Baucus’ proposal for use of ‘operating rules’ to go to a vote soon

A vote will soon be held on Sen. Max Baucus’ proposal to mandate the use of “operating rules” that would make HIPAA transactions more uniform. The proposal currently remains in the Senate Finance Committee’s version of the health reform bill.

The bill would also add the electronic funds transfer (EFT) of health claims payments as a HIPAA transaction, and would require the release of a final rule within two years of enactment to establish unique health plan identifiers, to be effective by Oct. 1, 2012. The identifiers were mandated under HIPAA when it was enacted in 1996 but were never implemented.

When Baucus (D-Mont.), chair of the finance committee, issued his first “Chairman’s Mark” on September 16, he proposed the operating rules, the EFT transaction and the health plan identifiers. The mark, a detailed explanation of provisions for health care reform, is not yet formal legislation written in legislative language; the amended version is a 262-page plain-English document. The amended version of the bill explains the operating rules and EFT proposals in considerably more detail and includes compliance dates.

The amended proposal would require the Secretary of Health and Human Services to initially adopt a single set of operating rules for eligibility verification, claims status, remittance/payment and EFT. The goal would be to create as much uniformity in the implementation of the electronic standards as possible.

Under the proposal, HHS would adopt operating rules for eligibility and claims status transactions by July 1, 2011, to be effective by Jan. 1, 2013. “Such operating rules would be allowed to include rules for the use of a machine readable identification card.”

HHS would adopt operating rules for EFT and remittance/payment transactions by July 1, 2012, to be effective by Jan. 1, 2014. HHS would adopt operating rules for claims, enrollment/disenrollment, health plan premium payments and referral certification/authorization transactions by July 1, 2014, to be effective by Jan. 1, 2016.

New rules offer greater protection to genetic information

Under the Genetic Information Nondiscrimination Act of 2009, two new federal rules have added protections for patient privacy. An interim final rule issued by the Departments of Labor, Treasury, and Health and Human Services prohibits group health plans and health insurance issuers in the group market from:

1. Increasing premiums for the group based on the results of one enrollee’s genetic information,
2. Denying enrollment,
3. Imposing pre-existing condition exclusions, and
4. Conducting other forms of underwriting based on genetic information.

The interim final rule also prohibits issuers in the individual market from using genetic information to deny coverage, raise premiums or impose pre-existing condition exclusions. Further, group health plans and issuers in both the group and individual markets cannot request, require or buy genetic information for underwriting purposes, or in connection with enrollment. They also are “generally” prohibited from asking individuals or family members to undergo a genetic test, according to the federal agencies.

Modifying the HIPAA privacy rule, HHS’ Office for Civil Rights has issued a proposed rule to prohibit insurers from using or disclosing genetic information for underwriting purposes. This rule states that genetic information is health information and prohibits “the use and disclosure of genetic information by covered health plans for eligibility determinations, premium computations, applications of any pre-existing condition exclusions, and any other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits,” according to the agencies. Violations could result in a fine of $100 to $50,000 for each violation. The proposed rule has a 60-day comment period.

Federal Data Breach Notification Rules kick off

HIT administrators face yet another challenge now that federal data breach notification rules for entities covered by HIPAA kicked off last week. The new rules provide greater protection against personal health information being exposed, and up the ante considerably by extending coverage to “business associates” of HIPAA-covered entities.

The term ‘business associates’ covers a wide range of organizations and includes HIE partners, third-party administrators, claims processors, attorneys, accountants and software providers, among many others.

Under the rules, HIPAA-covered entities such as hospitals, doctors and health plans have to inform victims of unauthorized releases of their private data that their PHI has been compromised. The new rules also allow for criminal and civil penalties.

This means that everyone involved in the healthcare industry needs to reassess their technical and administrative strategies, even if they have had good security policies in place for a long time. HIT administrators need to take a hard look at how they work with partners and subject any vendors hosting HIT applications to a rigorous security check-up.

There are some flaws and drawbacks in the rule, however. If the breached data is encrypted, making it unreadable, unusable or indecipherable, covered entities don’t need to notify anyone. Providers can also skip the notification process if the breach doesn’t pose a major risk of financial or other harm to an individual, and the rule lets the provider decide whether the possible harm meets the disclosure standard.

Arkansas’ first criminal prosecution for HIPAA violation

In one of the first federal criminal prosecutions in Arkansas for accessing patient records out of curiosity, a physician and two former employees of St. Vincent Infirmary Medical Center (SVIMC) in Little Rock, Arkansas, pleaded guilty to misdemeanor violations of the privacy provisions of HIPAA on July 20, 2009.

The records that were illegally accessed related to Anne Pressly, a local television personality who was brutally beaten by a home intruder on October 20, 2008 and died at SVIMC on October 25.

The accused said they had accessed the patient records out of curiosity. However, all of them admitted that they were well aware of HIPAA and its privacy rules and that they had participated in HIPAA training provided by SVIMC.

Dr. Jay Holland, the medical director for Select Specialty Hospital, located on one floor within SVIMC, admitted that he logged into the medical center’s electronic medical record system from home out of curiosity, to check the accuracy of a television news report concerning Ms. Pressly. Sarah Elizabeth Miller, an account representative for SVIMC, admitted that she had looked at Ms. Pressly’s medical records twelve times, and Candida Griffin, an emergency room unit coordinator, accessed the file on three occasions.

SVIMC has terminated Miller’s and Griffin’s employment, suspended Dr. Holland for two weeks and ordered him to complete additional HIPAA training. Each of the individuals faces up to a year in jail and a $50,000 fine for the violation they admitted. Sentencing should take place within the next two months. In determining the actual sentence, the federal judge will consult the advisory U.S. Sentencing Guidelines, but is not bound by them.

FTC delays Red Flags rule compliance for the third time

For the third time, the Federal Trade Commission has announced a delay for compliance with the identity theft prevention red flags rule. The delay this time is for three months, from August 1, 2009, to November 1, 2009. Compliance was originally scheduled for November 1, 2008; the first delay shifted it to May 1, 2009.

The rule covers creditors and financial institutions. Healthcare providers that extend delayed payment plans to patients are deemed “creditors” under the red flags rule.

The delay is intended to give the affected entities more time to develop and implement written identity theft prevention policies and procedures for compliance with the rule, which is based on the enabling regulations of provisions in the Fair and Accurate Credit Transactions Act of 2003.

25 more health care organizations opt for EdgeWall NAC appliance

Twenty-five more health care organizations are now using Vernier Networks of Mountain View, Calif., a supplier of network access control (NAC) appliances, to secure their networks from unauthorized access, worms, viruses and other intrusions, and to limit access to electronic medical records. Beyond laptops, desktops and other endpoints, the EdgeWall NAC appliance protects mission-critical devices, such as heart monitors and insulin pumps, from intrusions and threats.

Vernier’s customers include Baptist Healthcare System, Cedars-Sinai Medical Center, Managed Health Care Associates, and University of Miami Medical Center and a wide range of associations representing hospital networks, medical research facilities and academic medical centers.

Gregory S. Thomas, vice president of IT for Managed Health Care Associates, said, “Concerned about network intrusions and limiting access to sensitive health information, we selected Vernier’s EdgeWall appliance to protect our network. As a result, we were able to set up and monitor policies and quickly enforce them. The EdgeWall has enabled us to become more proactive and has helped free up critical IT resources to work on other strategic business initiatives.”

Simon Khalaf, president and CEO of Vernier Networks, said, “Health care is one of the most regulated industries, especially in the area of patient privacy. In addition, hospital networks simply can’t afford to have their networks go down because of costly intrusions — it could be life-threatening. Vernier’s NAC solution allows organizations to protect their networks from threats and limit access to sensitive data — without disruption, without deploying agents on physician and patient laptops, and without changes to their existing infrastructure.”

Khalaf added, “The technology builds a protective wall around these life-saving FDA approved devices wherever they are within the campus and completely protects them from attacks.”

MJ’s medical history is being disclosed in violation of HIPAA

The medical world surrounding Michael Jackson involved live-in cardiologists, traveling anesthesiologists, home IV poles and stockpiles of drugs that would be staggering for any ordinary person, and now, after his death, the way his medical history is being unearthed looks like some kind of criminal investigation.

Last week, Dr. Arnold Klein, Michael Jackson’s Beverly Hills dermatologist, appeared on “Larry King Live” and began by revealing personal details about his friendship with the singer. He then went on to divulge facts about Jackson that only a physician knows about a patient. He revealed that Jackson was diagnosed with lupus and that he was “rebuilding” Jackson’s face before his comeback concert. He admitted to providing Jackson with Demerol to sedate him.

Talking on Jackson’s drug addiction, he said, “Michael, at one time, had an addiction and he went to England and he withdrew that addiction at a secure setting, where he went off of drugs altogether. And what I told Michael when I met him in this present situation when I was seeing him, that I had to keep reducing the dosage of what he was on, because he came to me with a huge tolerance level.”

This is a plain and blunt violation of HIPAA. It is all the more ironic considering that on June 30, Klein’s attorney, Richard Charnley, released a statement requesting privacy that directly referenced HIPAA:

“Dr. Klein is aware of media reports connecting him to Michael Jackson. Because of patient confidentiality, Dr. Klein will make no statement on any reports or allegations. Out of respect for his patients and adherence to federal HIPAA regulations, Dr. Klein asks that the media not contact him or his patients, nor interfere with their medical treatments. Like millions of Michael’s fans around the world, Dr. Klein is saddened by Michael’s death and extends his condolences to the family.”

HIPAA forbids medical professionals from disclosing health information unless the patient provides consent, and it applies to deceased individuals too.

“It doesn’t matter whether a patient is dead or alive — the HIPAA and state privacy law protections still apply,” Stephen K. Phillips, a healthcare attorney in San Francisco, says, “A deceased patient’s rights accrue to his/her legal representative for enforcement and redress purposes.”

HIPAA loopholes exposed by Wall Street Journal

According to a report in the Wall Street Journal, “increasingly complex confidentiality issues” in federal medical privacy rules “are affecting patients and their insurance coverage.”

The report also notes that complaints of privacy violations “have been piling up.” HHS received 23,896 complaints related to medical-privacy rules between April 2003 and Nov. 30, 2006. However, 75 per cent of these complaints were closed without any violation being found, according to an HHS spokesperson.

Since HIPAA was enacted in 2003, HHS has not brought enforcement actions against any entity for violating the privacy rule. Consider the case of the attorney Patricia Galvin. Her notes from psychotherapy sessions at Stanford Hospital & Clinics were accessed by her insurer, UnumProvident, and she was subsequently denied disability benefits.

As reported in the Journal, UnumProvident said the notes indicated that Galvin was not “too injured to work” after she was injured in a car accident and applied for long-term disability leave. Galvin has filed a lawsuit against Stanford and UnumProvident for violating medical privacy laws, among other claims, under the federal Health Insurance Portability and Accountability Act.

HIPAA provides added protection for mental health records, but Stanford said in court papers that “psychotherapy notes that are kept together with the patient’s other medical records are not defined as ‘psychotherapy’ notes under HIPAA.” Peter Swire, a law professor at Ohio State University, said, “We’re three years into the enforcement of the rule, and they haven’t brought their first enforcement action.” He added, “It sends the signal that the health system can brush off this issue.”

Webcast released by VirtualHealth Technologies

VirtualHealth Technologies, Inc. has released an on-demand corporate Webcast on Breakthrough Healthcare Software to Meet HIPAA Compliance, Lower Healthcare Costs and Reduce Crime. The company has also introduced Real-Time Prescription Drug Monitoring, Healthcare Security, Practice Management and Electronic Health Records Solutions.

The Webcast presents solutions for improved healthcare management and the reduction of prescription fraud and crime through real-time prescription drug monitoring software. Additionally, the Webcast provides an overview of the Company’s healthcare security and authentication solutions, and its practice management and electronic health records technology.

VirtualHealth has over 1,500 clients and has completed government trials of the Company’s next-generation, real-time, web-based prescription monitoring solution focused on reducing controlled substance fraud and crime. Additionally, PrivateAccess, Inc., winner of the 2008 Hot Product TEPR award, has licensed solutions from VirtualHealth that provide security platforms to facilitate data sharing and communication.

New Boundary Technologies introduces its HIPAA Compliance solution

At the HIMSS 06 conference in San Diego, New Boundary Technologies introduced its HIPAA Compliance Solution. New Boundary, a provider of automated configuration and security management solutions, claims that the solution ensures IT compliance with the HIPAA Security Rule.

The solution comprises three components:

  • HIPAA Security Guide, which breaks down the various HIPAA Security Rule provisions and guides organizations through the steps to be taken to become HIPAA compliant.
  • HIPAA Security Policy Library, which helps organizations meet HIPAA requirements by continually safeguarding electronic protected health information and the computers that have access to it.
  • Policy Commander, an automated security policy management and enforcement product. Policy Commander automatically assigns security policies to the right computers and automatically takes corrective measures when computers fail to comply with their assigned policies.

“The HIPAA Security Rule is intentionally vague because it is based on the concepts of flexibility, scalability and technology neutrality,” said Kim Pearson, president and CEO of New Boundary Technologies, adding, “That’s been frustrating for many IT professionals tasked with implementing security solutions for HIPAA compliance. With our HIPAA Compliance Solution, we correlate security policies to the various sections of the Security Rule so administrators have a clear map of which policies will help them achieve the specific security levels required by HIPAA.”