The Winter IT Summit to take place on February 9-10

The Winter Health IT Summit of the Institute for Health Technology Transformation is taking place on February 9-10 in Phoenix, Arizona. The Winter Health IT Summit is designed to bring together C-level, physician, practice management and IT decision-makers from North America’s leading provider organizations and physician practices. It was announced recently that Redspin, Inc. will be participating and speaking at the summit. CEO and Founder John Abraham will be speaking on behalf of Redspin. Redspin, founded in 2000, delivers the highest quality information security assessments to leading companies in healthcare, financial services, hotels, casinos and resorts, as well as to retailers and technology providers.

The panel, entitled “Technology, Security Mandates, and HIPAA Privacy,” will cover the new mandates that ARRA has brought to practices under HIPAA. “New mandates will force practices to adopt policies and procedures in order to avoid new enforcement provisions and significantly increased penalties,” said Waco Hoover, CEO, Institute for Health Technology Transformation, adding, “These critical changes include: new provisions for accounting of disclosures; new patient rights that you will need to incorporate into your policies and staff training; new requirements should your patient data be breached; modifications that will need to be made to your business associate relationships; and increased penalties up to $50,000 per violation to a maximum of $1.5 million a year in the most egregious cases of data breaches.”

The panel will be moderated by Khalid Kark, Principal Analyst, Forrester Research, and speaking, along with John Abraham, will be Ram Krishnan, SVP of Products and Marketing, GuardianEdge; Carole Klove, Chief Compliance Officer & Privacy Officer, UCSF Medical Center; Robert Israel, Vice President & Chief Information Officer, John C Lincoln Health Network; and Aaron Carpenter, Chief Information Security Officer, Arizona Department of Health Services.

The Summit’s attendees include industry leaders and senior executives from the healthcare community with the following job titles: Chief Information Officer, Chief Medical Officer, Chief Medical Informatics Officer, Physician, Practice Manager, VP and Director of IT.

Emdeon launches online resource to help transition to upgraded HIPAA version

Emdeon Inc. has announced the availability of HIPAA Simplified, a one-stop online resource for guiding the healthcare industry’s transition to HIPAA 5010, NCPDP D.0 and ICD-10 standards. The Web site is located at and it will feature technical gap analysis documentation, simplified business-level topics, trading partner transition strategy information, frequently asked questions, testing tools and resource pages that are specific to each of the affected healthcare industry segments.

According to the U.S. Department of Health and Human Services (HHS), the updated HIPAA standards (Versions 5010 and D.0) will replace the current standards (Versions 4010/4010A1 and 5.1). These are designed to promote greater efficiency in electronic transactions, and compliance with the new HIPAA 5010 and NCPDP D.0 standards is required by January 12, 2012. The ICD-10 code sets are required in transactions as of October 1, 2013.

Emdeon has launched HIPAA Simplified as a resource to help guide the healthcare industry through the transition to the new standards. In December 2009, Emdeon senior vice president of corporate strategy and government services, Miriam Paramore, testified before the National Committee on Vital and Health Statistics and said, “Emdeon is committed to supporting our customers and leading the industry in compliance and adoption of the new standards and code sets. Our goal is to be ready in advance of the government mandated deadlines to ensure a smooth and successful transition.”

CMS to hold teleconferences on ICD-10 and HIPAA 5010 implementation

Last year, the Centers for Medicare & Medicaid Services (CMS) had issued a reminder to health care providers, health plans, clearinghouses, and vendors about the approaching compliance dates for a new generation of diagnosis and procedure codes and updated standards for electronic health care transactions. It also stated that all entities covered under the Health Insurance Portability and Accountability Act should be ready to test with their trading partners the functionality of the entities’ practice management and/or other related software featuring Version 5010 standards.

Use of the Version 5010 standards for HIPAA electronic health care transactions, including claims, remittance advice, eligibility inquiries, referral authorization and other administrative transactions, will be mandatory on Jan. 1, 2012. The Version 5010 standards also provide the framework needed for use of the revised medical data code sets (ICD-10-CM and ICD-10-PCS), that must be implemented on Oct. 1, 2013.

The greatly expanded ICD-10 code sets will support quality reporting, pay-for-performance, bio-surveillance and other critical activities, and provide a rich terminology for use of electronic health records. The ICD-10 code sets will also link to the standards and certification criteria for demonstrating “meaningful use” of certified EHR technology under the Medicare and Medicaid EHR incentive program.

Along the same lines, and to help healthcare providers prepare, CMS will host teleconferences on the ICD-10 implementation on Jan. 12 and on the Medicare fee-for-service implementation of the HIPAA Version 5010 and D.0 transaction standards on Jan. 19, according to an AHA News Now report.

The calls will take place as follows:

* Jan. 12, 1-3 pm EST: “Preparing for ICD-10 Implementation in 2011”
* Jan. 19, 2 pm EST: “Fourteenth National Education Call on Medicare Fee-For-Service (FFS) Implementation of HIPAA Version 5010 and D.0 Transactions”

UMC under FBI investigation for violation of HIPAA

More than 100 people have been notified by University Medical Center that their personal information might have been compromised, and the center has suspended six of its staff members in connection with this charge and, separately, for their casual treatment of a pregnant woman seeking help in the emergency room.

The investigation found that Roshunda Abney, 25, was ignored for so long at the hospital that she went home and gave birth to a premature baby that later died. Others who were in the waiting room corroborated the account of Abney and her fiancé that they were ignored for several hours until they finally left.

In response to the second investigation, UMC sent out more than 100 notification letters letting people know their personal information might have been illegally shared with others. The 100 letters sent out notify 71 patients who used the hospital’s Trauma Center Oct. 31 or Nov. 1 and people who accompanied the patients and provided personal information to the hospital. Those getting the letters have been offered free credit monitoring for a year as compensation. A second letter will be sent in the next couple of days explaining how to use the service now that the contract is complete.

The FBI has launched an investigation into the violations of the federal Health Insurance Portability and Accountability Act (HIPAA), which carries penalties of up to $250,000 in fines and 10 years in jail. “The FBI feels that they have made some progress in the investigation — they don’t exactly keep us daily updated — but we do feel that they are handling the investigation appropriately and we expect to get to the bottom of this,” Silver said.

As a further precaution, UMC has taken additional steps to improve the protection of patient information. From now on, UMC employees will be required to enter a personal identification number on copy machines in patient care areas so that photocopies can be tracked and audited. Hospital officials are also evaluating where additional electronic door access controls might be needed to further improve the security of patient information.

If the source of any leak is found, Silver said, the hospital will insist that the person is criminally prosecuted. “If, as it has been suggested, there have been data leaks, then we will get to the bottom of it and we will take the appropriate action,” she said. “These are criminal offenses, they’re very serious.”

CVS Caremark Corp. to pay $2.25 million to HHS

CVS Caremark Corp. was charged with violating HIPAA privacy regulations after pharmacy employees threw items such as pill bottles bearing patient information into the trash. To settle the federal investigation, the company has agreed to pay $2.25 million, in an announcement made this Wednesday. In addition, the company has promised to establish and implement policies and procedures for disposing of protected health information, implement a training program, conduct internal monitoring and hire an outside assessor to evaluate compliance for three years in its more than 6,000 retail pharmacy outlets.

The company was under joint investigation by the Department of Health and Human Services and the Federal Trade Commission after media reports in 2006 that workers at CVS pharmacies were improperly disposing of sensitive patient and employee data by discarding pill bottles with labels containing patient information into open Dumpsters, along with medication instruction sheets, pharmacy order information, employment applications, payroll data, and credit card and insurance card information.

Apart from the $2.25 million, the FTC order requires the company to establish a comprehensive information security program to protect the data it collects from consumers and employees. The company must also obtain a security audit from a qualified third party every two years for the next 20 years.

Experts have noted that the HIPAA rules have had very few enforcement mechanisms in place. Kate Borten, president of The Marblehead Group, a consultancy that helps healthcare organizations meet compliance mandates, said enforcement has been so rare that some healthcare providers say they fail to see a downside in making a weaker effort to comply with HIPAA.

“The thinking has been that the government has taken a ‘kinder and gentler’ attitude,” Borten said. “If a complaint comes in the government will come in and give you time to fix any issues you have.”

Surveys reveal non-compliance with new HITECH Act provisions

The survey of HITECH Act compliance by its subsidiary HIMSS Analytics and the 2nd annual HIMSS Security Survey, both released by the Healthcare Information and Management Systems Society (HIMSS) last month, show that health care organizations and business associates (BAs) are generally unprepared to comply with the new security breach rules, and that much work remains to achieve compliance with the new HITECH Act provisions.

The HIMSS Analytics survey found the following:

* 2% of covered entities (CEs) and 12% of BAs were not aware of the new HITECH Act provisions.
* One-third of hospitals overall and 52% of large hospitals reported having a data breach in the last 12 months.
* 91% of hospitals conducted a risk assessment and took actions to address identified risks and gaps in the last 12 months.
* Large hospitals had a higher level of awareness of the new breach requirements than did small hospitals.
* Over 30% of business associates did not know they are now accountable for the HIPAA privacy and security requirements.
* Nearly half of hospitals would terminate a BA contract for violations.

Another study, the Crowe Horwath benchmark study conducted for the Ponemon Institute, collected data from 42 covered entities and 35 business associates. Larry Ponemon, chairman and founder of the Ponemon Institute, released the key findings of the benchmark study on Nov. 10, which included:

* 94% of respondents were not in “substantial compliance with HITECH.”
* Only 1% of organizations are ready to meet the deadlines for near-term effective dates.
* 90% of organizations experienced one or more data breaches in the past two years.
* 98% of CEs have formally implemented a HIPAA privacy compliance program; 43% of BAs have done the same.
* 86% of CEs have formally implemented a HIPAA security compliance program; 26% of BAs have done the same.
* 32% said their organizations do not provide adequate staff training for both privacy and security.
* 21% said their organizations have not formally implemented a risk-based assessment program.
* 30% said their organizations do not conduct a detailed security risk analysis.
* 22% have not formally assigned the role of security officer or CISO.

Both Ponemon and Gallagher cite a lack of resources as a major source of difficulty. They also feel that executives are not necessarily supportive of privacy and data security compliance initiatives and instead tend to focus on things that are revenue related. Compliance is also hindered because the “rank and file” employees handling medical records may not be the best placed to manage privacy, says Ponemon. Strict enforcement by the government is the only thing that will overturn complacency about privacy and security, he adds.

RelayHealth’s TestTrack5010 to help providers test for HIPAA 5010 compliance

RelayHealth, a leading provider of healthcare connectivity services, operates as a neutral partner in an open network environment, offering connectivity services and integration among all organizations, systems, and solutions. Its intelligent network is designed to streamline clinical, financial and administrative communication between patients, providers, payors, pharmacies, pharmaceutical manufacturers, and financial institutions.

Now, the company has announced the availability of its new TestTrack5010SM for Payors tool for health insurers. Part of RelayHealth’s suite of 5010 Compliance services, TestTrack5010 is a Web-based solution that helps health plans test the processing of HIPAA 5010 medical claims, eligibility and other 5010 transactions using their own production data. With this testing service, health plans will be able to reduce the time and effort required to test the new government-mandated electronic transaction set by up to 75 percent.

Beginning Jan. 1, 2012, all payors and their trading partners, including healthcare providers, are required to use the ANSI X12 version 5010 transaction set to send and receive claims and other administrative data. This transition to the 5010 standard is both costly and cumbersome, and the most difficult part of the changeover will be testing systems to ensure that they can accommodate 5010 transactions.

Here, RelayHealth positions itself as the only company offering a free testing service that enables its health plan customers to use live data sets to test for HIPAA 5010 compliance.

Payors can process their own transaction types in batch and real-time through TestTrack5010, which features HIPAA-compliant protection for personal health information (PHI).

The TestTrack5010 service also allows users to:

* Perform gap analyses by comparing 4010 and 5010 transaction content
* Convert 4010 files to 5010-compliant transactions
* Create benefit-specific 5010 test scenarios
* Review transaction details of selected items within batched claims

“The introduction of TestTrack5010 demonstrates RelayHealth’s ongoing leadership role in helping the healthcare community make the challenging transition to the new transaction standards, as well as the even more demanding switch to ICD-10 diagnostic coding that will follow,” said Jim Bodenbender, president of RelayHealth’s Provider and Consumer Solutions. “By providing this service, we can help payors efficiently achieve 5010 compliance which, in turn, will ensure they are able to sustain their service levels for their submitting providers.”

Companies moving to implement encryption projects

The 2009 encryption and key management benchmark survey, conducted by Trust Catalyst on behalf of Thales, reveals that the Payment Card Industry Data Security Standard (PCI DSS) and the US Health Insurance Portability and Accountability Act (HIPAA) are driving encryption projects across industries.

Among respondents from Europe, 52 per cent are planning to implement encryption projects to comply with PCI DSS, while in the US 53 per cent of the organisations surveyed are planning encryption projects to comply with HIPAA. The research also found that organisations are, at the same time, spending more time and effort on key management planning.

Franck Greverie, vice president, managing director for the information systems security activities of Thales, said: “These results show clearly that two of the most important pieces of data – a person’s credit card details and their health records – and the regulations designed to safeguard this data are the major drivers for companies to encrypt data.

“The impact of a data breach is one of the main security headaches for CEOs and IT specialists alike and regulation is already playing a role in terms of tightening data security. The very nature of encryption means that data is secure even if many of the other enterprise security mechanisms fail and regulators and industry will therefore grow to depend on encryption.”

“Key management and the ability to demonstrate encryption key custody and control will become increasingly important as auditors and regulators look to validate safe harbour. The good news is that encryption is now significantly easier to implement and manage than in the past,” added Greverie.

HHS shifts responsibility for the Security Rule to OCR

The Department of Health and Human Services (HHS) has announced that the authority for the administration and enforcement of the Security Standards for the Protection of Electronic Protected Health Information (Security Rule) has been delegated to the Office for Civil Rights (OCR). This step will improve HHS protection of individuals’ health information by “combining the authority for administration and enforcement of the Federal standards for health information privacy and security called for in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).”

Until now, enforcement of the HIPAA Privacy Rule was the responsibility of the Office for Civil Rights, while the Centers for Medicare & Medicaid Services (CMS) had administrative and enforcement responsibility for the HIPAA Security Rule.

HIPAA Privacy complaints include impermissible uses and disclosures of protected health information, lack of safeguards of protected health information, uses or disclosures of more than the minimum necessary protected health information, and lack of or invalid authorizations for uses and disclosures of protected health information.

Gallagher: In February of this year, in the Health Information Technology for Economic and Clinical Health [HITECH] section, the American Recovery and Reinvestment Act of 2009 [ARRA] mandated changes to improve enforcement of the HIPAA Privacy and Security Rules. With this HHS announcement, the combination of responsibility within OCR should make enforcement more efficient because the majority of complaints received include both privacy and security components. If there is a privacy violation, most of the time that is due to a security control that is either violated or not working properly. That’s how the rules become interrelated.

HIPAA to undergo further change with the newly proposed Health Reform Bill

There are several health IT related provisions in the healthcare reform bill that recently passed through a key Senate committee. Among them are new rules regarding HIPAA, including proposals allowing the periodic update of HIPAA standards, and fines for health plans that don’t comply with HIPAA “operating rules” by April 2014.

This 223-page bill was moved by Senate Finance Committee Chair Max Baucus (D-Mont.) and allows the Dept. of Health and Human Services to designate a committee that, no later than April 2014, would biannually review existing HIPAA standards and operating rules and make recommendations for updates.

The bill lists proposed penalties for health plans that don’t certify compliance with the HIPAA requirements. It also proposes that health plans be required to certify to HHS by Dec. 2015 that “their data and information systems comply with the most current standards and operating rules” for HIPAA transactions, including four additional ones: health claims, enrollment/disenrollment in plans, health plan premium payments, and referral certification and authorization.

However, there is no certainty that the bill will be passed by Congress and signed by Obama. It will most probably undergo a host of changes as it is combined with proposals from the House of Representatives.