[ Friday, August 08, 2003 ]
DAMN BLOGGER!
Blogger ate my links and archives again. And my site meter (which hasn't worked for months, due to some other Blogger hiccup).
I will attempt to rebuild this weekend. Bear with me, while I bear with Blogger (if only my IS department would allow me to put the blog on www.jw.com).
Jeff [3:26 PM]
[ Tuesday, August 05, 2003 ]
War Stories:
Ed Richards, a law professor at LSU, was asking around the American Health Lawyers Association "HIT" list (that's the Health Information Technology listserv) for anecdotes and war stories about medical record privacy problems. E-mail me with any you might want to pass along. Some of the other e-mailers pointed to this list of stories from the Georgetown Health Privacy Project website, and some others pointed to this list from a HIPAA vendor.
Jeff [1:14 PM]
[ Friday, August 01, 2003 ]
Sorry for the light blogging, but I'm actually on vacation in Florida. No, not Disneyland -- it is a personal goal of mine, one which I fully acknowledge is likely unattainable, to never visit Disneyland. I'd rather pay for someone else to take my kids. Don't e-mail me that if I went I'd change my tune; I've heard that plenty, and don't think it's true. Anyway, if you're looking for a good place to stay in Naples, Florida, you can't go too wrong with where we are now, the Edgewater Beach Hotel and Club. Of course, if money is no object, try the Ritz Carlton, especially the beach resort (there's a second Ritz, the golf resort, with a truly challenging (I proudly tamed it with a 97) Greg Norman course). And I highly recommend Campiello's restaurant.
Anyway, there is news to post: the South Carolina HIPAA challenge has been appealed to the US Supreme Court. As you might recall, there is a Houston challenge and a South Carolina challenge, both in Federal courts, each with a different argument why HIPAA shouldn't be enforced. The Houston case centers its challenge over the fact that HIPAA actually gives the government, through HHS, the right to see anybody's medical record; covered entities must turn over any PHI that HHS asks for. The South Carolina case is a more interesting legal issue: the plaintiffs claim that HHS overstepped its authority in drafting the HIPAA regulations. Laws must be passed by Congress; the administrative agencies like HHS can enact regulations that tweak or fine-tune the law, but they can't draft actual law. The complaint in the South Carolina case is that what HHS did in the regulations was not tweaking or fine-tuning, but was the actual drafting of law. That would violate the US Constitution.
Both the Houston and South Carolina challenges lost in the US District courts as well as at the US Circuit Courts of Appeal. If I recall my federal procedure (and I don't, really), the appeal to the US Supreme Court in the South Carolina case will have to be dealt with, even if by a simple affirmation of the lower court rulings, since it involves a federal question. I don't know about the Houston case, though.
Jeff [7:58 AM]
[ Thursday, July 24, 2003 ]
Jeff [3:10 PM]
Here's a pretty good checklist of things you ought to be doing to be HIPAA compliant. From HIPAAdvisory. And here's a list of HIPAA resources, especially helpful for the impending train wreck/TCS deadline.
Jeff [3:07 PM]
Transaction and Code set guidance:
HHS has issued what it calls its final guidance on compliance with the transaction and code sets standards after the October 16 deadline. Unlike Privacy and Security, TCS is enforced by CMS rather than OCR (hey, at least it's not OIG!). For the acronymically challenged, the transaction and code sets rules will be enforced by the Centers for Medicare and Medicaid Services, rather than the Office of Civil Rights or the Office of the Inspector General. The enforcement environment will be complaint driven, and the covered entity subject to the complaint will be given the opportunity to show compliance, show good faith efforts to comply, and/or show a corrective action plan for attaining compliance. It sure looks reasonable.
In determining good faith efforts, CMS will look at sustained activities like external testing, outreach, and whether trading partners are impeding progress. For CMS, proof of good faith efforts will show in the documentation; if you're really trying but not making progress, at least document your efforts so you'll have something to show if the regulators come a-knocking.
One thing is clear, though. Regardless of the warning that this will be a train wreck, HHS is reiterating that the deadline is the deadline. There will be soft-handed enforcement, but there will be no extensions.
Jeff [3:04 PM]
[ Wednesday, July 16, 2003 ]
Here's an interesting item:
On June 24, the National Committee on Vital and Health Statistics, a committee within HHS, had a teleconference outlining a lot of different HIPAA items, such as the status of the Transaction and Code Sets (the "impending train wreck") and various other HIPAA matters. They had one of the bureaucrats from OCR there to report on what types of complaints have been coming in on HIPAA. As you might expect, things like failure to give information to individuals, failure to have or post NoPPs, and loud voices in the reception area and hallways took up most of the complaints. This is easy stuff to fix; it's disappointing that providers haven't done a better job here. For all the confusion and chaos of HIPAA, it's the easy to do, easy to follow parts that are the falling-down point for the industry. There really is no excuse for these types of problems (except for the possibility that the folks complaining are malcontents who would complain even if the provider was doing an almost-perfect job).
You can find the transcript here (scroll down about a quarter of the way to Stephanie Kaminsky's comments).
Jeff [5:40 PM]
[ Monday, July 14, 2003 ]
E-mail issues?
There's a new study out by ZixCorp indicating that many health professionals send out e-mails without sufficient privacy or security protection. Of course, you knew that. I'm not sure what exactly counts for "sufficient," but since ZixCorp sells e-mail protection packages, I'm suspecting that they are quick to determine that what folks are doing isn't sufficient.
Of course, you should take a look at your e-mail patterns and make sure you are doing what you can to keep information safe. But keep in mind that there are few hard-and-fast rules in either the privacy or security provisions of HIPAA that dictate when you can or can't use e-mail or when you must or needn't encrypt. Don't send e-mails with PHI if you don't have to, but don't let fear of doing so prevent you from taking care of your patients in the manner that's best for them.
Jeff [5:27 PM]
Don't ask me how much it costs . . .
. . . or how they determine what it ought to cost, but Healthcare First, a division of Arthur J. Gallagher & Co., is offering HIPAA insurance. It doesn't pay fines, but does cover damages caused by your HIPAA violations.
Jeff [5:22 PM]