HIPAA UPDATE
Information from CMS’ Answers to Some Recent Frequently Asked Questions



  • Email and the Internet: The Security Rule allows electronic PHI to be sent over an open network through email or over the internet so long as the organization takes steps to adequately restrict access to, protect the integrity of, and prevent unauthorized access to the electronic PHI.
  • Compliance Certification: Certification of compliance with the Security Rule is not required and there is no standard or implementation specification requiring certification. Certification by an external organization may be sought in order to help an organization implement the Security requirements, but HHS has stated that it does not recognize any external certification.
  • Access Control and Telecommuters: Access control requirements do apply to employees who telecommute or work from home-based offices and have access to electronic PHI. These types of work arrangements do not absolve an organization from responsibility to ensure that only those persons or software programs granted access rights to electronic PHI are able to access it.
  • Digital Signatures: The Security Rule does not require the use of an electronic or digital signature. Also, there is currently no HIPAA standard for electronic signatures.
  • NIST Guidance: Organizations are not required to use the National Institute of Standards and Technology (NIST) guidance documents to implement the Security Rule, but an organization may use them for guidance to the extent that the guidance is relevant to the organization’s implementation activities.
  • Encryption: Encryption is a method of converting a message created in regular text into an encoded text through the use of an algorithm. Encryption is not mandatory under the Security Rule, but is addressable; therefore, an organization must analyze whether encryption is reasonable and appropriate and, if not, take steps that are reasonable and appropriate to safeguard information transmitted over open networks.
The full text of CMS’ FAQs can be found at www.cms.hhs.gov/hipaa.hipaa2/default.asp


OSHA 300 Logs & HIPAA

On August 2, the director of the Directorate of Evaluation and Analysis of OSHA, Keith Goddard, stated in a letter to the AFL-CIO that OSHA does not believe HIPAA privacy compliance requires employers to remove the names from the OSHA 300 Log (the injury and illness record that must be maintained under 29 CFR Part 1904) before allowing access to employees, former employees, and employee representatives. Under the record keeping requirements of 29 CFR Part 1904, those listed are required to have access. Since HIPAA expressly permits disclosures of PHI required by law, disclosure of health information through access to the injury and illness log is permissible.

National Provider Identifier

In order to implement one of the administrative simplification provisions of HIPAA, CMS has adopted a final rule that will utilize the National Provider Identifier (NPI) as the standard unique health identifier for health care providers to use in filing and processing health care claims and other transactions. The rule will be effective May 23, 2005. The NPI must be applied for and will be issued through the National Provider System being developed by CMS. The NPI will replace all “legacy” identifiers. Covered health care providers (providers that transmit any data in electronic form in connection with a transaction for which the Secretary of HHS has adopted a standard) must obtain NPIs and begin using them by the compliance dates (2007 for large health plans and 2008 for small). Non-covered providers may obtain NPIs. Applications for NPIs will be accepted after May 23, 2005. CMS intends to provide more information regarding the application process and application availability as that date approaches.

HIPAA Litigation
  • Texas Attorney General Greg Abbott is being sued by two state agencies that he has directed to turn over information related to patient populations in mental health facilities under Texas open records laws. The state agencies are suing on the theory that the information is protected from disclosure by HIPAA. The Texas Health Department of Mental Health and Retardation v. Abbott, Tex. Dist. Ct. No. GV400344. Filed March 11, 2004.
  • After claiming he does not have the jurisdiction to formally rule on a HIPAA Privacy issue, a Tennessee judge stated that the safety of the medical staff treating an inmate justifies the presence of guards during an inmate’s treatment at a mental health facility.
  • A man in Washington state became the first ever to be convicted under the criminal provisions of HIPAA, which became effective in April 2003. The man pled guilty in Federal court to wrongful disclosure of individually identifiable health information for economic gain and admitted he obtained a patient’s name, date of birth, and social security number while employed at the Seattle Cancer Care Alliance. He used this information to obtain credit cards in the patient’s name and then charged over $9,000 on those cards in the patient’s name. If his plea is accepted, the man could serve up to 16 months in prison, pay off the credit card debt, and pay restitution to the patient.
    United States v. Gibson. Plea Agreement available at www.usdoj.gov.usao.waw.press_room/2004/aug/pdf_files/cr04_0374rsm_plea.pdf


Status of HIPAA Complaints

OCR and CMS have done a remarkable job handling and resolving HIPAA Privacy and Transactions complaints, respectively. OCR has received over 7,080 privacy complaints and has closed 55% of those cases. CMS has received over 147 complaints for violations of the transactions rules (mostly filed by providers against health plans) and has successfully closed 68 of them.

AHIMA Compliance Survey

By April 14, 2004, one year after the effective date of the final Privacy Rule, an AHIMA survey reports that 68% of healthcare industry respondents reported between 85% and 99% compliance with the rule. Most also expressed positive reaction to changes implemented at their organizations in order to achieve compliance. If you want to see how your organization stacks up to those of the respondents, you can view the survey at www.ahima.org/hipaa/survey.cfm.


Medicare Electronic Claims

Since June 30, 2004, CMS has been treating electronic claims that do not comply with HIPAA as paper claims. The result: while electronic claims can be paid after 14 days, paper claims are not paid for at least 27 days after receipt. CMS is hoping this two week delay will help them achieve 100% compliance on the use of standard electronic claims. This “encouragement” applies only to covered entities submitting Medicare claims to a Medicare contractor.

New Health Information Infrastructure Proposed

On July 21, 2004, HHS Secretary Tommy Thompson released an outline of a 10 year plan to build a new health information infrastructure that is to include electronic health records and a network for linking health records. By linking electronic health information nationwide, Secretary Thompson hopes to reduce medical errors, improve the quality of care, lower administrative costs, provide greater security and privacy of records versus paper-based systems, and give more access and control over health records to consumers themselves. The HIPAA rules and regulations, of course, will have a huge impact on the development of any such network. The Secretary also announced he would take some immediate steps and appoint a panel to assess costs and benefits of health information technology and create a report to him by fall. He also stated that efforts are now underway to develop private sector certification for health information technology products.

On the Horizon
  • Look for a national health payer identifier and a standardized claims attachment transaction format in a proposed rule that CMS hopes to publish in November.
  • Expect a proposed rule modifying the Transactions and Code Sets Rule in February 2005 and a final action rule in September 2006 requiring electronic submission of most Medicare claims. The September 2006 rule will replace the interim final rule published in August 2003.