HIPAA
Health Insurance Portability and Accountability
Act of 1996
While the Act deals with privacy, security
and portability of health insurance, we'll focus our attention
on privacy issues.
Special Report
CONGRESS CONSIDERS HIPAA DELAY
The Senate has unanimously passed a
bill that would delay implementation of the HIPAA transaction
and code set standards until Oct. 16, 2003, a one-year extension.
Similar legislation was introduced but not yet voted upon in the
House of Representatives. The House version contains a number
of requirements on the healthcare industry to demonstrate that
the industry is moving forward with its preparations. House and
Senate leaders are currently meeting to see if they can resolve
differences in the two bills and come up with identical measures
that can pass both chambers before Congress adjourns. It's uncertain
whether that's possible. Congress plans to adjourn as early as
December 7, 2001, and no later than December 21, 2001. Many provider
groups oppose the delay. The groups say a delay unfairly penalizes
hospitals and health systems that have expended significant financial
and labor resources to meet the existing compliance date. To read
the bills, go to http://thomas.loc.gov
(for the Senate bill, search on S. 1684; for the House bill,
search on H.R. 3323).
Privacy
This standard defines the use and disclosure of health information.
It establishes individual patient rights and the health information
that is covered. It also requires that providers, plans, and clearinghouses
adopt policies for safeguarding this information.
- Plans and providers will be required to inform patients about how
  their information is being used and to whom it is being disclosed.
- The regulations also will give each patient a right to a "disclosure
  history" listing the entities that received their personal
  medical information.
- Patients will also have the right to access their own medical files,
  as well as the right to request amendments or corrections.
- Doctors and hospitals will be required to obtain written consent before
  using a patient's health information, even for routine purposes.
News
1/21/02
Meeting the HIPAA Challenge: An Introduction to the HIPAA Administrative
Simplification Regulations
This satellite broadcast and webcast will inform physicians and
the health care provider community about the Administrative Simplification
provisions of the Health Insurance Portability and Accountability
Act (HIPAA). This presentation will serve as an informational resource
to explain and highlight critical issues relating to HIPAA's Transaction
& Code Sets, information about the Privacy Rule and all the
up-to-date news.
This is an updated version of last year's broadcast.
Information about this satellite broadcast can be viewed at
http://www.hcfa.gov/medlearn/hipacast.htm
Webcast information can be found at:
http://cms.livewebcasts.com/
Please direct questions regarding this broadcast to Robin Phillips at CMS
- 410-786-3010, rphillips@cms.hhs.gov
1/21/02
AIS Health
What to Do When a Patient Does Not Sign a Consent Form
The HIPAA privacy rule assumes that, in the vast majority of episodes
of care, provider-covered entities will obtain signed consent forms
to use PHI for treatment, payment and health care operations (TPO)
from adult patients or, in the case of patients who are minor children,
from parents. If
the patient (or parent) refuses to grant consent or is unable to
do so, the HIPAA privacy rule and state laws outline what must be
done in relatively clear terms.
1/9/02
Health care organizations get an extra year to comply with the
HIPAA electronic transaction
The U.S. Senate on Dec. 12 passed a bill by unanimous consent that
is identical to the House of Representatives' one-year delay in
the effective date of HIPAA's electronic transaction and code set.
This legislation permits a one-year delay in TCS implementation
until Oct. 16, 2003. But there's a catch: covered entities that
want the one-year delay must submit to HHS, by Oct. 16, 2002, a
plan that details how they will come into compliance with the TCS
requirements, according to the bills. This plan must include summaries
of: an analysis reflecting the extent to which, and the reasons
why, the person is not in compliance; a budget, schedule, work plan,
and implementation strategy for achieving compliance; whether the
person plans to use or might use a contractor or other vendor to
assist in achieving compliance; and a specific time period of testing
that begins not later than April 14, 2003. The Administrative Simplification
Compliance Act (ASCA, also known as HR3323), states that "... a
health care provider, health plan (other than a small health plan),
or a health care clearinghouse shall not be considered to be in
noncompliance with the [electronic transactions and code sets regulations]
only if, before Oct. 16, 2002, the person [i.e., the provider, health
plan or clearinghouse] submits ... a plan of how the person will come
into compliance ... not later than Oct. 16, 2003." This legislation
deals strictly with HIPAA's electronic transaction and code set
requirements and has no impact whatsoever on the April 14, 2003,
deadline for compliance with HIPAA's privacy requirements. A major
issue to resolve in the next 10 months is how transactions will
be handled after Oct. 16, 2002, when many health care entities will
be complying with HIPAA's TCS rules and many others will have filed
for a one-year delay.
11/11/01
AHA Releases Guidelines For Releasing Patient Information To
Media
The American Hospital Association (AHA) on Thursday issued an advisory
to members outlining guidelines for releasing patient condition
information to the media and others under the Health Insurance Portability
and Accountability Act (HIPAA). AHA stipulates that these guidelines
are a tool to assist hospitals in finalizing their patient information
release policy and that hospitals should consult with legal before
implementing any components of the guidelines. Some of the recommendations
include: don't release dangerous or embarrassing patient information;
make sure the disclosure complies with all other applicable laws;
and exercise good judgement when patients can't express a preference.
Other areas include types of information that require patient authorization.
These include: detailed statements, photos of the patient, or any
interviews with the patient. The guidelines further state that hospitals
have a responsibility to tell patients what will be disclosed in
their directories, and allow patients to opt out of having it disclosed.
For more information, go to http://www.aha.org/.
10/14/01:
House Lawmakers Address AHA-Endorsed HIPAA Concerns
The House Appropriations Committee has directed the Department of
Health and Human Services to assess whether the Health Insurance
Portability and Accountability Act privacy requirements will hinder
hospitals' ability to provide care to patients, and also asked the
agency to identify federal money sources to assist in provider compliance
costs. The directive accompanied the panel's FY 2002 HHS budget
appropriations bill passed Thursday afternoon and on the House floor
for a vote at publication time. AHA supports the directive and hopes
it will bolster its request to get federal funding for hospitals
as they cope with HIPAA privacy requirement compliance costs.
ABC News
(8/30/01)
Doctor-Patient E-Privilege
In December 2000, the Department of Health and Human Services passed
new regulations governing the privacy of medical records — both
paper and electronic. But hospitals and HMOs aren't required to
comply with the laws until February 2003, and the new Bush administration
is already challenging some of the regulations.
AISHealth
(10/13/01)
Tips for Protecting Faxes Under HIPAA Privacy Rule
People tend to get complacent about the fax machine because usually nothing
goes wrong. But even a 1% error rate puts providers at great risk
under HIPAA.
(8/30/01) A Quick Guide to Developing Your HIPAA Notice of Privacy Practices
The government wants everything but the kitchen sink in your notice
of privacy practices, but you need patients to actually read and
understand it. A solution may exist in a mix of straightforward,
easy-to-grasp statements with a few well-chosen, but not distracting
number of, examples.
(8/23/01)
Craft Policies for 'Routine and Recurring Disclosures' of Protected
Patient Data
As your medical group moves toward HIPAA privacy and security compliance,
get used to this phrase: "routine and recurring disclosures." It's
part of the minimum necessary standard, which says that providers
can only access the patient data they need to do their particular
jobs. That sounds good in theory but can be very hard to define
and implement on a day-to-day basis.
(8/2/01) HIPAA: Target Behavior to Plug Weak Spots In Seven Vulnerable Privacy Areas
If you want to find the holes in your protection of patient health
information, start with some of the universal human shortcomings.
(7/26/01) 12 Tips to Improve Confidentiality In the Emergency Room.
The Type A quality of the emergency room - high pressure, intense, fast-paced,
with a sense of urgency - may somewhat suspend the normal sensitivities
to patient privacy. Here are tips for minimizing HIPAA violations
in the ER.
Medscape (free registration required)
(7/22/01)
Industry Shifts from Complaining to Complying with Patient Privacy
Rule
When the Bush Administration essentially endorsed new patient privacy
protections last month -- instead of overhauling them as many had
expected -- it sent two clear messages to the health care industry.
(7/22/01)
E-Health, HIPAA and Beyond
Despite rapid and vast changes in our ability to process and share information,
the encounter between patient and doctor is little different today
from what it was at the dawn of the twentieth century. A bright
future where health information systems can revolutionize the doctor/patient
encounter on a vast scale is within our reach. However, two obstacles
stand in the way: concerns over privacy and lack of uniform standards.
The National Committee on Vital and Health Statistics (NCVHS), a
congressionally appointed advisory body on e-health, has begun to
address both of these barriers.
American Academy of Family Practice Physicians
(7/21/01) A Problem-Oriented Approach to the HIPAA Security Standards
Your practice does not have to invest in Fort Knox-type security to comply
with HIPAA. Most of the security components prescribed by HIPAA
are already being used by other industries, such as retail and banking.
A basic self-audit consists of asking yourself common-sense questions
about how you and your staff currently handle PHI.
Medscape / Reuters (free registration required)
(7/20/01)
South Carolina Doctors Sue HHS Over Privacy Rule
A state medical association is suing federal health officials over
sweeping new patient privacy rules that allegedly violate constitutional
protections. The South Carolina Medical Association is seeking to
force the US Department of Health and Human Services (HHS) to overturn
the rules, which establish national standards for how personal health
information is used and distributed and set criminal and civil penalties
for breaching patient privacy.
ACEP.org
(7/18/01) HHS Issues Clarification for New Privacy Regulations
The Department of Health and Human Services has issued the first in a
series of guidance materials for the new federal patient privacy
regulations under the Health Insurance Portability and Accountability
Act (HIPAA). The guidance is presented in a question and answer
format and gives specific information about the new requirements
for physicians, hospitals, health plans, and others. It also attempts
to clarify some of the confusion that has surrounded the regulation's
key provisions.
The guidance: http://www.hhs.gov/ocr/hipaa/finalmaster.html
Fact sheet: http://www.hhs.gov/news/press/2001pres/01fsprivacy.html
Additional information: http://www.hhs.gov/ocr/hipaa
Washington Post
(7/8/01)
Guidelines Issued on Patient Records
Friends can pick up prescriptions at the local pharmacy. Hospitals don't
have to build soundproof rooms for patient consultation. Parents
generally may be told if their children have had abortions or visited
drug clinics. A guide on federal privacy rules was issued Friday
to answer questions that arose after President Bush endorsed updated
rules in April. Dating back to the Clinton administration, the rules
were meant to ensure that hospitals, doctors, insurers and others
keep patients' personal files private. Bush promised some changes,
but Friday's document doesn't contain any, said Bill Pierce, a spokesman
for the Health and Human Services Department. He said the guidelines
were issued to clear up confusion over existing provisions.
Health and Human Services Press Release.
Merginet
(7/4/01) New Privacy Regulations Impact EMS
As originally conceived by Congress, HIPAA was intended to standardize
electronic health data and protect the privacy of the electronic
information. However, the current rule goes beyond protection of
electronic data and applies to all patient information used by health
care providers. This will require significant changes for EMS providers
in how they handle patient information and establish procedures
to assure compliance with the law.
ComputerWorld
(5/10/01)
Beware of Predatory HIPAA Consultants
Modern Physician
(5/10/01)
Standard issue: HIPAA prompts discussion of rules for electronic
information
CNN.com
(4/12/01)
Medical privacy rules to take effect
Reuters / Medscape (registration required)
(3/30/01)
Survey Finds Healthcare Managers Want Privacy Rule Maintained
(3/30)
AHA Seeks Fixes to Privacy Rule
(3/30)
Rating Agency Says Hospitals Can Weather The Impact of HIPAA
(3/12)
HIPAA Privacy Regulations Targeted For Congressional Review
(3/12)
Privacy Regulations Said to Impede Dispensing of Prescription Drugs
(3/14)
Health Industry Wants Privacy Rules Delayed
Medscape Practice Prescriptions
Start Preparing Your Practices for HIPAA
Time.com
Ooops! Medical Privacy Rules Aren't Written in Stone After All
"In late December, the Federal Register published the administration's
hard-fought and exhaustively researched medical privacy rules, hailed
by privacy advocates as the most comprehensive and sweeping protections
ever. But thanks to an administrative glitch (chalk it up to end-of-term
nerves), the rules were never sent to Congress for a required 60-day
review — until February 13.
And that, says new Health and Human Services Secretary Tommy Thompson,
means the rules cannot be adopted until at least April 14. And in
the meantime, both the health care industry and the public will
have a second chance to review the rules before they are implemented."
Reuters: House Leader Asks
for Delay of Medical Privacy Rules
WASHINGTON (Reuters Health) Mar 06 - House
Majority Leader Dick Armey, R-Texas, is asking Health and Human
Services Secretary Tommy Thompson to further delay controversial
medical records confidentiality rules because they require too much
information to be given to the federal government.
"Far from protecting privacy, the proposed
regulation actually provides the federal government with more access
to people's personal medical information," said the letter, sent
to the secretary on Monday. "Handing sensitive medical records to
federal departments and agencies that are ill-equipped to protect
that information is not a solution; it is inviting abuse, errors,
scandal and tragedy," the majority leader wrote.
Armey in the letter cited an incident last
year in which computer hackers were able to access individual medical
information in the databanks of the Department of Veterans' Affairs.
"Imagine the backlash if the federal government required the collection
of personal medical information, then left it vulnerable to those
seeking to misuse that information — be they external hackers or
disgruntled bureaucrats with an axe to grind."
But backers of the rules — which are already
on hold until April because of a filing mistake made by the department
— said Armey is misreading them.
"This regulation does not require disclosures
to government agencies, with one exception: to the HHS Secretary
to assess compliance," said Joanne Hustead of the Georgetown University
Health Privacy Project. "As a general matter it's not a regulation
that requires providers and plans to disclose a ton of information
to the federal government," Hustead said.
Meanwhile, at a hearing at the Senate Budget
Committee Tuesday, Thompson said he remains committed to rules ensuring
the privacy of medical records, but defended his decision to reopen
the regulations for another 30-day comment period. Because the rules
were already on hold, Thompson said, and because he had heard complaints,
"we decided to use the time constructively," he told the committee,
to let people have their say. After the comment period is over,
he said, "we will decide to either make changes or leave it alone."
GOVERNMENT RESOURCES
US Department of Health and Human Services (HHS):
Proposed Standards for Privacy of Individually Identifiable Health Information
US Department of Health and Human Services: Administrative Simplification:
Privacy and Security. Privacy Standards: Questions, Final
Rule, Proposed Rule - Privacy, Other Privacy Milestones. Security
Standards: Proposed Rule, Frequently Asked Questions - Security
HHS Fact Sheets
Office of Civil Rights
Press Briefing on HIPAA: HHS Secretary Shalala
HHS News
PRIVATE RESOURCES
American Hospital Association
HIPAA Standards
Standards for Privacy of Individually Identifiable Health Information
Overview and Identification of Key Issues Scope
Hospitals and Health Networks
HIPAA Resources
AIS Health / AIS Compliance
A Quick Guide to Developing Your HIPAA Notice of Privacy Practices
HIPAA Resource Center
HIPAA Discussion Group (listserv)
HIPAAdvisory.com
HIPAA Primer - What is HIPAA?
Standards for Privacy of Individually Identifiable Health Information
HIPAA Frequently Asked Questions - Privacy
American Health Information Management Association
Three Steps to Increasing Employee Information Security Awareness
Health Hippo
HIPAA Page
Includes Hippo Quiz. Ex. Question: How many words and lines are
in the Health Insurance Portability and Accountability Act? Answer:
About 73,840 words, 5704 lines
3com
HIPAA e-Source
Online Slide Show: Information Security: It's Up to You!
CPRI Toolkit: Managing Information Security in Health Care
HIPAAcomply.com
Comprehensive Resource
Quadramed
Internet Forum on HIPAA Preparedness
Massachusetts Medical Society
MMS in Action: HIPAA
Health Information Compliance Insider (via newsrounds.com)
What you should know about HIPAA penalties
Healthcare Informatics
HIPAA in Healthcare Informatics (Index)
HIMinfo.com
"Health Information Management Supersite"
Healthcare Financial Management Association
HFMA Wants You To Know: HIPAA Myths
HealthExec
Alert Service for HIPAA