each covered entity to having to meet a
minimum level. These standards have been evolving for years and are widely
adopted and accepted in other industries. The transactions are transmitted
in the standard format, or they are rejected. (I know that's simplistic)

I welcome an alternate point of view.

With best regards and warmest holiday blessings and wishes for all who read
this.

Chris Brancato
Compliance Officer
Director-Development/Product Management
Health Data Services
Suite 3a
503 Faulconer Drive
Charlottesville, VA 22903
434-817-9000


Original Message:
-----------------
From: Miriam Paramore [EMAIL PROTECTED]
Date: Wed, 18 Dec 2002 18:47:51 -0500
To: [EMAIL PROTECTED]
Subject: FW: Public Comment: NCQA Releases Draft Standards for Privacy
Certification Program For Business Associates


In a recent post during the discussion of certification, I mentioned this
program that NCQA is doing.  Notice they use the word "certification".  Even
though this is for Privacy, it shows that groups like WEDI are trying to set
the bar.

Best Regards,

Miriam J. Paramore
President & CEO
PCI: e-commerce for healthcare
9001 Shelbyville Road
iTRC Building
Louisville, KY 40222
502-429-8555
www.hipaasurvival.com


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-testing as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
