HIPAA Updates
Since OMI's inception, HIPAA has formed a large part of our practice. This section of our site contains articles concerning the various modifications made to HIPAA during the rulemaking process. Future articles will address ongoing compliance and enforcement.
After more than a year in delays, the much-discussed security rules were published in the February 20, 2003, Federal Register, and are effective 60 days hence. Most covered entities must comply within 24 months, by April 20, 2005. Small health plans will have 36 months from the effective date to achieve compliance. These longer compliance dates are a welcome change for covered entities and their business partners who are just now coming into compliance with the privacy rules.
In general, the new security rules are focused on ensuring the integrity, confidentiality, and availability of protected health information maintained by a covered entity. In contrast with the privacy rule, the security rule applies only to information that is maintained in electronic form. This final security rule does not include an electronic signature standard, which HHS says will be released at a later (and unspecified) date.
The final regulation pares down requirements and reorganizes them into more logical components.
As with the privacy rule, we can expect that HHS will periodically release clarifications to the rule in the form of updates. We do not expect any significant changes at this point.
Technology-neutral
In most cases the rules allow covered entities to determine what technology is best suited to secure the protected health information in their possession. The broad nature of the regulation, and HHS's decision not to endorse specific products or technologies, avoids favoring or harming a particular vendor or group of vendors and avoids requiring a high-cost technology where it is not needed. The trade-off is that covered entities and their business partners may have some difficulty identifying appropriate technologies and assessing their costs and implementation timeframes.
"Required" versus "Addressable"
The new rule includes two different types of implementation standards. To comply with the first standard ("required"), a covered entity must provide for the security of data exactly as specified in the rules.
The second standard ("addressable") is new; it allows organizations to choose alternative solutions to some of HIPAA's requirements, provided that the chosen alternative can be shown to satisfy the underlying requirement and fits the organization's assessed degree of risk. These addressable implementation features provide relief to small covered entities that clearly do not have the security issues seen in larger, more complex systems.
Reevaluation Required
In the final rule HHS formalizes the requirement that all covered entities continually evaluate their security preparations against new technologies that become available as well as new potential threats.
What Changed
Many of the changes to the final rule were to eliminate redundancies in the requirements, to provide greater clarification where the language appeared to require more than intended, and to eliminate some of the requirements that were of little use or impossible to implement at this time.
In summary, the major changes to the rules are:
- The new rule includes voice response and fax-back systems, but also clarifies a common misconception about faxing. Paper-to-paper faxes are not covered, but documents that are stored in an electronic form and then faxed are included in the definition of electronic data.
- HHS has eliminated the requirement that covered entities develop a formal mechanism for processing records.
- The requirement for system audits has been renamed "information system activity review" under security management. Audit is a mandatory implementation specification.
- The requirement for policies and procedures that document the termination process has been made an addressable implementation standard. Covered entities will have more flexibility in defining how this process will be implemented, according to their assessed degree of risk.
- The proposed "personnel security policy/procedure" and "record of access authorizations" implementation features have been removed from the final rule and replaced with an addressable requirement that is focused on the general policy for controlling access to information systems.
- Implementation specifications for testing and revision procedures and for an applications and data criticality analysis are now addressable.
- A contingency plan standard must be met, but the testing and revision implementation is now addressable.
- The requirement for a chain of trust between covered entities is removed and replaced with business associate language from the Privacy Rule.
- The security configuration management requirement has been eliminated.
- The requirement that organizations document a formal mechanism for processing records is not included in the final rule.
- The requirement that organizations formulate policies and procedures for the receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information is not included in the final rule.
- The requirements pertaining to physical safeguards, media controls, physical access controls, policies and guidelines on workstation use, and secure workstation locations have been adopted as addressable.
- Requirements for assigned security responsibility and security awareness training have been moved to § 164.308.
- Facility access controls are now addressable.
- Access Control has been changed to require only unique user identification and provision for emergency access procedures. Encryption and auto logoff are now addressable. Encryption of data and dial-up lines is not required. Encryption of E-mail with patients is not required.
- The final rule specifies that a business associate agreement must require a business associate to:
  - Implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity
  - Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards
  - Report to the covered entity any security incident of which it becomes aware
  - Make its policies and procedures, and documentation of those policies and procedures, available to HHS for purposes of determining the covered entity's compliance with the rules
  - Authorize termination of the contract by the covered entity if the covered entity determines that the business associate has violated a material term of the contract
- When a covered entity and its business associate are both governmental entities, an "other arrangement" is sufficient.
On Friday, Health and Human Services released the latest set of changes and clarifications to the Privacy Rule. The changes, which did not include a delay for implementation, will be published in the August 14th Federal Register.
The changes announced on Friday include the following changes and clarifications.
Marketing
Covered entities may not use protected health information for marketing purposes without written authorization. Exceptions are made for face-to-face encounters, or for "promotional gifts of nominal value." Covered entities are also prohibited from selling lists of patients or members to third parties for marketing activities, without obtaining patients' authorization. Most importantly, the rule clarifies HHS's position on covered entities' ability to communicate with patients about treatment options or health-related products and services.
Obtaining a Patient Consent for the Release of Protected Health Information
Covered entities must provide patients with a notice of privacy rights and practices, and must make a good faith effort to obtain patients' acknowledgment of the notice. Written consent for the release of protected information is optional for purposes of treatment, payment and health care operations. Covered entities are given the option of developing consent processes that fit their needs and requirements. Consent documents that have already been created remain in effect.
Disclosures to the Food And Drug Administration
Covered entities may, without consent, disclose protected health information to a person subject to the jurisdiction of the FDA for purposes related to the quality, safety or effectiveness of FDA-regulated products.
Incidental Use and Disclosure
Prior to this clarification there was a great deal of confusion: Would waiting room sign-in sheets be permissible? Could patient charts be kept at the patient's bedside? Would it be considered a violation of the rule if a conversation about a patient was overheard? Recognizing that incidental disclosures of protected health information may occur in the routine operations of a covered entity, the final rule clarifies that these disclosures are not to be considered violations, so long as the covered entity has met the requirements for reasonable safeguards and minimum necessary disclosure requirements.
Authorization
The new rule seeks to simplify the authorization requirements by eliminating separate authorization requirements for covered entities; however, patients must still grant the covered entity permission for any non-routine use or disclosure of protected health information.
Clarification for Minimum Necessary Rule
Under the new rules, disclosures made with the patient's authorization are exempted from the minimum necessary rule.
Parents and Minors
The final rule grants parents the right to control their children's protected health information, but also defers to state and local laws that are explicit in this matter. Furthermore, in cases where state or local law grants minor children the right to control their own health information, and does not address the rights of parents, the rule gives providers discretion to grant or deny access to parents, as long as they act within the parameters of the state or local law.
Business Associates
Covered entities, other than small health plans, are granted up to an additional year to bring existing contracts into compliance with business associate requirements.
Research
Researchers may use a single form to obtain informed consent for the research, and for the authorization to use or disclose protected health information. Certain modifications are also made to the process of obtaining an IRB or Privacy Board waiver, in order to streamline the process.
Limited Data Set
In order to facilitate certain uses of health care information for research and public health, the rule permits the creation of "limited data sets," stripped of individually identifiable information, for dissemination. Covered entities that wish to disclose limited data sets must create a data use agreement with the recipient of the data set, requiring the recipient to use it only for the intended purpose, to secure the data, and to refrain from using the data to identify the individuals to whom it pertains.
President Bush's proposed budget includes $64.1 million for HIPAA compliance programs. This is in addition to the $44 million allocated in December when the bill delaying Transaction Standards was passed. Funding has been an ongoing problem for HIPAA.
The proposed budget provides funding in four areas:
- $9.6 million for transaction standards compliance programs for CMS
- $10 million to support transaction standards testing for Medicare providers
- $10 million for HIPAA-related education and outreach programs
- $34.5 million for the development and implementation of healthcare provider and health plan identifiers
At this time the budget is only a proposal, which means that the money has not actually been appropriated and may be subject to change as the administration finishes its budget negotiations with Congress.
The ongoing lack of funding has caused many problems for covered entities who have been asking questions and getting few answers from the Office of Civil Rights, HHS’s compliance arm. One key question has been when the security rules, now in their final form, will be released. The lack of funding has also slowed the development and implementation of the national provider ID program. The proposed budget may solve some problems with HIPAA roll-out, but it may not come in time to help covered entities meet the next set of deadlines.
The proposed delay to HIPAA's Transaction Standard moved a step closer to reality as the House unanimously passed a bill that would change the compliance date to October 16, 2003. The bill specifically states that the delay in Transaction Standards will not affect the compliance date for Privacy, currently set for April 14, 2003. The House version of the bill will require covered entities (health plans, healthcare clearinghouses and provider organizations) who request a delay in compliance to submit a compliance plan and budget to HHS before they will be allowed an exemption. In addition, the House bill would require that all healthcare entities (with the exception of some small providers) submit claims electronically by October 16, 2003. This replaces the original $1 per claim fee that would have been imposed on organizations who submit paper claims.
Last week we reported that the Senate had unanimously passed a similar measure that did not include the requirement for a compliance plan and associated $1 paper claim fee. It was assumed at that time that the House and Senate versions of the bill would be consolidated in committee, but it is being reported today that the Senate plans to adopt the House bill as it currently stands. After Senate approval, the bill will be sent to Mr. Bush for signature.
The bill also provides $44M in funding for HHS to be used for HIPAA technical assistance, enforcement and funding for the provider identifier initiatives.
Impact on Healthcare Organizations
Once the bill is signed into law, covered entities requesting a delay in complying with the Transaction Standards would be required to submit a compliance plan to Health and Human Services by October 2002. This compliance plan must document the following elements:
- The extent to which the covered entity is not in compliance
- The reasons that compliance cannot be achieved by the original compliance date
- A budget, schedule, work plan and implementation strategy for achieving compliance by the October 16, 2003 date, and
- A decision on whether the covered entity will use a contractor or vendor.
Covered entities requesting a delay must agree to begin testing by April 16, 2003. Requests will be submitted to HHS in a format that HHS will make available by March 2002.
Organizations that are behind in their compliance projects may find that the benefits provided by a one-year delay are eliminated by the documentation required to secure an approved delay. Organizations must also realize that, after submitting the requested documentation, if the delay is not approved, they must still make the original compliance date. Failure to meet this date could mean exclusion from Medicare.
In a unanimous vote the Senate has passed a bill to delay implementation of HIPAA's Transaction Standards by one year. If passed by the House, the new compliance date for the Transaction Standards will be October 16, 2003.
The House is considering a different bill. The House bill would require covered entities requesting a delay to explain to the Department of Health and Human Services why a delay is needed and to provide a compliance plan and budget for achieving compliance. Once approved, the covered entity would receive a one-year extension. The House plan would also charge a $1 processing fee for submitting a paper claim to Medicare. This fee is expected to generate up to $44 million, which would then be available to HHS for HIPAA enforcement and technical assistance.
This will be welcome relief to organizations facing the implementation of a highly technical project in less than 14 months. Many covered entities have adopted a lackluster attitude toward HIPAA compliance, perhaps assuming that HHS is ill-funded for HIPAA enforcement programs or that resistance to the new regulations from industry trade associations might result in delay or repeal. Missing the compliance dates would have meant that non-compliant organizations could not have submitted claims and would have developed major cash flow problems. Some providers could even have been driven out of business.
The delay will give organizations a total of 26 months to become compliant with the transactions standards while also working towards compliance for the Privacy and possibly the Security rules. Unfortunately, the delay may have the opposite effect from what is intended, if covered entities take this as another sign that the government is not going to aggressively press the issue of HIPAA compliance. Already many covered entities have taken a wait-and-see attitude on HIPAA compliance based on the ongoing delays in publishing the final rules.
Pressures on healthcare organizations (HCOs) to decrease costs, increase efficiencies and develop strategic partnerships have resulted in the development of some unique information exchange policies and practices. Some of these longstanding policies and practices will be challenged by HIPAA and could have a significant impact on an organization's productivity.
HIPAA supports the exchange of information between provider organizations only for the purpose of treatment, payment or operations (abbreviated as TPO). HIPAA prohibits information exchange between HCOs when there are no TPO conditions present at the time of exchange.
Reference labs, imaging centers, and other organizations that operate as independent businesses ordinarily use ADT interfaces to receive all patient transactions from an HCO. These organizations usually discard information for patients who don't receive services.
Recently, a reference laboratory that handles the majority of the lab work for a medical practice contacted us. It is their practice to receive all ADT transactions from a client and discard transactions without a lab request, as described above. They wanted to know whether this would be a violation of HIPAA's requirements.
In short, the answer is yes. In order for a covered entity to share protected health information with another entity, two things must happen. First, the covered entity must obtain the patient's consent for the use of the patient's protected health information. Second, the data exchange must be part of TPO. When a lab receives data that is discarded because it is not to be acted upon, that information does not meet the TPO requirement, and the exchange therefore falls outside what HIPAA's regulations permit.
The benefits of this type of interface (cost savings, increased productivity and increased accuracy of information exchange) have made these interfaces important. To comply with the new HIPAA regulations we must now develop interface strategies that preserve the benefits without compromising patient privacy. This may require some significant redevelopment and new ways of managing patient information, but there are several options.
In some cases, the interfaces may have to be discontinued entirely, particularly when dictated by limits in an organization's resources or available technology. In such cases, organizations will need to consider how the lack of these interfaces may impact personnel resources and may consider replacing technology with people. This is not the best solution and certainly not the most cost-effective, but for some organizations it may be the only option.
A more technical solution would be to develop an option in the ADT system that would transmit the ADT information only when appropriate. This would require that someone in the organization be responsible for initiating each transaction, but would preserve most of the benefit of electronic transfer. This type of development will require the involvement of the ADT vendor; an organization choosing this option should start negotiations now to ensure a solution by the time HIPAA's privacy rule is completely in effect.
By far the cleanest solution would be to develop an order entry interface. This interface would be designed to update the receiving system with both the ADT transaction and the ordering information when the order is placed. This is a different design from most order entry systems (in which the ADT is sent when the patient is admitted and the orders are sent later), but the combined transaction would be required to meet HIPAA's requirements.
Regardless of the solution you choose, you should consider the costs associated with additional clerical support, interface development, or both when calculating your HIPAA compliance budget. Organizations facing these issues would be well advised to begin talking to their vendors, IT departments and customers now to ensure that sufficient time and resources are allocated to address this issue.
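One way to implement the gated approach described above (hold ADT transactions on the sending side and release a patient's demographics to the lab only together with an order), as an added Python example that is not OMI's code or any ADT vendor's. The message feed is a simplified HL7 v2 style layout constructed for the example, and the class and function names (GatedInterface, run_demo) are assumptions.

```python
"""Hypothetical TPO-gated ADT/order interface (constructed example, not OMI's or a vendor's code).

Rule implemented: the reference lab receives demographics only for patients who actually
have a lab order. ADT traffic for everyone else is held inside the covered entity and
purged on discharge, so nothing is disclosed without a TPO basis.
"""
from dataclasses import dataclass, field

FIELD_SEP = "|"


def msg_type(msg: str) -> str:
    """Return MSH-9 (e.g. 'ADT^A01', 'ORM^O01') from the first segment."""
    msh = msg.split("\r")[0].split(FIELD_SEP)
    if msh[0] != "MSH":
        raise ValueError("message must start with an MSH segment")
    # MSH-1 is the separator itself, so after splitting, index 8 is MSH-9
    return msh[8]


def patient_id(msg: str) -> str:
    """Return the patient identifier (first component of PID-3)."""
    for seg in msg.split("\r"):
        if seg.startswith("PID" + FIELD_SEP):
            return seg.split(FIELD_SEP)[3].split("^")[0]
    raise ValueError("no PID segment in message")


@dataclass
class GatedInterface:
    pending_adt: dict = field(default_factory=dict)  # patient -> latest ADT held back
    ordered: set = field(default_factory=set)        # patients the lab has an order for
    outbound: list = field(default_factory=list)     # what actually went to the lab
    audit: list = field(default_factory=list)        # activity-review trail

    def handle(self, msg: str) -> list:
        """Process one inbound message; return the messages released to the lab."""
        mtype, pid = msg_type(msg), patient_id(msg)
        kind = mtype.split("^")[0]
        if kind == "ADT":
            return self._handle_adt(msg, mtype, pid)
        if kind == "ORM":
            return self._handle_order(msg, pid)
        self.audit.append(f"{pid}: {mtype} ignored (not ADT/ORM)")
        return []

    def _handle_adt(self, msg, mtype, pid):
        if pid in self.ordered:
            # lab already has a treatment relationship: keep its demographics current
            self._send(msg, pid, f"{mtype} forwarded (existing order)")
            return [msg]
        if mtype == "ADT^A03":  # discharge with no order ever placed: drop held data
            self.pending_adt.pop(pid, None)
            self.audit.append(f"{pid}: {mtype} held ADT purged, no order placed")
            return []
        self.pending_adt[pid] = msg  # hold until (unless) an order gives a TPO basis
        self.audit.append(f"{pid}: {mtype} held (no TPO basis yet)")
        return []

    def _handle_order(self, msg, pid):
        sent = []
        adt = self.pending_adt.pop(pid, None)
        if adt is not None:
            self._send(adt, pid, "held ADT released together with order")
            sent.append(adt)
        elif pid not in self.ordered:
            self.audit.append(f"{pid}: order with no ADT on file; lab gets order only")
        self.ordered.add(pid)
        self._send(msg, pid, "ORM forwarded")
        sent.append(msg)
        return sent

    def _send(self, msg, pid, note):
        self.outbound.append(msg)
        self.audit.append(f"{pid}: {note}")


# Constructed feed: two admissions, one order (patient 100), an update, and a discharge
# of the patient (200) who never had an order and therefore must never reach the lab.
CONSTRUCTED_FEED = [
    "MSH|^~\\&|HIS|CLINIC|LIS|REFLAB|200208010800||ADT^A01|1|P|2.3\rPID|1||100^^^CLINIC||DOE^JANE",
    "MSH|^~\\&|HIS|CLINIC|LIS|REFLAB|200208010805||ADT^A01|2|P|2.3\rPID|1||200^^^CLINIC||ROE^RICHARD",
    "MSH|^~\\&|HIS|CLINIC|LIS|REFLAB|200208010900||ORM^O01|3|P|2.3\rPID|1||100^^^CLINIC||DOE^JANE"
    "\rORC|NW|ORD1\rOBR|1|ORD1||CBC",
    "MSH|^~\\&|HIS|CLINIC|LIS|REFLAB|200208011000||ADT^A08|4|P|2.3\rPID|1||100^^^CLINIC||DOE^JANE",
    "MSH|^~\\&|HIS|CLINIC|LIS|REFLAB|200208011100||ADT^A03|5|P|2.3\rPID|1||200^^^CLINIC||ROE^RICHARD",
]


def run_demo() -> GatedInterface:
    """Feed the constructed messages through the gate and return it for inspection."""
    gate = GatedInterface()
    for msg in CONSTRUCTED_FEED:
        gate.handle(msg)
    return gate


if __name__ == "__main__":
    g = run_demo()
    print("released to lab:", [msg_type(m) + " pid=" + patient_id(m) for m in g.outbound])
    print("\n".join(g.audit))
```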
Fortunately, healthcare is starting to take advantage of personal digital assistants (PDAs), laptop computers, and E-mail. Although the adoption of new technology may not be progressing as quickly as some of us might like, we are nevertheless beginning to see the benefits these devices can provide to both patients and providers. With the enactment of HIPAA, management of these devices by covered entities becomes important, since they can easily become the source of inadvertent disclosure of protected health information.
Risks and Opportunities with Electronic Devices
Used correctly, PDAs and laptops can increase a provider's efficiency, enhance the patient's experience with a healthcare organization, and potentially decrease the rate of medical errors. On the other hand, portable devices are also inherently less secure than more traditional facility-based information systems and will require new policies, procedures and training to ensure their security.
HIPAA's requirements for the protection of individually identifiable health information do not specifically mention PDAs or laptop computers, but the regulations do establish guidelines for the use of these devices, since they may contain or provide access to protected health information. Due to their mobility, and the increased possibility they will be lost or stolen, they represent a higher risk than a desktop computer or terminal.
The Major Issue: Protecting Health Information
E-mail Communication
The American Medical Association web site contains several different articles discussing the pros and cons of communicating with patients via E-mail.
Corporate E-mail systems can be configured to provide the required level of encryption when sending E-mail. The problem is establishing the same level of security on a physician's home computer. Other considerations are who else may have access to the computer (other family members) and how well the protected health information, stored in the form of E-mail messages, is protected.
The safest route would be to prohibit E-mail communication with patients. This would eliminate the potential for inappropriate disclosure of health information but might not be in the best interest of the patients or providers. It would also be difficult to enforce this requirement on providers when out of the office.
It is quite likely that a provider using a home computer for E-mail communication will not have the technical resources available, nor the technical knowledge required, to configure his or her system to use data encryption when sending data through a public network. It is also likely that other family members will have access to the home computer. These issues make it unlikely that a home computer would be secure enough to allow access to the organization's protected health information.
There are alternatives. For larger organizations with access to technical resources, the implementation of a web-based E-mail system for communicating with patients is one potential solution. This type of system allows physicians and other appropriate healthcare providers to access E-mail securely, using an ordinary browser. This would require little configuration on the part of the home user and would ensure secure communication with patients with a greatly limited risk to the organization.
Smaller organizations could use a similar technique, but instead of implementing the system themselves, could contract with one of several companies who are taking advantage of HIPAA restrictions and providing secure web-based E-mail systems.
Developing appropriate policies and procedures covering the use of E-mail within the organization, and appropriate training to ensure that users have a basic level of competence with the system, would also be requirements under HIPAA's provisions.
Laptop Computers and other Portable Devices
The mobility provided by laptop computers and other portable devices such as PDAs represents another potential source of unauthorized disclosure. In the case of these devices, the possibility of loss or theft of a computer that contains protected health information is the chief cause of worry. Although there are no surefire ways of preventing loss or theft, several issues need to be addressed when allowing employees to remove information from the facility.
One of the first issues to consider is that of making employees aware of the potential for violations of HIPAA's requirements should a computer with protected health information be lost or stolen. This heightened awareness should include an assessment of the importance of allowing that information to leave the organization. The result may be that the potential pitfalls far exceed the benefits; in other words, your organization may decide that removing data on a laptop or PDA is simply too risky to be permitted.
But, if you find that a provider has good reason for removing information (such as in home health organizations) several precautions should be taken. Each laptop user should be required to sign an agreement stipulating that he or she understands the risks associated with removing data from the facility, agrees to use the information only in accordance with the facility's established policy on workstation use, and assumes responsibility for its protection and safe return. Although this isn't a legal agreement, it serves to increase users' awareness of the importance of protecting the information contained on portable computers.
The user should be made responsible for knowing what data is on his or her laptop and removing data that is no longer necessary. Although it is impossible for any user to know precisely and completely what information is contained on his or her laptop, he or she should be aware of the type of information and its source so that the organization can determine what information has potentially been compromised in case of loss.
Define a policy on how and where a laptop can be used, and require users to delete protected health information once it is no longer necessary. This policy should also cover other people (family members, for example) who use the laptop or PDA, and the safe transportation of the laptop or PDA from the facility to the user's destination. Your organization may also want to consider arming these laptops with more sophisticated security systems, such as alarm systems that will alert the user to a potential theft.
Establishing a system password (at the OS level) and religiously following the requirements for periodically changing the password should also be requirements made of users who have access to a laptop computer. If one of your mobile devices happens to get stolen, you should have a policy that describes how, when, and whom a user should notify.
Conclusion
PDAs, laptops, and E-mail are all slowly becoming the tools of the trade. The productivity gains and potential reduction of medical errors these devices can provide are well worth the risks if your organization takes appropriate steps to ensure reasonable protections.
In a surprise announcement, the Bush Administration announced on April 12, 2001, that the much delayed, often maligned HIPAA privacy rules will go into effect as of Saturday, April 14, 2001. Covered entities are required to be in compliance with the final rule by April 14, 2003. Small health plans have until April 14, 2004, to comply.
Many people were confused by this allowance for small health plans, thinking that the additional compliance time would apply to small provider organizations as well, but this is not the case. Clarification of that point appears in the final rule published in December 2000, which specifies that provider organizations must comply within the 24-month period.
Changes to the final rule were minimal. The original rule prohibited access to a child's medical record by parents. Parents now have access to their children's medical records without restriction.
The last-minute additions of oral and written communication by the Clinton administration before the rule's release in December 2000 remain in this version of the rule. These requirements will drive many covered entities to automate their practices, since tracking access to oral and written communications will be impossible under the new privacy rules.
Covered entities will be required to obtain written consent from patients before they can use protected health information for any purpose. Patients will also have the right to a full disclosure of who has seen their records, the right to gain access to their records, and the right to request corrections to information contained in their records. The right to request corrections has caused a lot of confusion. It does not mean, as is widely believed, that a provider is required to make requested changes, but the patient has a right to make the request and to receive a response.
Yet to be finalized are the security rules, which focus on the integrity, confidentiality, and availability of health information. HHS has not published a release date for the security rules, but has set a general timeframe of mid-year.
Now that the question of whether the regulations will be released has been answered, covered entities can begin to put their resources to use finding solutions.
According to a notice from the HIPAA-REGS mailing list, Health and Human Services Secretary Tommy G. Thompson has opened the privacy rules to an additional 30-day comment period. Healthcare organizations and health plans have been particularly vocal about the cost of HIPAA compliance and the difficulties associated with a 24-month compliance period.
The extension may delay the implementation of the rules, but it will take an act of Congress to repeal the rule. Congress does not appear to have any plans for revisiting the rules.
Recent reports of compromised patient data have created an environment that will make it difficult for healthcare organizations to ignore issues of patient confidentiality. Many larger healthcare organizations, facing increased public scrutiny, have publicly stated that they will take steps to protect health information outside of any federally mandated requirement.
Comments on the Privacy Rule can be made at the HHS Administrative Simplification Web Site.
The Clinton administration will release the final privacy and security rules within the next two weeks, according to Chris Jennings, the White House health policy coordinator. Once the final rules are released, most health plans, healthcare clearinghouses, and provider organizations will have 24 months to comply. Small health plans (group or individual health plans with fewer than 50 participants) will have 36 months to comply.
It is unclear at this time whether the industry will mount an effective campaign to delay the implementation of the regulations. Earlier this year, after the release of the final rules for the standardization of healthcare transactions, health plans and healthcare clearinghouses launched a campaign to delay the implementation of the new standards. Industry representatives stated that the new rules would create an economic hardship and could not be implemented within the required timeframe. So far there has been no indication that HHS is considering relaxing the timeframe for compliance.
The privacy rules are designed to protect the confidentiality of patient information contained in electronic systems. The security rules also provide for the confidentiality of patient information, but in addition require that organizations ensure the integrity and availability of patient information even in the event of an electronic system failure.
Under the new rules, covered entities will be required to:
- Establish a number of new policies and procedures regarding the use of health information systems.
- Assign a security officer to review, monitor, and enforce privacy and security policy.
- Establish a chain of trust agreement with third parties that have access to protected information.
- Conduct training for employees.
- Educate patients on their rights under the new regulations.
These changes in the organization's operations will affect information system vendors and other third parties that may have access to protected health information. For example, vendors who have access to protected health information while providing system support services will be subject to a chain of trust agreement that outlines the approved uses of the protected information, the requirements for protecting a client's information, and sanctions against the vendor should patients' confidentiality be compromised by the vendor. Other aspects of the security rules will require changes to what have become standard operating procedures in the industry and will affect both the vendor community and provider organizations.
It is highly likely that healthcare providers and provider organizations will either delay the purchase or slow down the implementation of systems that are covered by the privacy and security rules while they evaluate the organization's readiness to comply.
The ongoing delays in releasing the final rules have caused many healthcare providers, provider organizations, and vendors to put off evaluating the rules. These organizations will find themselves scrambling to achieve compliance, ultimately putting even more pressure on the healthcare industry as a whole.
The Department of Health and Human Services (HHS) has announced another change to the release dates for Privacy and Security Rules, which were part of the Health Insurance Portability and Accountability Act of 1996. Initially, the final Security and Electronic Signature Rules were to be released in August or September, before the final Privacy Rules. Because the Security Rules rely on key definitions made in the Privacy Rules, however, the proposed release schedule and subsequent implementation of the Security Rules became too complex. HHS has changed the release strategy and is now working on the final Privacy Rules for a release with the Security Rules by the end of 2000.
This change will have a great impact on provider organizations that were set to implement the rules in two phases. Depending on the final compliance time frames, organizations may be faced with growing projects as they work to implement the Privacy and Security Rules together.
Organizations covered under the regulations should start becoming familiar with the rules and develop an initial scope of work to guide them through the implementation. Some compliance requirements (hiring or appointing an Information Security Officer, for example) can be completed well before the final rules are released and will provide critical organizational leadership.
The following steps may help to minimize the impact on organizations that must comply with the rules:
- Appoint a compliance czar to oversee the organization's compliance planning.
- Develop a compliance team to review the proposed regulations and serve as a resource to the organization.
- Develop a compliance strategy and general timeline based on the proposed regulations.
Most large healthcare organizations have already started the process of evaluating compliance requirements. The latest changes to the implementation time frames will put pressure on smaller organizations to begin the process of evaluation sooner than many had planned.
In a recent campaign speech in Los Angeles, Vice President Al Gore announced a comprehensive plan to expand protection of medical data from what he termed "inappropriate use." Gore's plan would expand the proposed HIPAA rules on privacy and security to include paper medical records. Depending on how these new rules are implemented, the protection of paper records could be a potential boon to the EMR market by setting standards that would be difficult if not impossible to meet without a computerized system.
Citing abuses by insurance companies and drug companies, Gore proposed strengthening existing privacy rules through the implementation of the following strategies:
- Ensuring that basic privacy protections are guaranteed. Gore would expand current protections and fight for legislation to ensure that private medical information is not released inappropriately without written consent of the patient. He would fight to make sure these protections have the full force of law.
- Protecting paper as well as electronic records. Gore would expand existing medical record privacy laws to protect paper as well as electronic medical information from misuse by employers, life insurance companies, health insurance companies and others.
- Guaranteeing that everyone must comply with privacy protections. Gore would expand current protections to ensure that any entity generating, maintaining or receiving health records (including employers, life insurers and workers' compensation plans) could not, without prior consent, use the information for non-health-related purposes such as marketing.
- Holding HMOs and insurance companies accountable. Gore would fight for a new private right of action and new criminal and civil penalties to ensure that individuals who have been harmed by the inappropriate release of private medical information have adequate legal recourse.
- Outlawing genetic discrimination. Gore would extend protections for genetic information and work to outlaw genetic discrimination. In 1996, Gore and the Administration enacted the Health Insurance Portability and Accountability Act (HIPAA), which prevents group health insurers from using genetic information to deny individuals health insurance benefits. Gore now endorses the Genetic Nondiscrimination in Health Insurance and Employment Act of 1999. Introduced by U.S. Senator Tom Daschle (D-S.D.) and U.S. Representative Louise McIntosh Slaughter (D-N.Y.), this bill would ensure that genetic information used to help predict, prevent and treat diseases could not also be used to discriminate against those seeking employment, promotion or health insurance.
In a speech given to the Workgroup on Electronic Data Interchange (WEDI) on July 7, 2000, Kevin Thurm, Deputy Secretary of the Department of Health and Human Services, announced that the privacy and security regulations that are part of the Health Insurance Portability and Accountability Act of 1996 would be released in September of 2000. Previously, the rules were scheduled for release in August. The proposed rules allow 12-24 months for covered health organizations to comply with the new privacy and security rules.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The increase in the use of electronic systems to capture, manage and transmit health information has heightened the public's concern with the security and confidentiality of health information. HIPAA directed Congress to enact a comprehensive patient confidentiality law by August 1999. HIPAA also specified that if Congress failed to act by August 1999, Health and Human Services must create and enact privacy and security rules by February 2000.
Implementation Timeframes
The rules proposed by Health and Human Services state that, within up to 24 months of the rules' final adoption, health organizations must implement privacy and security rules pertaining to health information systems. Implementation timeframes depend on the size of the organization; larger organizations have a shorter time frame for implementation. The definition of these systems includes any system that contains identifiable health information: billing systems, patient care systems, and systems involved in the transmission of patient records and other health information.