[ Thursday, July 24, 2003 ]


Jeff [3:10 PM]


Here's a pretty good checklist of things you ought to be doing to be HIPAA compliant. From HIPAAdvisory. And here's a list of HIPAA resources, especially helpful for the impending train wreck/TCS deadline.

Jeff [3:07 PM]


Transaction and Code set guidance:

HHS has issued what it calls its final guidance on compliance with the transaction and code sets standards after the October 16 deadline. Unlike Privacy and Security, TCS is enforced by CMS rather than OCR (hey, at least it's not OIG!). For the acronymically challenged, the transaction and code sets rules will be enforced by the Centers for Medicare and Medicaid Services, rather than the Office of Civil Rights or the Office of the Inspector General. The enforcement environment will be complaint driven, and the covered entity subject to the complaint will be given the opportunity to show compliance, show good faith efforts to comply, and/or show a corrective action plan for attaining compliance. It sure looks reasonable.

In determining good faith efforts, CMS will look at sustained activities like external testing , outreach, and whether trading partners are impeding progress. For CMS, proof of good faith efforts will show in the documentation; if you're really trying but not making progress, at least document your efforts so you'll have something to show if the regulators come a-knocking.

One thing is clear, though. Regardless of the warning that this will be a train wreck, HHS is reiterating that the deadline is the deadline. There will be soft-handed enforcement, but there will be no extensions.

Jeff [3:04 PM]

[ Wednesday, July 16, 2003 ]


Here's an interesting item:

On June 24, the National Committee on Vital and Health Statistics, a committee within HHS, had a teleconference outlining a lot of different HIPAA items, such as the status of the Transaction and Code Sets (the "impending train wreck") and various other HIPAA matters. They had one of the bureaucrats from OCR there to report on what types of complaints have been coming in on HIPAA. As you might expect, things like failure to give information to individuals, failure to have or post NoPPs, and loud voices in the reception area and hallways took up most of the complaints. This is easy stuff to fix; it's disappointing that providers haven't done a better job here. For all the confusion and chaos of HIPAA, it's the easy to do, easy to follow parts that are the falling-down point for the industry. There really is no excuse for these types of problems (except for the possibility that the folks complaining are malcontents who would complain even if the provider was doing an almost-perfect job).

You can find the transcript here (scroll down about a quarter of the way to Stephanie Kaminsky's comments).

Jeff [5:40 PM]

[ Monday, July 14, 2003 ]


E-mail issues?

There's a new study out by ZixCorp indicating that many health professionals send out e-mails without sufficient privacy or security protection. Of course, you knew that. I'm not sure what exactly counts for "sufficient," but since ZixCorp sells e-mail protection packages, I'm suspecting that they are quick to determine that what folks are doing isn't sufficient.

Of course, you should take a look at your e-mail patterns and make sure you are doing what you can to keep information safe. But keep in mind that there are few hard-and-fast rules in either the privacy or security provisions of HIPAA that dictate when you can or can't use e-mail or when you must or needn't encrypt. Don't send e-mails with PHI if you don't have to, but don't let fear of doing so prevent you from taking care of your patients in the manner that's best for them.

Jeff [5:27 PM]


Don't ask me how much it costs . . .

. . . or how they determine what it ought to cost, but Healthcare First, a division of Arthur J. Gallagher & Co., is offering HIPAA insurance. It doesn't pay fines, but does cover damages caused by your HIPAA violations.

Jeff [5:22 PM]

[ Wednesday, July 09, 2003 ]


A new Phoenix Health Systems Survey:

Phoenix has been doing HIPAA surveys for some time now, and they are always useful. The more people that take the survey, of course, the better the information. So, I urge you to go take the latest survey, which is divided into groupings based on whether you are a provider, payor, vendor or clearinghouse. Here's the provider survey. If you're not a provider, you can go to the site and pick another survey to match with what you are.

Jeff [11:31 AM]


HIPAA in Hawaii.

Here's a story (may need free registration) on the impact HIPAA is having on the medical community in Hawaii. The islanders put together a HIPAA collaborative that did a lot of the heavy lifting for them, putting together forms and documentation for the group to share. The approach seems to exemplify the calmness usually associated with those folks. Of course, I think I should go do some research personally. Always good to do some field work. . . .

Jeff [10:25 AM]

[ Thursday, July 03, 2003 ]


Off-Topic: A Dan Hayes definition


noun. Derived from anarchist. An advocate of minimal government, often described as the night watchman state, in which the state exist legitimately only to enable appropriate law and order and to deal with collective territorial defense.

Such as state can exist to reinforce the liberty of individuals but not to 'do things' and is therefore a largely 'apolitical polity' guarding the boundaries of civil society.

Some minarchists view this as a transitional state leading inevitably to completely stateless anarcho-capitalism, whilst others see minarchy as a stable end point.

Whilst this is not a blog specific term, it is often used on 'pundit blogs', many of which are libertarian, hence its inclusion here.

(via Samisdata).

Jeff [10:08 AM]

[ Tuesday, July 01, 2003 ]


Here's an interesting article from the Arizona Republic regarding the possible unintended consequences of HIPAA on living trusts. I'm not sure I agree with the thrust of the article (frankly, I'm a little suspicious right off the bat when the first paragraph talks about the regulations Congress enacted earlier this year to regulate medical record privacy; Congress didn't enact them, and they weren't enacted this year, but they do have to do with medical record privacy, so one out of 3 ain't bad). The article implies that individuals who enter into living trusts might be in trouble if they are incapacitated later in life, because the trustees of the trust might not be able to get their health information and therefore might not be able to choose their healthcare. Of course, providers can provide information to individuals involved in the patient's care, and if that person is a legally-appointed guardian, trustee, or attorney-in-fact, HIPAA shouldn't be a bar to the decisionmaker receiving all the PHI necessary to see to it that the patient has good care.

I guess it could happen, but it could happen even with a good Durable Power of Attorney, if the provider was stubborn enough. Not too likely, though. Of course, it goes without saying that you should be pretty careful with those type of documents. And if you do estate planning, you should be certain that you cover the HIPAA angle.

(Thanks to Pamela Jones at MedAbiliti and their Health Innovation Daily headline service)

Jeff [5:28 PM]


The National Committee on Vital and Health Statistics has just published its letter to Tommy Thompson outlining the results of hearings it held on the likelihood that the healthcare industry will be able to meet the October deadline for implementation of the Transaction and Code Set standards. Short answer: it doesn't look good. Will this mean that HHS will push the deadline back? I wouldn't bet on it. I think it's more likely that they will keep the deadline in place but promise not to be too cruel when imposing punishments. For whatever that's worth.

Jeff [3:19 PM]

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template