HIPAA News

CMS Says Don't Expect Any Delays On The Oct. 16 Deadline - July 1, 2003

There isn't a lot of time left for covered entities to prepare for the Oct. 16 Transaction and Code Set deadline, Karen Trudel, director of HIPAA outreach at the Centers for Medicare and Medicaid Services (CMS), said at CMS' eighth HIPAA roundtable discussion.

"Some people have said that HIPAA will go away, or Congress will give us more time, or we don't have to worry about this right now. Well, my response to that is first, HIPAA is the law. It could be said that Congress has already given us more time; time that is up on Oct. 16, and it began last Oct. 16, 2002, with the extension," she said.

Reported by HIPAA Heads Up

OCR Reports 637 Privacy Complaints - June 30, 2003

OCR presented their data to the National Committee on Vital and Health Statistics (NCVHS) at its June meeting. The numbers reflect statistics gathered from April 14, 2003 to the middle of June. 637 privacy complaints have been filed. Of those, 260 will proceed to investigation, 124 were closed without further investigation and no official decision has been made on the remaining 253 complaints. Most of those closed reflect incidents occurring prior to April 14, 2003.

The top reasons for complaints that will be investigated include: 1) Patient denied access to medical records; 2) No Notice of Privacy Practices provided to patients; 3) Inadequate safeguards in place in treatment settings.

In addition, OCR has received several HIPAA privacy complaints from employees reporting the organization where they work. OCR is determining whether this meets the "whistleblower" status and whether these complaints will be referred to the Department of Justice.

Reported by HIPAA Weekly Advisor

Security and Transaction Modification Final Rules - February 13, 2003

HHS Secretary Tommy G. Thompson today announced the adoption of the Security and Transaction Modifications Final Rules. The security standards will be published as a final rule in the Feb. 20 Federal Register with an effective date of April 21, 2003. Most covered entities will have two full years -- until April 21, 2005 -- to comply with the standards; small health plans will have an additional year to comply, as HIPAA requires.

Security Standards Final Rules - January 14, 2003

The OMB (Office of Management & Budget) received the Final Rules yesterday on Security Standards and the Modifications to Standards for Electronic Transactions and Code Sets. Clearance for publication could take two weeks to 90 days before being published in the Federal Register.

Rules Clarification - December 30, 2002

In an answer to an inquiry I made to CMS regarding the publication of the final Security Rule on December 27, 2002, the reply was that the Security Final Rules would be published “as soon as possible”. From another news source, I learned that the final rules have not been submitted as yet to the OMB (Office of Management & Budget). The OMB can take 2 weeks or longer (more likely) to review a rule as hefty as HIPAA. Through another source, HHS has called in additional resources to review the language and most likely January 2003 won’t see the rule either.

Final Rules not Published - December 28, 2002

Despite reassurance on December 13, 2002 from Karen Trudel, deputy director of the new Office of HIPAA Standards in the Centers for Medicare and Medicaid Services, the Final Security Standards did not appear in the Federal Register on December 27, 2002. Additional publications were expected as well; a final rule making modifications to the transactions and code sets. Technical implementation glitches and inconsistencies in the current final transaction implementation guides have been found by providers, payers and vendors. The final rule adopts the fixes. The rule also adopts updated versions of pharmacy-related transactions and code sets.

File Your Transactions Complaints Online - December 16, 2002

Centers for Medicare and Medicaid Services (CMS) has posted the "Electronic Health Care Transactions and Code Sets Complaint Submission Form" on its Web site and now can accept complaints online. The form should not be used for complaints about privacy.

New Medicare Fee Schedule Announced - November 28, 2002

Next year's Medicare physician fee schedule may go into effect on February 1, a Medicare official announced November 19. Problems with certain calculations have delayed the schedule beyond the usual January 1 launch. Congress may give the Centers for Medicare & Medicaid Services (CMS) the authority to adjust the fee update. A hopeful Tom Scully, the CMS administrator, is seeking a positive 1.5% update. Currently, the law requires a 4.4% negative update.

Final Security Rule Expected Soon - November 27, 2002

The final security rule under the Health Insurance Portability & Accountability Act (HIPAA) is expected on December 27, and it’s more streamlined than the bulky proposed rule, according to William Braithwhite, MD, PhD, FACMI, national director of HIPAA advisory services at PricewaterhouseCoopers, and former senior advisor on health information policy for the Department of Health and Human Services (HHS). The HIPAA-Kit Newsletter will preview some of the expected changes in next week’s edition (12/04/02).

DHHS Urged to Change Transaction Codes - November 20, 2002

In a letter sent November 19, 2002 to the Department of Health and Human Services (DHHS), The AHA, Federation of American Hospitals and the Advanced Medical Technology Association urged DHHS to replace the ICD-9-CM coding classification with ICD-10-CM for diagnosis codes and ICD-10-PCS for procedure code reporting for all hospital inpatient services. The groups state the 23 year-old ICD-9-CM system limits the capabilities of today’s needs and no capacity for growth. They oppose the Common Procedure Terminology (CPT) system for inpatient services, stating it was designed for services more commonly provided for physicians’ offices.

X12N Addenda Announced - November 7, 2002

The Washington Publishing Company and the ASC X12N Committee announced the publication of the X12N Addenda for the nine May 2000 X12N Implementation Guides adopted for use under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The X12N Addenda to the Implementation Guides are not independent documents and must be used in concert with the May 2000 Implementation Guides.

Final Security Rule to be Published - November 7, 2002

Stanley Nachimson, CMS Senior Technical Advisor said to expect the Final Security Rule publication on December 27, 2002 along with the final Addenda to Transactions and Code Sets. He was also quoted as saying that the final National Provider Identifier is expected in early 2003 and the National Health Plan (Payer) is expected in early Spring 2003.

CMS reports many delinquent filers - November 19, 2002

CMS reports that more than 1 million covered entities did not file for an extension to the Transactions and Code Sets. They will, however, not be actively pursued or have to pay fines at first. Corrective action plans will be the first step following a complaint investigation. CMS advises all that did not file for the extension to become compliant as soon as possible.

Patient Consent Provisions - November 19, 2002

House Democrats introduced two bills last month to restore patient consent provisions of the HIPAA Privacy Rule. HR5646 would also require health providers to notify consumers when they receive payment from drug companies to send unsolicited marketing material and limit how FDA regulated companies could use or disclose personal medical information.

Another bill, The Health Records Confidentiality Bill was introduced and seeks to prohibit the use of patient databases for marketing without the express consent of the patient (S 3064).

Implementation Guides Addenda 11/7/2002

The Washington Publishing Company and the ASC X12N Committee announced the publication of the X12N Addenda for the nine May 2000 X12N Implementation Guides adopted for use under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The X12N Addenda to the Implementation Guides are not independent documents and must be used in concert with the May 2000 Implementation Guides.

Transaction Code Enforcement 10/15/2002

In a press release issued today, HHS Secretary Tommy G. Thompson announced that CMS (Centers for Medicare and Medicaid Services – formerly HCFA) will be responsible for enforcing the HIPAA transaction and code set standards. To accomplish the end result of streamlining and standardizing the electronic filing and processing of electronic claims in an effort to save money and provide better service to providers, insurers and patients, will require an enforcement operation that will assure compliance and provide support.

Federal law, HIPAA, requires most health plans, clearinghouses and those providers conducting certain transactions electronically to be compliant by October 16, 2002, unless they have filed for the one year extension (deadline October 15, 2002). Those who are not compliant and have not filed for the extension may be subject to statutory penalties.

Enforcement activities will focus on obtaining voluntary compliance through technical assistance. The process will be primarily complaint driven and will consist of progressive steps that will provide opportunities to demonstrate compliance or submit a corrective action plan.

Battle in Iowa raises questions over limits of medical privacy 9/26/2002

by Janlori Goldman
Director, Health Privacy Project, Georgetown University

Iowa law enforcement officials are pressing the state’s Planned Parenthood and five local hospitals to release the names, addresses and ages of all women who had a positive pregnancy test between August 15, 2001 and May 30, 2002. Planned Parenthood has refused to release any patient information, citing state confidentiality laws. Now the Iowa Supreme Court has agreed to hear the case and Planned Parenthood will file its brief on Sept. 30. The court is expected to rule by the end of this year on whether the police can demand these highly sensitive records.

The Iowa case is raising a furor nationally for a number of reasons:

• What kind of a criminal case justifies law enforcement access to such a sweeping body of sensitive medical information?
• Does the state privacy law – or the new federal medical privacy law – set any real limits on police access to patient records?
• Do electronic medical records make it easier for law enforcement to cast the net wide on fishing expeditions?

U.S. House Approves Medical Liability Legislation 9/30/2002

On Sept. 26, the House of Representatives approved H.R. 4600, a medical liability reform bill by a vote of 217-203. The legislation awaits a vote in the Senate.

According to the Medical Group Management Association (MGMA), the bill's reforms include:

• Caps. Non-economic damages, such as pain and suffering, would be capped at $250,000. The amount of damages that injured patients could recover for economic harm, such as future medical expenses and loss of future earnings, would not be limited.
• Time limits. A lawsuit may be filed no later than three years after the date of injury or one year after the party discovered (or through reasonable diligence should have discovered) the injury.
• Evidence standards. A standard of clear and convincing evidence for punitive damages would be established. The legislation would also limit punitive damages to two times the amount of economic damages awarded or $250,000 (the greater of the amounts).
• Proportional allocations. Payment for damages would be proportional to a party's degree of fault.