ShareHIPAA · Share HIPAA
#249 From: Share HIPAA <sharehipaa@...>
Date: Wed Dec 1, 2004 2:06 pm
Subject: CMS 18th HIPAA Implementation Roundtable on NPI Wed December 15, 2004 2:00-3:30 PM ET
 
Mark Your Calendar!!!
 
The Centers for Medicare and Medicaid Services (CMS) is pleased to invite you to participate in the Eighteenth National HIPAA Implementation Roundtable conference call. This call will focus on the HIPAA National Provider Identifier (NPI) Standards.
 
Date: Wednesday December 15, 2004
Time:  2:00 - 3:30 PM ET
 
Location: Conference call only.
 
Call in number: 1-877-203-0044
Conference ID number: 1598382
 
No cost or registration required.
 
Due to the volume of callers wishing to participate, please dial in fifteen minutes before the start of the meeting.
 
NPI Background and the NPI Final Rule
An individual or organization must determine if it provides any services that fall within the definition of "health care" at Sec. 160.103. If it does provide those services, it is considered a health care provider and would be eligible for an NPI. If it does not, and does not provide other services or supplies that bring it within the definition of "health care provider," it would not be a health care provider under HIPAA, and would not be eligible to receive an NPI.
 
The NPI Final Rule is found in Federal Register, Vol. 69, No. 15, Friday, January 23, 2004 http://www.access.gpo.gov/su_docs/fedreg/a040123c.html
Health and Human Services Department
Rules
Health insurance reform:
Health Insurance Portability and Accountability Act of 1996—
Standard unique health care provider identifier,
  3433–3469 [04–1149]
[TEXT]
 
[PDF]



#248 From: "Barbara McGowin" <mcgowin@...>
Date: Wed Nov 24, 2004 6:01 pm
Subject: HIPAA Privacy Horror and Security Incident
 
 
October 19, 2004 The California Department of Social Services (CDSS) issued a notification of computer security incident.
 
An unauthorized party accessed a computer at UC Berkeley, which contained personal information about In Home Supportive Services (IHSS) recipients and providers.  CDSS encourages IHSS recipients and providers to follow the recommendations of the Office of Privacy Protection to protect themselves from identity theft.  Step-by-step recommendations on how to place fraud alert on credit accounts and how to receive free copies of credit reports are posted on the CDSS web site at www.cdss.ca.gov/ihhs/
 
California law requires entities holding electronic individually identifiable information that has had, or is suspected of having had, a security incident causing unauthorized access to or transmission of this information to notify the individual whose personal information may have been involved.
 
The Privacy Rule requires a Covered Entity to take reasonable steps to mitigate harm of unauthorized use or disclosure of PHI, and the Security Rule requires a Covered Entity to have policies and procedures for security incidents.
 
Notifying individuals of the security incident and providing step-by-step recommendations on how to place a fraud alert on credit accounts and how to receive free copies of credit reports may be the only reasonable action a covered entity can take to mitigate harm.  Do you have a process in place for a security incident such as the one described above?
 
Have a safe and happy Thanksgiving,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
Attachment: vcard [not shown]

#247 From: "Barbara McGowin" <mcgowin@...>
Date: Mon Nov 22, 2004 3:27 pm
Subject: Risk Analysis - 1st Step in HIPAA Security
 
I have attached a white paper that was finalized November 16, 2004 on 45 CFR
Administrative Safeguard 164.308 Risk Analysis.  It mainly covers methods to
measure risk.

Risk assessment is just the first step, but very important step, in a HIPAA security
compliance program.  It will be the foundation of your mitigation work plan and
budget development which will need to be monitored and audited.

John Parmigiani, a key person in the drafting of the Final Security Rule, co-authored this paper, wanting covered entities to understand qualitative and
quantitative methods.  He knows the importance of understanding and applying the results of
the risk assessment, having spent money on an algorithmic risk assessment while at
DHHS and finding it unhelpful.  From my discussions with John, I would say that he
is a strong proponent of the NIST enterprise-wide risk management program.

I am trying to set up a free interactive audio/video conference for presentation of
the concepts in the attached paper.  If I can beg and borrow the required bandwidth
and conference support, it will be conducted December 17, 2004.  I would say right
now, the chances are 50/50 so you might want to pencil in the date for 2:00 PM ET.
I will let you know if I was successful no later than December 10 and provide
additional information if so.
 
Wishing you a safe and happy Thanksgiving,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.

Attachment: vcard [not shown]

#246 From: "Barbara McGowin" <mcgowin@...>
Date: Thu Nov 18, 2004 5:57 pm
Subject: HIPAA Bookmarks and Draft NIST SP 800-66 in excel
 
Attached is an Excel spreadsheet of HIPAA links and phone numbers that are helpful in the HIPAA compliance initiative.  The items are current as of November 15, 2004.  Other than links to recent DRAFT NIST publications, the following have been recently added:
 
http://www.himss.org/asp/medicalDeviceSecurity.asp HIMSS Medical Device Security Work Group site which provides a security checklist to send to medical device vendors.
 
http://www.x12n.org/portal ASC X12 Implementation Guide Request for Interpretation Web Interface  - serves as a free public repository of questions and responses from the HIPAA Implementation Work Group Insurance Subcommittee (X12N). Gives visitors "access to the ASC X12N experts" for those Implementation Guides (IG's) that have been adopted for use under HIPAA.
 
The document appears like this in the ShareHIPAA group's Files section:
HIPAA Ref link.xls
Msg #212 HIPAA Bookmarks Rev 2004/11/18
 
I have also attached an updated version of DRAFT NIST SP 800-66 in excel.  This is my attempt of taking DRAFT NIST SP 800-66 NIST Resource Guide for Implementing HIPAA and placing it in a simple spreadsheet.  The actual HIPAA language is provided via links to the url for the "regulation by topic" tool from the Bricker and Eckler/Ohio Hospital Assn. website.  For each main section (administrative, physical, and technical) in the spreadsheet,  I have also provided the corresponding recommended NIST guidance of each sub-section as provided by DRAFT NIST SP 800-66.  I have added the following NIST publications links:
 
DRAFT FIPS 201 Personal Identity Verification (PIV) for Federal Employees and Contractors (published November 8, 2004)
Added to:
Administrative Safeguards Information Access Management 164.308(a)(4)
Technical Safeguards Person or Entity Authentication 164.312(d)
 
DRAFT NIST SP 800-73 Integrated Circuit Card for Personal Identity Verification
Added to:
Technical Safeguards Transmission Security 164.312(e)
 
Draft NIST SP 800-70 Security Configuration Checklists Program for IT Products
Added to:
Administrative Safeguards, Security Management Process 164.308(a)(1)
Technical Safeguards Integrity 164.312(c)(1)
 
NIST SP 800-64 Security Considerations in the Information System Development Life Cycle
Added to:
Administrative Controls Security Management Process 164.308(a)(1)
 
You may want to review the additions as these NIST Publications came out after DRAFT NIST SP 800-66 was published.  You may not agree with where I placed them or even if they should belong.
 
DRAFT NIST SP 800-66 in excel appears like this in the ShareHIPAA Files Section:
NIST SP 800.66.xls
Msg #187 NIST Guide to Implementing HIPAA Rev 2004/11/15
 
To access the Files Section of the ShareHIPAA group, go to the ShareHIPAA group's home page at http://health.groups.yahoo.com/group/ShareHIPAA , sign in with your Yahoo! ID and password and select "Files" from the left column.
 
Having information resources readily accessible helps a covered entity to save time and resources.  HIPAA ComplyAssistant (HCA) makes access to this information seamless.  HCA is a HIPAA compliance management workbench for privacy, security and TCS.  HCA steps you through each phase of an enterprise-wide compliance program (assessment, mitigation work plan and budget development, and monitoring/audit).  HIPAA is multi-dimensional and extremely complex.  If you could benefit from automating your HIPAA compliance initiative, I encourage you to visit www.complyassistant.com .  To schedule a free on-line session go to http://www.complyassistant.com/online_meeting_req.htm and Gerry Blass will contact you to schedule a session that is convenient for you.  If you would like to have a HIPAA subject matter expert provide a presentation on HIPAA Compliance Management at your next HIPAA conference or workshop, contact me and I will arrange it.
 
Regards,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
 
 
 
Attachment: vcard [not shown]

#245 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Tue Nov 16, 2004 4:20 pm
Subject: Federal RFI on Interconnecting Clinicians
 
For those who may be interested, a Request for Information (RFI) "seeking public comment and input regarding how widespread interoperability of health information technologies and health information exchange can be achieved" was posted on pages 65599 through 65601 of the Federal Register dated 15 November 2004.  A direct link to this posting is
[Note that the above link may wrap onto more than one line.  If that occurs, you'll need to copy and concatenate all lines into your web browser for access.]
 
A "technical assistance conference call to answer questions from potential responders" has been scheduled for 6 December 2004.  Details about this call will be provided at http://www.hhs.gov/onchit as they become available.
 
Any responses to the RFI are due by 18 January 2005.

                    Dave Feinberg
                    Rensis Corporation  [A Consulting Company]
                    206-617-1717
                   
DAFeinberg@...

#244 From: Share HIPAA <sharehipaa@...>
Date: Fri Nov 12, 2004 5:43 pm
Subject: Framework for Security
 
On Friday November 5, 2004 a request was received by the ShareHIPAA group and was forwarded to the ShareHIPAA2 group for discussion.  Here is the request:
Is there anyone willing to share a systems risk analysis tool?
 
On Sunday, November 07, 2004 Shiv Shanker Asthana ssasthana@... responded to the ShareHIPAA2 group's posting with the following:
Please find attached a framework for security, you may use this as a template.
Let me know if you find it of some use or if you need further help.
Regards,
Shiv
 
Today, Shiv has uploaded the excel spreadsheet to the Files section of the ShareHIPAA group.  To access this document, go to the ShareHIPAA home page at http://health.groups.yahoo.com/group/ShareHIPAA/   Sign in with your Yahoo! ID and password and select "Files" from the left column.  The excel spreadsheet appears like this in the files directory:
 
FrameworkSecurityScorecardfromLiz030904.xls 
A HIPAA Framework for Risk and Security Analysis
 
If you are signed into Yahoo! You can access the file at this URL:
http://groups.yahoo.com/group/ShareHIPAA/files/FrameworkSecurityScorecardfromLiz030904.xls
 
If you are only subscribed to the ShareHIPAA group (have no Yahoo! ID or password) and you would like this excel spreadsheet, please request a copy directly from Shiv at ssasthana@... .
 
The ShareHIPAA group is a no-discussion group reserved for document sharing and announcements of free HIPAA related roundtables, work groups, seminars and conferences.  It is also used to inform the group members of free access to tools that may assist you in the HIPAA compliance initiative.
 
The ShareHIPAA2 group is the discussion companion of the ShareHIPAA group.  If you would like to join in discussions concerning HIPAA issues and concerns go to the ShareHIPAA2 group's home page at:
 
If you are looking for HIPAA related work opportunities, or if you have a need for a HIPAA professional, you may want to consider joining the ShareHIPAAWork group.  You can join from the group's home page at:
 
Your participation and willingness to share is welcomed and much appreciated.
 
Thank you,
ShareHIPAA
 




#243 From: Share HIPAA <sharehipaa@...>
Date: Tue Nov 9, 2004 7:13 pm
Subject: CMS Office of HIPAA Standards (OHS) HIPAA Update - November 2004
 

National HIPAA Roundtable

On Wednesday, November 10, 2004 (TOMORROW!) at 2:00PM ET CMS will host the 17th National HIPAA Implementation Roundtable conference call.  This call will focus on the HIPAA Security Standards. 

The call in number is 1-877-203-0044. 

The conference identification number is 1347026.

 No cost or registration required

 

Security Deadline – Remember, the deadline to become compliant with the HIPAA Security provisions is April 20, 2005, only six months away!  The deadline for compliance for small health plans is April 20, 2006.  Thirteen new HIPAA Security questions were recently added to the FAQ section of our website.  Topics include:  PHI Coverage; Compliance and Certification; Risk Analysis, Management and System Vulnerabilities; Physical Safeguards; Encryption and other technical safeguards; as well as information on NIST publications.

 

HIPAA Conference Dec. 3, 2004 Naperville, IL

CMS Region V - Chicago is hosting a one-day provider outreach event "Implementing the Next Wave of HIPAA Regulations: Practical Approaches to Security, NPI, Transactions and Privacy Compliance."  

 

The Conference will be held Friday, December 3, 2004 at the Holiday Inn Select in Naperville, IL.  The event is free but Advanced Registration is required.  For more information please go to the conference's website at http://www.mche.us.com/cms04midwest.cfm

 

National Provider Identifier (NPI)

The Final Rule adopting the HIPAA standard unique health identifier for health care providers was published in the Federal Register on January 23, 2004. Information on applying for NPIs will be available in mid 2005.  All health care providers are eligible to be assigned NPIs; health care providers who are HIPAA covered entities must obtain and use NPIs. All HIPAA covered entities must use NPIs by the compliance dates (May 23, 2007 for all but small health plans; May 23, 2008 for small health plans). The Request for Proposals for the NPI Enumerator (RFP-CMS-2005-0004) can be found at:

http://vsearch1.eps.gov/servlet/SearchServlet

Enter "NPI" in the "Full Text Search" box and click on "Start Search."  This takes you to the posting.  The Enumerator is the entity that will interface between the National Provider System and the health care industry, acting under the direction of CMS to perform a variety of functions.

 

Upcoming NPI Roundtable

CMS will host the National HIPAA NPI Roundtable conference call on Wednesday, December 15, 2004 at 2:00PM ET.

The call in number is 1-877-203-0044

Identification number is 1598382

No cost or registration required.

 

CONTACT OHS WITH HIPAA QUESTIONS

CMS HIPAA Hotline # 866-282-0659

HIPAA FAX toll free # 877-326-1165

HIPAA TTY toll free # 877-326-1166

E-mail us at askhipaa@...

 

HIPAA!  For more information including answers to frequently asked questions, educational materials, information on the law, regulations and enforcement go to our Website http://www.cms.hhs.gov/hipaa/hipaa2.

 



#242 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Tue Nov 9, 2004 5:11 pm
Subject: HIPAA IG Interpretations Available from X12
 
[From a press release dated 8 November 2004]

The Accredited Standards Committee (ASC) X12 and the Data Interchange
Standards Association (DISA) are pleased to announce the launch of the
ASC X12 Implementation Guide Request for Interpretation Web site.

The site initially gives visitors "access to the experts" in the ASC X12
Insurance Subcommittee (ASC X12N) for those Implementation Guides (IG's)
that have been adopted for use under HIPAA. The site allows for
submission of detailed questions about interpretation of these IG's.
While it does not replace the need for standards implementers to read
the IG's and do their own analysis, it does provide a location to find
resolution of issues of interpretations or  inconsistencies within or
between the IG's.

The Web site serves as the interface to a database or repository of
questions and answers from expert volunteers within the Insurance
Subcommittee. As requests and responses are accumulated, the site allows
searching of the database and access to prior interpretations, making it
an invaluable resource for implementers.  A further benefit of this
database is to help support industry needs by identifying areas of the
IG's that should be improved in future versions.

The HIPAA Implementation Guides Interpretations Web site is initially
located at www.x12n.org/portal .


[The complete press release may be accessed at www.disa.org/pr01.cfm .]

                     Dave Feinberg
                     Co-chair, HIPAA Implementation Work Group
                          Insurance Subcommittee (X12N)
                          Accredited Standards Committee X12
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...

P.S.    Requests for changes to HIPAA Implementation Guides should
continue to be submitted at www.hipaa-dsmo.org/crs .

                     DAF

#241 From: "Barbara McGowin" <mcgowin@...>
Date: Wed Nov 3, 2004 5:50 pm
Subject: HIPAA Security Mitigation Planning Tool
 
I finished the draft of Collection of HCO Security Practices and NIST Crosswalk this morning.  I hope that it will help with some of your mitigation work plan and budget development.
I am not able to post it to the listserv because the maximum message size is 1000k, and the tool is about 1561k.  The document is freely accessible from the Files Section of ShareHIPAA group.  To access/download the document, go to the ShareHIPAA group's home page at:
 
 
Sign in with your Yahoo! ID and password and click "Files" from the left column.  The document appears like this in the files directory:
 
Security Mitigation Planning Tool.doc
Msg #241 Collection of HCO Security Practices &
NIST Crosswalk
 
 
If you would like for me to send it directly to you via email, send an email with "Collection of Security Practices" in the subject line to mcgowin@... .
If you have anything that you would like to add to the Collection of HCO Security Practices and NIST Crosswalk, please send it to me and I will enter it with attribution.  However, I will not put out another revision until DRAFT NIST SP 800-53 A and DRAFT NIST SP 800-66 are finalized (which could be a while).
 
Regards,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
Attachment: vcard [not shown]

#240 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Tue Nov 2, 2004 4:04 pm
Subject: NPI Enumerator RFP
 
For those who may be interested, the Request for Proposal (RFP) for the National Provider Identifier (NPI) Enumerator -- the contractor organization that will process NPI and, ultimately National Plan ID, applications -- was posted yesterday at:

                    Dave Feinberg
                    Rensis Corporation  [A Consulting Company]
                    206-617-1717
                   
DAFeinberg@...

#239 From: ShareHIPAA@yahoogroups.com
Date: Mon Nov 1, 2004 11:03 pm
Subject: New file uploaded to ShareHIPAA
 
Hello,

This email message is a notification to let you know that
a file has been uploaded to the Files area of the ShareHIPAA
group.

   File        : /NPIapp3_03tl.doc
   Uploaded by : sharehipaa <sharehipaa@...>
   Description : Msg #238 NPI Application DRAFT Oct 15 2004

You can access this file at the URL:
http://groups.yahoo.com/group/ShareHIPAA/files/NPIapp3_03tl.doc

To learn more about file sharing for your group, please visit:
http://help.yahoo.com/help/us/groups/files

Regards,

sharehipaa <sharehipaa@...>

#238 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Mon Nov 1, 2004 9:24 pm
Subject: NPI Application -- Paperwork Reduction Act Draft
 
For those who may be interested, attached is the draft version of the
National Provider Identifier Application being used for evaluation under
the Paperwork Reduction Act.  It was referenced on page 61257 of the
Federal Register dated 15 October 2004.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...

#237 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Mon Nov 1, 2004 8:38 pm
Subject: Fw: Announcing a Public Review Period of Addenda for 277 Health Care Payer Unsolicited Claim Status Implementation Guide (003070X070A1)
 
An addenda to X12N's version 003070 Implementation Guide noted in the
forwarded message is now available for public comment.  The underlying
Implementation Guide has not been adopted under HIPAA and no official
discussions regarding any such adoption of it or its addenda have been
held.  A factor in such discussions, should they be initiated, will be
any comments received.  Participation in the public comment period is
open to all who may be interested.  Please participate if you are able.

                     Dave Feinberg
                     Co-chair, HIPAA Implementation Work Group
                          Insurance Subcommittee (X12N)
                          Accredited Standards Committee X12
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...


----- Original Message -----
From: Mike Cabral
Sent: Friday, October 22, 2004 8:10 AM
Subject: Announcing a Public Review Period of Addenda for 277 Health
Care Payer Unsolicited Claim Status Implementation Guide (003070X070A1)


Announcing a Public Review Period of Addenda for 277 Health Care Payer
Unsolicited Claim Status Implementation Guide (003070X070A1).

The ASC X12N Health Care Payer Unsolicited Claim Status
(277) Implementation Guide Addenda (003070X070A1) is now available for
industry review.  This Addenda document has been developed by X12N TG2
WG5, which is the Claim Status work group within the Health Care task
group of the Insurance Subcommittee of X12.  X12 is an Accredited
Standards Committee (ASC) under ANSI (American National Standards
Institute).

The purpose of the 277 implementation guide is to:
·        Provide claim status information from the payer without health
care provider solicitation

Examples of this type of claim status notification include
acknowledgements of claim transmission and pended claim lists from a
payer organization.

The Addenda for this guide is based on version 3070 of the ASC X12
family of standards.

The public review period will commence at 8:00 P.M. Eastern on October
25th, 2004 and will close at 8:00 P.M. Eastern on November 24th, 2004.

The authors will review and discuss any and all comments following the
public review period.  Official work group responses will be posted to
the on-line conference.  All work group responses will be posted at
least 15 days prior to the corresponding Information Forum. This is the
only public review period.  For a complete understanding of changes
being made to the guide, reviewers should monitor the on-line conference
during the public review period and review all author responses prior to
the Information Forum.

Watch for the announcement of the corresponding Information Forum. The
Information Forum is the final opportunity to comment on modifications
based on the public review period comments.

The draft implementation guides are available for download at:
http://www.wpc-edi.com/HealthCareDraft.asp

Comments on the draft implementation guides can be submitted via the
on-line conference at:
http://www.wpc-edi.com/conferences/healthcare.html


Michael J. Cabral, Project Manager
Claim Status Work Group Co-Chair

#236 From: "Barbara McGowin" <mcgowin@...>
Date: Mon Oct 25, 2004 5:18 pm
Subject: Updates on HIPAA e-Bookmarks and NIST SP 800-66 in excel
 
I have attached my HIPAA reference links, which I finished updating this morning.  The list is current through October 25, 2004.  Having information readily accessible and at your fingertips will help you save time when you have time to focus on HIPAA compliance.  If you use this list, I recommend that you add any of your vendors', professional societies', and state and county HIPAA-related sites, and also consider adding links to sites that provide notification of security vulnerabilities and available patches for your in-house technology.  If you are in digest mode, or in the future misplace it and want to access it, it is available from the ShareHIPAA group's file section.  It appears in the files index like this:
 
HIPAA Ref links.xls
MSG #212 HIPAA e-Bookmarks Rev 2004/10/25
 
I tried to take DRAFT NIST SP 800-66 and boil it down to a simple spreadsheet.  It was suggested that the actual HIPAA language be provided so that those who prefer to work off the HIPAA Security Rule could do so.  That way if they didn't understand the standard or the implementation specification they could cross reference the NIST guidance recommended for that specific sub-section.
 
Bricker and Eckler represents the Ohio Hospital Assn.  The particular link below is for their tab "Regulations by Topic".  There, each regulation section you click on (e.g., 512(b), looking for information about Death Notice) is followed immediately by the preamble discussions of that section.  This saves you from having to flip back and forth from reg to preamble, and you can do a text search or find.  The link for this tool is:

http://www.bricker.com/hipaa/hipaaindex.asp

I have added the URL for the "Regulations by Topic" tool from the Bricker and Eckler/Ohio Hospital Assn. website for each main section (administrative, physical, and technical) in the spreadsheet.  I have also provided the corresponding recommended NIST guidance for each sub-section as provided by DRAFT NIST SP 800-66.  There have been several new DRAFT NIST publications since DRAFT NIST SP 800-66 was published, and some of the draft guidance has been finalized.  I have added the new DRAFT NIST publications where I believed they would fit.
 
Some of the new publications are:
DRAFT NIST SP 800-53 2nd draft for public review
DRAFT NIST SP 800-72 Guidelines for PDA Forensics
DRAFT NIST SP 800-52 Guidelines on the Selection and Use of Transport Layer Security
DRAFT NIST SP 800-65 Integrating IT Security into Capital Planning and Investment Control Process
DRAFT NIST SP 800-70 Security Configuration Checklists Program for IT Products
 
Visit http://csrc.nist.gov/publications/nistpubs/ for all the latest NIST guidance.
To access/download NIST SP 800-66 in excel if you are in digest mode, or in the future misplace it and want to access it, it is available from the ShareHIPAA group's file section.  It appears in the files index like this:
 
NIST SP 800 66.xls
Msg# 187 NIST SP 800-66 in excel Rev 2004/10/25
 
To access the files section of the ShareHIPAA group, go to the group's home page at:
Sign in with your Yahoo! ID and password and select "Files" from the left column.  Files are listed in alphabetical order.
 
Any comments, especially if you find errors in the links, are needed and welcomed.  Please contact me.
 
Regards,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
 
 
Attachment: vcard [not shown]

#235 From: "Ginger Wright" <gwright@...>
Date: Thu Oct 21, 2004 8:13 pm
Subject: RE: RISK ANALYSIS: For the Small Medical Practice, Just How Much Is Enough?
 
Hi Tom,
I'm using a tool called ComplyAssist to guide us through, plan and document our HIPAA Security Compliance effort.  You might want to check it out.  www.complyassistant.com
 
 
Ginger Wright
Availity, L.L.C.
HIPAA Compliance Manager
904-470-4938
-----Original Message-----
From: Tom Austin [mailto:austin@...]
Sent: Thursday, October 21, 2004 8:09 AM
To: ShareHIPAA@yahoogroups.com
Subject: [ShareHIPAA] RISK ANALYSIS: For the Small Medical Practice, Just How Much Is Enough?

Looking at some compliance toolkits that healthcare attorneys are offering their clients, I continually get disappointed.

These toolkits offer risk analysis, and policies and procedures all in one package (typically from about $100 and up) but they just do not cover enough - especially in the technical area.  Moreover, depending on the toolkit, the policies and procedures may not be that good either.  The pitch is that the toolkit makes it easy for a small practice to become compliant. Has anyone come across a toolkit that they feel is reasonable and appropriate for small practices?  

As a consultant, I want to ensure that my clients understand and implement appropriate policies, procedures and tools based on an "accurate and thorough" risk analysis.  However, determining "what is enough analysis" to say that it is accurate and thorough for a small practice is a big question.  When I asked one attorney about whether his toolkit would satisfy due diligence in using his toolkit for small practices, he did not respond. 

I've raised this issue in an article in my newsletter and have also posted it on my website at http://www.ibg.com/ShadesOfGrayOpinion.html#RISK   In case you're interested in the newsletter, it's posted at http://www.ibg.com/newsletters/SecurityNewsletterIBGOct-Nov04.htm

Your thoughts and comments on risk analysis are welcome.

Regards,
Tom
http://www.ibg.com/people/tom_austin.html

ibg internet business group
201 Liberty Hill
Bedford, New Hampshire 03110
Phone 603.471.2700

"ibg. The knowledge to secure your business." ®

 


#234 From: "Tom Austin" <austin@...>
Date: Thu Oct 21, 2004 12:08 pm
Subject: RISK ANALYSIS: For the Small Medical Practice, Just How Much Is Enough?
tomwaustin
 

Looking at some compliance toolkits that healthcare attorneys are offering their clients, I continually get disappointed.

These toolkits offer risk analysis, and policies and procedures all in one package (typically from about $100 and up) but they just do not cover enough - especially in the technical area.  Moreover, depending on the toolkit, the policies and procedures may not be that good either.  The pitch is that the toolkit makes it easy for a small practice to become compliant. Has anyone come across a toolkit that they feel is reasonable and appropriate for small practices?  

As a consultant, I want to ensure that my clients understand and implement appropriate policies, procedures and tools based on an "accurate and thorough" risk analysis.  However, determining "what is enough analysis" to say that it is accurate and thorough for a small practice is a big question.  When I asked one attorney about whether his toolkit would satisfy due diligence in using his toolkit for small practices, he did not respond. 

I've raised this issue in an article in my newsletter and have also posted it on my website at http://www.ibg.com/ShadesOfGrayOpinion.html#RISK   In case you're interested in the newsletter, it's posted at http://www.ibg.com/newsletters/SecurityNewsletterIBGOct-Nov04.htm

Your thoughts and comments on risk analysis are welcome.

Regards,
Tom
http://www.ibg.com/people/tom_austin.html

ibg internet business group
201 Liberty Hill
Bedford, New Hampshire 03110
Phone 603.471.2700

"ibg. The knowledge to secure your business." ®

 

#233 From: "Barbara McGowin" <mcgowin@...>
Date: Thu Oct 21, 2004 5:37 am
Subject: Access of Vendors to Information Systems Containing ePHI - 45 CFR 164.308(b)(1) Written Contract or Other Arrangement
hitrecruiting
 
Questions:
(1) If a vendor is a business associate, are there any additional requirements necessary to ensure vendor access to the system (and ePHI) is appropriate? Should these vendors sign a user/access agreement stating they will only use the account when contacted for support or other issues?
(2) Does anyone provide restrictions to these vendors from accessing systems 24 hours each day, seven days a week? If so, how do you do this? (i.e., disable the account until needed.)
(3) If a vendor does have access to a system 24 hours per day, does the Business Associate agreement ensure that if there are any security breaches or incidents the vendor can be held liable?
(4) How are vendor user accounts provided? If a vendor organization is sharing one user account, what procedures are in place to ensure accountability of the access?
Response:  These are all good questions, and they should be part of your baseline gap assessment survey questions.  The survey should have questions at the organization level to determine policy, and questions at the department and system level to determine gaps in procedure, implementation and audit.  Any mitigation should be documented.  45 CFR 164.308(b)(1) requires the CE to obtain assurances from the BA that they will abide by the agreement to safeguard the confidentiality, integrity, and availability of the ePHI.  I have found that maintenance and configuration management may be the biggest issue when it comes to vendors that have the capability to implement updates, revisions, and perform flaw remediation.
 
I have provided some excerpts from DRAFT NIST SP 800-53, Recommended Security Controls for Federal Systems (http://csrc.nist.gov/publications/drafts/draft-SP800-53.pdf), on system maintenance and flaw remediation.  There are many more security controls that might apply to your specific organization.  I recommend that at least one person in your organization familiarize themselves with NIST SP 800-53. You will notice that each of the security controls has three strengths or robustness levels (basic, moderate, high).  The strength of a security control may be based on the impact the organization would face should a threat source exploit a vulnerability.  NIST determines this impact risk as security categorization.  There are 3 impact levels (low, medium, high).  For the NIST impact determination tools and more information on security categorization, see FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf).  NIST provides the strength of a security control to mitigate risk appropriate for the security categorization.  It will be difficult to determine "reasonable and appropriate" safeguards to mitigate risk.  NIST provides guidance on the appropriate part; the CE will have to determine what is reasonable.  If you are unfamiliar with the NIST enterprise-wide security risk management program, or how to use NIST SP 800-53, I have put together an audio/video recording that presents a high-level overview.  This presentation spends about 30 minutes on how to use and navigate through the NIST security controls found in NIST SP 800-53.  This presentation is free, is available via the internet, and may be accessed via the link below:
 
http://www.placeware.com/cc/complyassistant/view?id=NZTQJ4
Requires Name, No password, then email address and Company Name. (1 hour 20 min). 

For high-speed and broadband connections choose the 2nd file option. It is called "Microsoft Office Live Meeting Replay: Windows Media™ - formatted streamed audio & video".  When the Windows Media window opens you can right click on the window, then click on zoom, and then click on full screen.

For 56K modems, your bandwidth will not support video.  You can choose the 1st file option.  It is called "Basic recording with Windows Media™ formatted streamed audio".   You can listen to the recording. This may not be very helpful.  If you can get to a PC with high-speed internet access, I would recommend viewing it this way.

Call Microsoft Live Meeting 1-866-493-2825 (toll free in the US) if you have problems accessing the recording.
 
Regards,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
------------------------------------------------------------------------------
 
A selection of security controls from DRAFT NIST SP 800-53:
 
OPERATIONAL CONTROLS
 
FAMILY:
HARDWARE AND SOFTWARE MAINTENANCE (MA)
 
MA-1 PERIODIC MAINTENANCE
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to conduct periodic on-site and off-site maintenance of the information system and of the physical plant within which this information system resides.
CONTROL MAPPING: [NIST 800-26: 10.1.3, 10.2.1, 10.2.2; FISCAM: SC-2.4, SC-2.4, SS-3.1, SS-3.2, CC-2.1; ISO-17799: 7.2.4, 7.3.2; DCID 6/3: Maint-a, 8.B.8.c(1), 8.B.8.c(2), 8.B.8.c(3), 8.B.8.c(7), 8.B.8.c(8); CMS: 2.2.30, 5.9.10, 5.9.11]
MA-1.b
BASIC CONTROL: Comprehensive maintenance testing procedures exist that systematically schedule information system hardware for periodic maintenance inspections and testing to ensure the equipment operates within design specifications and is properly calibrated. Routine periodic hardware preventive maintenance is scheduled and performed in accordance with vendor specifications and in a manner that minimizes the impact on operations. Repairs and modifications to the physical components of a facility that are related to security (e.g., hardware, walls, doors, and locks) are documented. Regular and unscheduled hardware maintenance performed is documented. A maintenance log is maintained and includes: (i) the date and time of maintenance; (ii) name of the individual performing the maintenance; (iii) name of escort; and (iv) a description of the type of maintenance performed to include identification of replacement parts. Maintenance of information systems is performed on-site whenever possible. If information systems or system components are to be removed from the facility for repair, any component containing non-volatile memory is sanitized or appropriately cleared and its release is explicitly approved by an appropriate organization official. Maintenance changes that impact the security of the information system receive a configuration management review. After maintenance is performed on the information system, the security features are checked to assure that they are still functioning properly. Maintenance is performed in a manner that maintains security.
MA-1.e
ENHANCED CONTROL (Add to basic control): Problems and delays encountered, the reason and elapsed time for resolution are recorded and analyzed to identify recurring patterns or trends. Management periodically reviews and compares the service performance achieved with goals and surveys user departments to see if their needs are being met. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-1.s
STRONG CONTROL: To be defined.
 
MA-2 MAINTENANCE TOOLS
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to control and monitor the use of maintenance tools.
CONTROL MAPPING: [NIST 800-26: 10.1.3, 11.2.4; DCID 6/3: Maint-c, 8.B.8.c(4), 8.B.8.c(5), 8.B.8.c(6) (all)]
MA-2.b
BASIC CONTROL: Introduction of network analyzers (e.g., sniffers) that allow maintenance personnel the capability to monitor the content of network traffic are approved by an appropriate organization official prior to being introduced into an information system. If maintenance personnel bring diagnostic test programs (e.g., software/firmware used for maintenance or diagnostics) into a facility, the media containing the programs are checked for malicious code before the media is connected to the information system.
MA-2.e
ENHANCED CONTROL (Add to basic control): Before leaving the facility, the media are checked to assure that no organizational information has been written on it. All diagnostic equipment and other devices carried into a facility by maintenance personnel are handled as follows: (i) all diagnostic and test equipment is inspected for obvious improper modification; (ii) maintenance equipment that has the capability of retaining information is appropriately sanitized before being released; (iii) if the equipment cannot be sanitized, the equipment remains within the facility or is destroyed, unless explicit exception is authorized by an appropriate organization official. Replacement components that are brought into the facility for the purpose of swapping with facility components are allowed. However, any component placed into an information system remains in the facility until proper release procedures are completed. Any component that is not placed in an information system may be released from the facility. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-2.s
STRONG CONTROL: To be defined.
 
MA-3 REMOTE MAINTENANCE
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to provide additional controls on remotely executed maintenance.
CONTROL MAPPING: [NIST 800-26: 10.1.1; FISCAM: SS-3.1, AC-1; ISO-17799: 9.4.5; DCID 6/3: Maint-d, 8.B.8.d(all)]
MA-3.b
BASIC CONTROL: Installation and use of remote diagnostic links are specifically addressed in the security plan and agreed to by the authorizing official. Remote diagnostic or maintenance services are acceptable if performed by a service or organization that implements for its own information system the same level of security as that implemented on the information system being serviced. The communications links connecting the components of the information system, associated information communications, and networks are protected in accordance with the FIPS Publication 199 security category of the information that may be transmitted over the link. If remote diagnostic or maintenance services are required from a service or organization that does not implement for its own information system the same level of security as that implemented on the system being serviced, the system being serviced is sanitized and physically separated from other information systems prior to the connection of the remote access line. If the information system cannot be sanitized (e.g., due to a system failure), remote maintenance is not allowed. Unless an exception has been granted by an appropriate organization official, maintenance personnel accessing the information system at the remote site are cleared to the highest FIPS Publication 199 security category of information processed on that system, even if the system was downgraded/sanitized prior to remote access. An audit log is maintained of all remote maintenance, diagnostic, and service transactions including all commands performed and all responses. The log is periodically reviewed by an appropriate organization official. Other techniques to consider for improving the security of remote maintenance include: (i) encryption and decryption of diagnostic communications; (ii) strong identification and authentication techniques, such as tokens; and (iii) remote disconnect verification. Where possible, remote sessions involve an interactive window for coordination with the information security official responsible for the system being serviced. When the remote maintenance has been completed, all sessions are terminated and the remote connection is also terminated. Authenticators (e.g., passwords) used during remote maintenance are changed following each remote maintenance service.
MA-3.e
ENHANCED CONTROL (Add to basic control): Keystroke monitoring is performed on all remote diagnostic or maintenance services. A technically qualified person reviews the maintenance log, and if appropriate, the audit log to assure the detection of unauthorized changes. Maintenance technicians responsible for performing remote diagnosis/maintenance are advised (e.g., contractually, verbally, or by banner) prior to remote diagnostics/maintenance activities that keystroke monitoring will be performed. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-3.s
STRONG CONTROL: To be defined.
 
MA-4 MAINTENANCE PERSONNEL
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to control the authorization of an individual to perform maintenance.
CONTROL MAPPING: [NIST 800-26: 10.1.1, 10.1.3; FISCAM: SS-3.1; DOD 8500: PRMP-2; DCID 6/3: 8.B.8.a(all), 8.B.8.b(all)]
MA-4.b
BASIC CONTROL: The list of authorized maintenance personnel is documented. Only personnel authorized to do so perform maintenance on the information system. Except as authorized by the authorizing official, personnel who perform maintenance on the information system are authorized access to the highest FIPS Publication 199 security category of information processed on that system. Such personnel who perform maintenance or diagnostics on an information system do not require an escort, unless need-to-know controls must be enforced. However, a facility employee who is authorized to access the highest FIPS Publication 199 security category of information and, when possible, technically knowledgeable, is present within the area where the maintenance is being performed to assure that the proper security procedures are being followed. Foreign nationals (with proper authorizations) may be utilized as maintenance personnel for those information systems jointly owned and operated by the US and a foreign allied government, or those owned and operated by foreign allied governments. Approvals, consents, and detailed operational conditions are fully documented within a Memorandum of Agreement. A person not authorized access to the information system may be used to perform maintenance on the system provided an escort who is authorized access and is technically qualified monitors and records that person's activities in a maintenance log.
MA-4.e
ENHANCED CONTROL (Add to basic control): Prior to maintenance, the information system is completely cleared and all nonvolatile information storage media removed or physically disconnected and secured. When an information system cannot be cleared, approved procedures are enforced to deny the maintenance personnel visual and electronic access to any organization information that is contained on the system. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-4.s
STRONG CONTROL (Add to basic control; bold text represents change from enhanced control): Prior to maintenance, the information system is completely cleared and all nonvolatile information storage media removed or physically disconnected and secured. When an information system cannot be cleared, approved procedures are enforced to deny the maintenance personnel visual and electronic access to any organization information that is contained on the system.
For US-owned and operated information systems, maintenance personnel must be US citizens. A separate copy of the operating system and application software, including any micro-coded floppy disks, cassettes, or optical disks that are integral to the information, that has not been used in the processing of organizational information is used for all maintenance operations performed by personnel not authorized access to information processed by the system. The copy is labeled "For Maintenance Only" and protected in accordance with procedures established in the security plan.
Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
 
MA-5 TIMELY MAINTENANCE
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to ensure that maintenance services and parts are available in a timely manner.
CONTROL MAPPING: [DCID 6/3: Maint-b; DOD 8500: COMS-2, COPS-2; CMS: 9.9.8, 5.9.9; FISCAM: SC-2.4]
MA-5.b
BASIC CONTROL: Spare or backup hardware is used to provide a high level of information system availability for organization applications. Maintenance support and critical maintenance spares and spare parts for [Assignment: list of key information system assets] can be obtained within [Assignment: time period (e.g., twenty-four hours)] of failure.
MA-5.e
ENHANCED CONTROL (Add to basic control): Maintenance support and critical maintenance spares and spare parts for all information system assets can be obtained within [Assignment: time period (e.g., twenty-four hours)] of failure. Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-5.s
STRONG CONTROL: To be defined.
 
MA-6 MAINTENANCE SCHEDULING
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to schedule maintenance operations and accommodate unscheduled maintenance with minimal mission impact.
CONTROL MAPPING: [NIST 800-26: 10.2.8, 10.2.11, 10.2.12; FISCAM: CC-2.2, SC-2.1, SC-2.4; CMS: 3.4.4, 5.9.5, 5.9.6]
MA-6.b
BASIC CONTROL: Changes of hardware equipment and related software are scheduled to minimize the impact on operations and users, thus allowing for adequate testing. A retrievable, exact copy of electronic information exists before movement of equipment used to process such information. Advance notification on hardware changes is given to users so that service is not unexpectedly interrupted. Emergency change requests are approved by management either prior or after the fact. Flexibility exists in the organization's operations to accommodate regular and a reasonable amount of unscheduled hardware maintenance. Version control is maintained and contingency plans are updated after any changes.
MA-6.e
ENHANCED CONTROL (Add to basic control): Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
MA-6.s
STRONG CONTROL: To be defined.
 
FAMILY:
SYSTEM AND INFORMATION INTEGRITY (SI)
 
SI-1 FLAW REMEDIATION PROCESS
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to facilitate flaw remediation for the information system.
CONTROL MAPPING: [NIST 800-26: 10.3.2, 11.1.1, 11.1.2, 11.1.2, 11.2.2, 11.2.7; FISCAM: SS-2.2, CM-5; ISO-17799: 6.3.2, 6.3.3, 8.3.1, 8.4.3; DCID 6/3: Integrty2, F.2(all); CMS: 2.1.7, 3.5.3; DOD 8500: DCCT-1]
SI-1.b
BASIC CONTROL: Significant weaknesses in the operational information system are reported and effective remedial actions are taken. This includes the following:
Patch Management
Systems affected by recently announced software vulnerabilities are identified. Patches are installed on a timely basis and tested for effectiveness and potential side effects on the organization's information systems. There is verification that patches, service packs, and hot fixes are appropriately installed on affected systems.
System Software Problems
A log is used to record the problem, the name of the individual assigned to analyze the problem, and how the problem was resolved.
Malicious Code Screening
As needed, incoming information is reviewed for viruses and other malicious code. Anti-viral mechanisms are used to detect and eradicate viruses transported by e-mail or attachments. The information system is automatically safeguarded from virus infections from other sources as well (e.g., central choke points where diskettes are scanned for viruses prior to distribution). There is timely updating of those mechanisms intended to prevent the introduction of malicious code (e.g., updating anti-viral software).
Miscellaneous
Software is up-to-date (latest versions of service packs, patches, and hot fixes are installed). Security weaknesses are being reported and acted upon. Software malfunctions are being reported and acted upon. Hardware fault control routines are logged to indicate all detected errors and determine if recovery from the malfunction is possible.
SI-1.e
ENHANCED CONTROL (Add to basic control): Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
SI-1.s
STRONG CONTROL: To be defined.
 
SI-2 PERSONNEL SUPERVISION
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are developed, documented, and effectively implemented to ensure adequate supervision of personnel and review of their activities.
CONTROL MAPPING: [NIST 800-26: 17.1.6, 17.1.8; FISCAM: AC-4.3, SD-2.2; ISO-17799: 8.4.2; CMS: 1.10.2, 4.2.2, 4.2.4, 4.4.2]
SI-2.b
BASIC CONTROL: Active supervision and review are provided for all personnel, including each shift for computer operations. Staff's performance is monitored on a periodic basis and controlled to ensure that objectives laid out in job descriptions are carried out. Supervisors routinely review user activity logs for incompatible actions and investigate any abnormalities. All mission/business partners are reviewed for compliance with information systems security requirements.
SI-2.e
ENHANCED CONTROL (Add to basic control): Procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the procedures are being correctly applied and consistently followed.
SI-2.s
STRONG CONTROL: To be defined.
 
SI-3 PROCEDURAL REVIEW
CONTROL OBJECTIVE: In accordance with organizational policy, detailed procedures are periodically reviewed.
CONTROL MAPPING: [NIST 800-26: 2.1.1, 6.1.2, 6.1.3; FISCAM: SP-5.1, SD-1, SD-1.1, SD-2.2; ISO-17799: 3.1.2; CMS: 3.1.2, 4.4.1; DOD 8500: DCAR-1]
SI-3.b
BASIC CONTROL: A review is conducted every [Assignment: time period (e.g., twelve months)] that comprehensively evaluates existing security policies and procedures to ensure procedural consistency and to ensure that they fully support the goal of enabling mission accomplishment. Access authorizations are periodically reviewed for incompatible functions. Management reviews are performed to determine that control techniques for segregating incompatible duties are functioning as intended and that the control techniques in place are maintaining risks within acceptable levels.
SI-3.e
ENHANCED CONTROL: To be defined.
SI-3.s
STRONG CONTROL: To be defined.
 
SI-4 SOFTWARE AND INFORMATION INTEGRITY
CONTROL OBJECTIVE: In accordance with organizational policy, automated mechanisms are in place and detailed supporting procedures are developed, documented, and effectively implemented to both protect against and to detect unauthorized changes to software.
CONTROL MAPPING: [NIST 800-26: 11.2.1, 11.2.4, 11.2.5, 11.2.9; ISO-17799: 8.7.6, 10.3.3; DCID 6/3: Integrty1, Integrty2, SysAssur1-b, SysAssur2, 7.B.2.a(1); DOD 8500: ECND-2, ECTM-2; FISCAM: AC-4]
SI-4.b
BASIC CONTROL: Integrity verification applications are available on the information system to look for evidence of information tampering, errors, and omissions. Tools for automatically monitoring the integrity of the information system and the applications it hosts are implemented. Good engineering practice with regard to commercial off-the-shelf integrity mechanisms, such as parity checks and cyclical redundancy checks, are employed. The operating system's operational status and restart integrity is protected during and after shutdowns. Mechanisms prohibit users from modifying the functional capabilities of boundary protection devices such as firewalls, gateways, and routers. There is limited write access to information system security capabilities (that is, the hardware, software, and firmware that perform operating system or security functions and the hardware, software, and firmware that must be relied upon in order for the system security functionality to operate correctly).
SI-4.e
ENHANCED CONTROL (Add to basic control): Message authentication codes, cryptographic hashes, digital signatures and digitally signed timestamps or notarizations are implemented using current standards (i.e., FIPS 198 HMAC, AES-MAC, FIPS 180-2, FIPS 186-3) or subsequently adopted standards, for ensuring the integrity of stored or archived files. Supporting procedures include checks to be performed and assigned responsibilities for conducting these checks to periodically ensure that the mechanisms are properly configured and the procedures are being correctly applied and consistently followed.
SI-4.s
STRONG CONTROL: To be defined.
Attachment: vcard [not shown]
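The SI-4 enhanced control quoted above asks for keyed integrity checks (FIPS 198 HMAC over a FIPS 180-2 hash) on stored files, and MA-1/MA-3 ask that security features be re-checked after a vendor's maintenance session. The following is an added example, written for this page; it is not code from the post, from the NIST draft, or from any vendor product. It builds an HMAC-SHA256 baseline over a directory tree, seals the manifest itself with a second HMAC, and after a simulated vendor session reports which files were modified, removed or added. The key source (an environment variable with a demo fallback), the directory layout and the file names are assumptions for illustration; the whole tree is constructed inside a temporary directory so the block runs offline.

```python
"""Keyed file-integrity baseline (HMAC-SHA256: FIPS 198 over FIPS 180-2).

Added example for the SI-4 enhanced control quoted above; not code from the
post, the NIST draft, or any product.  Standard library only.

A plain hash manifest is weak here: whoever can alter the monitored files
(a vendor account with update rights) can usually alter the manifest too.
HMAC binds the manifest to a key kept outside the monitored tree; the key
source below (environment variable, demo fallback) is an assumption.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def file_mac(key: bytes, path: Path) -> str:
    """HMAC-SHA256 of a file's contents, streamed so large files are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            mac.update(block)
    return mac.hexdigest()


def build_baseline(key: bytes, root: Path) -> dict:
    """Relative POSIX path -> HMAC for every regular file under root.
    Symlinks are skipped: following one would let a 'file' point outside
    the tree and hide what actually changed."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = file_mac(key, p)
    return manifest


def verify(key: bytes, root: Path, baseline: dict) -> dict:
    """Report modified, missing and unexpected files; all lists empty means
    the tree matches.  compare_digest keeps the comparison constant-time."""
    current = build_baseline(key, root)
    return {
        "modified": [p for p in baseline if p in current
                     and not hmac.compare_digest(current[p], baseline[p])],
        "missing": [p for p in baseline if p not in current],
        "added": [p for p in current if p not in baseline],
    }


def save_baseline(key: bytes, baseline: dict, out: Path) -> None:
    """Write the manifest followed by an HMAC over it, so the manifest itself
    cannot be quietly edited or truncated."""
    body = json.dumps(baseline, sort_keys=True).encode()
    seal = hmac.new(key, body, hashlib.sha256).hexdigest()
    out.write_bytes(body + b"\n" + seal.encode() + b"\n")


def load_baseline(key: bytes, src: Path) -> dict:
    """Refuse a manifest whose seal does not verify."""
    body, seal, _ = src.read_bytes().rsplit(b"\n", 2)
    expect = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, seal.decode()):
        raise ValueError("baseline manifest failed its integrity seal")
    return json.loads(body)


def demo() -> dict:
    """Constructed tree: baseline it, check it (clean), simulate a vendor
    maintenance session that edits, deletes and adds a file, check again."""
    key = os.environ.get("INTEGRITY_KEY", "demo-key-replace-me").encode()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "etc").mkdir(parents=True)
        (root / "etc" / "config.ini").write_text("audit=on\n")
        (root / "etc" / "users.db").write_text("alice\nbob\n")
        (root / "run.sh").write_text("#!/bin/sh\nexec ./app\n")
        manifest = Path(tmp) / "baseline.json"   # kept outside the tree
        save_baseline(key, build_baseline(key, root), manifest)
        before = verify(key, root, load_baseline(key, manifest))

        (root / "etc" / "config.ini").write_text("audit=off\n")  # edited
        (root / "etc" / "users.db").unlink()                     # removed
        (root / "etc" / "extra.bin").write_bytes(b"\x00" * 16)   # unexpected
        after = verify(key, root, load_baseline(key, manifest))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the key and the sealed manifest live somewhere the vendor account cannot write (a separate host or a read-only share), the baseline is rebuilt only after a reviewed change, and the post-maintenance `verify` run is what the MA-1 "security features are checked" step records in the maintenance log.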

#232 From: "Barbara McGowin" <mcgowin@...>
Date: Fri Oct 15, 2004 11:59 pm
Subject: Sharing databases among unaffiliated providers
hitrecruiting
 
Question: Does HIPAA allow the sharing of ePHI between unaffiliated providers?
 
Background:  We are entering into an agreement with a non-affiliated health care provider to allow us to utilize their HIS system. They will be setting us up as a separate facility on their system through an ASP arrangement. We will have access to all their patients' demographics. When we go to register a patient for our facility, we will query their patient history file. If a patient has been to their facility, we will utilize that information.
 
Concern: There is no disclosure by the provider that their demographic information will be shared with our facility.  Some of my colleagues are suggesting that it is permissible under the permissions granted through the treatment, payment and health care operations clause.
 
Response:  As this concerns ePHI, there are some standards and requirements that must be considered from both the HIPAA Security Rule and the HIPAA Privacy Rule.  I have placed a link for the actual verbiage from the Rules in brackets [ ] beside each excerpt from the rules so that you might draw your own conclusions.
 
The HIPAA Privacy Rule
[http://www.bricker.com/legalservices/practice/hcare/hipaa/164.506c.asp]
§ 164.506(c) Uses and disclosures to carry out treatment, payment, or health care operations.

(a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) and (3), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or
disclosure is consistent with other applicable requirements of this subpart.
 
[http://www.bricker.com/legalservices/practice/hcare/hipaa/164.520b.asp]
Content of Notice of Privacy Practices - § 164.520(b)(1)(ii) Uses and disclosures. The notice must contain:
 
A.  A description, including at least one example, of the types of uses and disclosures that the covered entity is permitted by this subpart to make for each of the following purposes: treatment, payment, and health care operations.
B.  A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written authorization.
 
The HIPAA Security Rule
Administrative Safeguards - § 164.308(b)
1.  Standard: Business associate contracts and other arrangements. A covered entity, in accordance with § 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information.
2. This standard does not apply with respect to--
 
i.  The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual.
 
Based on the excerpts from the HIPAA Privacy and Security Rules, and applying the definitions of use, disclosure and business associate, and the standard for minimum necessary [http://www.bricker.com/legalservices/practice/hcare/hipaa/164.502b.asp], the following are actions that the covered entities may want to consider.
 
1.   The provider that is allowing access to their HIS by an unaffiliated provider should include in their NPP, or joint NPP that PHI is provided to other providers for the other providers' treatment, payment and health care operations.  Through a BAA or other arrangement, the provider must document satisfactory assurances that the other provider will appropriately safeguard the information.  Depending on the security technical capabilities of the HIS or the technical environment in which the HIS exists, access to an individual's ePHI by the unaffiliated provider may require implementation of technical security safeguards to audit system activity and also require the unaffiliated provider to abide by the HIS provider's rules of access.
 
2.  The unaffiliated provider using another's HIS for treatment, payment and health care operations should include this in their NPP or joint NPP.  The unaffiliated provider should provide the HIS's provider assurances that the ePHI will be safeguarded and will need to set up rules of access and train their workforce on these rules. Depending on the technical capability of the unaffiliated provider, some method of access control and access monitoring will need to be implemented.
 
Has anyone encountered this type of arrangement?  How were the HIPAA standards and requirements resolved?  For discussion on this subject please visit the ShareHIPAA2 group (the discussion companion of the ShareHIPAA group) home page. The messages section (Message Archives) is available for public view/access.  If you want to share your comments you will need to join ShareHIPAA2.  The ShareHIPAA2 group's home page link is:
http://health.groups.yahoo.com/group/ShareHIPAA2   To join, select "Join This Group!"
 
 
Thank you,
Barbara McGowin
HIT Recruiting
Resource Consultant
(843) 824-8537
Connecting Health Care Organizations with People,
Products and Services to Achieve HIPAA Compliance.

#231 From: Share HIPAA <sharehipaa@...>
Date: Mon Oct 11, 2004 9:16 pm
Subject: FREE! CMS Sponsored HIPAA Security Teleconferences. You're invited!!
sharehipaa
 

Mark your calendars!

Security Teleconferences sponsored by CMS Regions IV and VI and presented by SHARP (Southern Healthcare Administrative Regional Process) Work Group.

When:  1:00 – 2:30 PM, ET, Wednesday, October 27, 2004

What:  “HIPAA Security Risk Analysis, Ideas and Practical Tips”

Receive helpful ideas and tips in planning and early implementation of this critical HIPAA security mandate to help you implement your own security measures.

PRESENTER: Susan A. Miller, JD.

Where: dial-in only
            Phone number: 877-203-0044
            Conference ID#: 247630

When:  1:00 – 2:30 PM, ET, Wednesday, November 3, 2004

What:  “Practical Security Tools, Firewalls and Others”

Receive a detailed explanation of practical steps you can take to protect the confidential patient information that you use every day.

PRESENTER: Roger Wernow

Where: dial-in only
            Phone number: 877-203-0044
            Conference ID#: 247633

Access/download the PowerPoints for the teleconferences at
www.sharpworkgroup.com



#230 From: "boxster92692" <cdirricq@...>
Date: Thu Oct 7, 2004 3:11 pm
Subject: September 29, 2004 - New California Information Security Privacy Law:
boxster92692
 
September 29, 2004 - New California Information Security Privacy Law:

http://info.sen.ca.gov/pub/bill/asm/ab_1901-1950/ab_1950_bill_20040929_chaptered.pdf

On September 29, 2004, Governor Schwarzenegger signed A.B. 1950, a
bill that imposes new information security duties on businesses that
keep personal information about California residents, including an
obligation to contractually bind non-affiliated parties to protect
shared information. The new law becomes effective January 1, 2005.


Chris Dirricq
Hoag Hospital
Newport Beach, CA.

#229 From: Share HIPAA <sharehipaa@...>
Date: Thu Oct 7, 2004 2:48 pm
Subject: CMS 17th HIPAA Implementation Roundtable Wed November 10, 2004 2:00-3:30 PM ET
sharehipaa
 
MARK YOUR CALENDAR!!!  MARK IT NOW!!!

The Centers for Medicare and Medicaid Services (CMS) invites you to participate in the Seventeenth National HIPAA Implementation Roundtable conference call. This call will focus on the HIPAA security standards.

Day/Date/Time:
Wednesday November 10, 2004 from 2:00-3:30 PM ET

Location: Conference Call only

The call in number is 1-877-203-0044

The conference identification number is 1347026

Due to the volume of callers wishing to participate, please dial in fifteen minutes before the start of the meeting.

NO Registration Required.  NO Cost.


 
CMS HIPAA UPDATE
 
HIPAA!  For more information including answers to frequently asked questions, educational materials, information on the law, regulations, and enforcement visit: http://www.cms.hhs.gov/hipaa/hipaa2  
 
Transcript for the CMS 16th HIPAA Implementation Roundtable of May 12, 2004 now available at:
http://www.cms.hhs.gov/hipaa/hipaa2/events/default.asp#roundtable (transcripts from other roundtables also available).
 
Security Deadline – Remember the deadline to become compliant with the HIPAA Security provisions is April 21, 2005 (less than a year away!)  The deadline for compliance for small health plans is April 21, 2006.  Stay tuned for additional security information.
 

Need more assistance? CMS has a toll-free hotline in place and an e-mail address where you can seek technical assistance. 

Send CMS an e-mail at askHIPAA@...

Or, call the CMS HIPAA HOT line at 866-282-0659 

 
 
Regards,
ShareHIPAA
 



#228 From: "Barbara McGowin" <mcgowin@...>
Date: Mon Oct 4, 2004 3:43 pm
Subject: ALERT! Passwords and Vendor System Utilities
hitrecruiting
 
In your security management program please add the following to your survey questions to your system vendors: Are there any characters that, if used in passwords, will cause degradation of confidentiality, integrity, or availability of the system or the data contained in the system?

Here are some snippets of a thread from a vendor specific interface or IE users listserv.

<snip>
We are running [interface engine and version] on [platform]. A security audit recently highlighted the fact that we are running with the default Administrator password.

We ran for a few days with a new password, then the Monitor quit connecting. We were getting the following error in the control broker log: "User authentication failed for " then the user name. We tried several accounts, but got the same result. I updated the password file. No change.

Everything worked fine as soon as we changed the Admin password back to the default.

<snip>
Wow! Using the default Administrator password on any vendor technology opens you up to a lot of security risks.

<snip>
We recently updated our password standards to include complex passwords. After changing the admin password we ran into some similar issues. The reason we were having issues with the new passwords was because we were including special characters. Maybe this is a similar situation. Here is the resolution from [Vendor] (hope this helps):

   Unfortunately we do not have a list of special characters that should not be used, and [IE] can take special characters in passwords with a caveat. My testing shows the following.

   1) The Enterprise Manager will not allow certain special characters to be used in a password. For example, the GUI allows % and * but not other characters such as !, @, #, etc.
   2) ***aclutil will allow some additional special characters but none that conflict with the execution of the command, for example ^ or & on a Windows system.
   3) Some special characters allowed by ***aclutil may later conflict with component startup.

The above "lesson learned" will be included in a document that I am now finalizing that will include a collection of security practices in the Health Care Industry and a NIST security controls crosswalk to each HIPAA security standard and implementation specification.  A lot of good ideas were shared by the 60 or so participants of the recently concluded series of Mitigation Planning Workshops.  Due to space consideration of the ShareHIPAA group's file section, we will not be able to include it in the ShareHIPAA group's files section.  Blass Consulting, LLC has agreed to provide it freely for access/download to all from its "Free HIPAA Tools" page from the ComplyAssistant website (www.complyassistant.com).  If you have any security practices that you would like to have included in this document, please send them to me at mcgowin@... by this Friday, October 8th.  We hope to have the final document available by mid October.  And if you participated in the workshops and would like to have your participation acknowledged, please send me your name and how you would like to be listed in the document's acknowledgements.
 
To effectively implement HIPAA security standards into our operations and business decisions most would agree that a baseline risk assessment should be conducted.  How do you do this?  Where do you start?  How do you know what to put in the survey questions?  I have put together a free audio/video presentation that is web accessible 24/7.  It is a high level overview of the NIST recommended Security Risk Management Program and steps you through a HIPAA security management approach from "defining the scope", conducting a survey to determine security gaps, through mitigation work plan and budget development (encompassing P&P, training, implementation/process integration, monitoring, and audit).  You can access this presentation from the link below.  The white paper that this presentation was based on is available in the ShareHIPAA files section (look for securityicepp-final.doc).  It is also available for access/download from www.complyassistant.com .  Look in the left column under White Papers for Security Issues, Concerns and Enforcement.
 
Here is the link for DeMystify Security - NISTify IT! presentation:
 
http://www.placeware.com/cc/complyassistant/view?id=NZTQJ4
Requires Name, No password, then email address and Company Name. (1 hour 2 min). 

For high-speed and broadband connections choose the 2nd file option. It is called "Microsoft Office Live Meeting Replay: Windows MediaTM - formatted streamed audio & video".  When the windows media window opens you can right click on the window, then click on zoom, and then click on full screen.

For 56K modems, your bandwidth will not support video.  You can choose the 1st file option.  It is called "Basic recording with Windows Media TM formatted streamed audio".   You can listen to the recording and refer to the white paper mentioned above.  If you can get to a PC with high-speed internet access, I would recommend viewing it this way.



Regards,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
Attachment: vcard [not shown]
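The pre-change check that the survey question above is driving at, as an added example that is not from the thread or any vendor: the three rejection points the vendor reply describes (GUI allow-list, command-line ACL utility, component startup) are modelled as explicit character rules so a candidate admin password can be tested before it is applied, and a complexity-compliant password is generated from whatever characters survive every stage. The rule sets, stage names and the empty `component_startup` placeholder are assumptions constructed from the characters the thread names; the cmd.exe metacharacter list is standard Windows behaviour.

```python
"""Compatibility pre-check for a new privileged password.

Added example, not code from the thread or any vendor. It models the three
rejection points the vendor reply describes (GUI allow-list, the command-line
ACL utility, component startup) as explicit character rules so a candidate
admin password can be tested before it is applied, and it generates one that
meets a complexity policy while staying inside the surviving character set.
The rule sets below are constructed from the characters named in the thread;
fill them from the vendor's answer to the survey question in a real rollout.
"""
import secrets
import string

# cmd.exe metacharacters. The thread names ^ and & as conflicting with the
# utility's execution; the rest are the other characters cmd.exe interprets
# (assumption: same mechanism, so they are treated the same way).
CMD_METACHARS = set('^&|<>%"')

RULES = {
    # 1) GUI: of the specials, only % and * are accepted (thread's example).
    "enterprise_manager_gui": {"allowed_specials": set("%*")},
    # 2) command-line utility: anything cmd.exe would interpret is unsafe.
    "aclutil_cli": {"forbidden": CMD_METACHARS},
    # 3) component startup: the thread gives no list. Placeholder to be
    #    filled from the vendor's answer; empty means "no known problems".
    "component_startup": {"forbidden": set()},
}

ALNUM = set(string.ascii_letters + string.digits)


def check_password(password, rules=RULES):
    """Map each stage that would choke on the password to the offending
    characters (sorted). An empty dict means every stage accepts it."""
    specials = {c for c in password if c not in ALNUM}
    problems = {}
    for stage, rule in rules.items():
        bad = set()
        if "allowed_specials" in rule:
            bad |= specials - rule["allowed_specials"]
        if "forbidden" in rule:
            bad |= specials & rule["forbidden"]
        if bad:
            problems[stage] = sorted(bad)
    return problems


def safe_specials(rules=RULES, candidates=string.punctuation):
    """Special characters that survive every stage, in candidate order."""
    return "".join(c for c in candidates if not check_password("Aa1" + c, rules))


def meets_complexity(password, min_length=12):
    """Typical complexity policy: minimum length plus all four classes."""
    return len(password) >= min_length and all((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def generate_compatible_password(rules=RULES, length=20):
    """Random password that passes both the complexity policy and every
    stage's character rules. Raises if the rules leave no special at all,
    the signal to renegotiate the policy rather than quietly weaken it."""
    specials = safe_specials(rules)
    if not specials:
        raise ValueError("no special character survives every stage")
    alphabet = string.ascii_letters + string.digits + specials
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_complexity(candidate, length) and not check_password(candidate, rules):
            return candidate


if __name__ == "__main__":
    # Constructed candidates mirroring the thread: a policy-compliant password
    # full of specials, one with cmd.exe metacharacters, and one that fits.
    for pw in ("Adm!n@2004#", "P4ss^word&", "Adm1n*Pass*"):
        print(f"{pw!r}: {check_password(pw) or 'compatible with every stage'}")
    print("specials accepted everywhere:", safe_specials() or "(none)")
    print("generated:", generate_compatible_password(length=16))
```

With the constructed rules only `*` survives all three stages, so the generated password has to get its strength from length rather than symbol variety; that trade-off is exactly what the vendor survey answer should let you decide up front.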

#227 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Sat Oct 2, 2004 2:04 pm
Subject: Public Comment Period for X12's 5010 824 Acknowledgement TR3
dafeinberg
 
Over the past years, many of you have asked for an implementation guide
that may be followed to acknowledge transactions at a more detailed
level than that allowed by a TA1, 999, or 997 transaction.  A draft
version of such a guide is now available for public review and comment
as a key step in its X12 Type 3 Technical Report (TR3) publication
process.  The public comment period commenced October 1, 2004, and
will close on November 30, 2004, at 5:00 pm Eastern time.

The purpose of the X12N Health Care Implementation Guide and Application
Reporting (824) Implementation Guide, 005010X186, is to:
· Enable a receiver of an X12 transaction, related to insurance business
   processes, to report errors that are outside of the scope of the 997
   or 999 error reporting, or to report the results of an application
   system's data content edits of transaction sets.
· Report transaction errors related to the use of any other approved
   implementation guide that does not have another standard vehicle for
   the reporting of such errors.
· Supplement other error-reporting vehicles that may not provide for
   reporting of every transaction set error.

Note that this 824 implementation guide does not replace existing
approved implementation guides designed to report transaction errors;
such as the 277 implementation guide designed for reporting certain
implementation-related errors and status in the 837.  Nor does it
replace transaction-specific 824 implementation guides such as the
266/824 or the 148/824.

The authors of this guide will consider all comments following the
public comment period. Official work group responses will be posted to
the on-line conference at least 15 days prior to the corresponding
Informational Forum. This is X12's only unconstrained public comment
period.  For a complete understanding of changes being suggested and/or
made to the guide, reviewers should monitor the on-line conference
during the public comment period and consider all author responses prior
to the Informational Forum.

An announcement of the corresponding Informational Forum will be made
later.  The Informational Forum, held during an X12 Trimester Meeting,
probably the one during the first full week of February, 2005, [see
http://x12.org/x12org/meetings/x12trimt/index.cfm ], is the final X12
opportunity to comment:  but only on modifications based on the received
public comments.  After that, the guide is finalized for movement
through the Insurance Subcommittee (X12N) and X12 publication approval
processes; and perhaps proposal as a new HIPAA standard.

The draft implementation guide is available for free download at:
http://www.wpc-edi.com/HealthCareDraft.asp . Comments on the draft can
be submitted by anybody via the on-line conference at:
http://www.wpc-edi.com/conferences/healthcare.html .

This Implementation Guide is not a counterpart of any that have been
adopted under HIPAA, and no official discussions regarding any such
adoption have been held.  A factor in such discussions, should they be
initiated, will be any comments received.  Voluntary use, once this
guide is published as a TR3, is, of course, permissible at any time
based on negotiated agreements between willing trading partners.  HIPAA
is a floor, not a ceiling!

Participation in the public comment period is open to all who may be
interested.  Please participate -- this is the highest leverage
opportunity for anybody outside of the authors to impact this document.
Also note that this is a version 005010 guide.  A version
004010 guide is also being written and is presently projected for public
comment during June-July, 2005 [see
www.x12.org/x12org/subcommittees/X12N/N0200_X12N005010_TR3.pdf ].

                     Dave Feinberg
                     Co-chair, HIPAA Implementation Work Group
                          Insurance Subcommittee (X12N)
                          Accredited Standards Committee X12
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...

#226 From: "boxster92692" <cdirricq@...>
Date: Thu Sep 30, 2004 3:44 pm
Subject: Unshredded Medical Records Found in Recycle Bin
boxster92692
 
It was Memorial Day weekend when local resident Chris Aiken made the
discovery. Taking boxes of his own to one of the local drop off
points, he was dismayed to find that the bin was clogged. But it was
the bin's contents that disturbed him the most: unshredded
medical records on just under 30 patients treated by a Dr. Jennings
Pressly.

http://health-information.advanceweb.com/common/Editorial/Editorial.aspx?CC=41557


Chris Dirricq
Information Security
Hoag Hospital - Newport Beach, CA.

#225 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Mon Sep 27, 2004 2:42 pm
Subject: Fw: NPI Bulk File Load Information
dafeinberg
 
For those who may not have received this via other routes.

Additionally, you may be interested that no Enumerator contract has yet
been awarded.  Charlie's latest estimate for the RFP is "early October".

----- Original Message -----
From: "Charles Waldhauser" <CWaldhauser@...>
Sent: Friday, September 24, 2004 10:59 AM
Subject: Re: NPI Bulk File Load Information

I am attaching some basic high level information about how we are
envisioning the bulk file enumeration process (which we are calling
electronic file interchange) to work.  Comments and questions are
welcome.

Charlie Waldhauser

#224 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Fri Sep 24, 2004 5:46 pm
Subject: X12 Presentations on Adopting New HIPAA Transactions and NHII / EHR-S
dafeinberg
 
In addition to its usual standards creation activities, Accredited
Standards Committee X12 will be having presentations on adopting the
next generation of HIPAA transaction standards, and the National Health
Information Infrastructure and HL7's draft Electronic Health Record
Standard.  Short descriptions of each of these presentations are at the
end of this message.

Information on attending these sessions at X12's Miami [Hyatt Regency
hotel] Trimester meeting the first week in October can be found at
http://x12.org/x12org/meetings/x12trimt/index.cfm .  First time
non-members may attend X12 Trimester meetings for free.  At
this late date, contact Diane Huber, dhuber@... , if you're
interested in this option.

The sessions described below are an excellent opportunity to learn more on
these two key topics at one time.  Take advantage of them, as well as
the entire X12 experience, if you can.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
______________________________________________________________

X12N/TG3/WG3 "HIPAA Implementation / Coordination"
             presents another installment of the
       HIPAA INFORMATIONAL FORUM

                   Wednesday Afternoon
                    6 October 2004
                    Ashe Auditorium


3:00-4:00     HIPAA Transactions - The Next TR3's
         A discussion of the materials, processes, schedules, and some of
         the as-yet unanswered questions involved in creating the next
         iteration of HIPAA standard transactions.

4:00-5:00     The NHII and HL7's Draft EHR-S Standard
         A report on HHS' National Health Information Infrastructure
         (NHII) Summit on Health Information Technology held this past
         July and Health Level Seven's (HL7) recently approved Electronic
         Health Record System (EHR-S) draft standard.  Included is an
         analysis of their potential relationships with HIPAA transaction
         standards.


Note:  "HIPAA and X12 -- An Introduction", a.k.a.
            HIPAA-101, is scheduled for presentation
            at 11:00 on Monday morning as part of the
            Newcomer Orientation in Gautier; see
            attachment.
______________________________________________________________

#223 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Fri Sep 24, 2004 3:38 pm
Subject: HIPAA Transactions -- The Next Generation
dafeinberg
 
Hi everybody,

Following an X12 conference call yesterday, it appears that work on the
next generation of Implementation Guides -- now known as Type 3
Technical Reports (TR3's) -- remains on schedule.  Because of the long
lead times in the HIPAA transactions adoption process, the next months
are going to be critical.  X12 public comment periods -- see
attachment -- are the greatest leverage point for folks who don't
regularly participate in X12 to contribute their expertise to this next
generation of potential HIPAA standards.

An understanding of what's happening to create this next generation of
federally mandated healthcare EDI standards is also key for impacted
organizations' planning.  This is the reason I've created the
presentation "HIPAA Transactions -- The Next Generation" plus a full day
seminar "HIPAA TCS -- What's Next?  Products, Processes, and
Prognostications".

I'd be delighted to continue presenting either or both to any
organizations you know of that need to be aware of what's happening.
There's a window opening where anybody can participate in the HIPAA
standards creation process.  I don't think it should be missed simply
because people didn't know about or understand it.

Please feel free to contact me at any time should you have any questions
or desire any additional information.  Also, could you post and forward
the attachment to as many folks as possible to help get the word out?
Thanks.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...

#222 From: "Barbara McGowin" <mcgowin@...>
Date: Thu Sep 16, 2004 5:14 pm
Subject: AMA Reports HIPAA EDI is a Mess and Vexing Many Providers
hitrecruiting
 
 
From August 2, 2003 through October 6, 2003 a group of volunteers participated in a TCS compliance solution for providers workgroup using HIPAA ComplyAssistant, a HIPAA compliance management tool. From my participation in this group I learned that:
 
1.  For the most part, the TCS technical solution had been passively out-sourced to application vendors and clearinghouses with little or no input from providers.
2.  Providers did not actively manage TCS compliance, and those who did focused on the technical solution and not on integrating the technical solution into the day-to-day actions of the workforce.
3.  Most technical solutions provided by application vendors and clearinghouses were "all or none," which did not allow providers to implement upgrades until all of their payers were ready.  This was a huge problem when shifting from use of local codes to HCPCS codes.
4.  Application vendors could not manage TCS compliance for their client sites, and they were a little hesitant providing TCS updates because their clients had not asked for them.
5.  In order to be successful with TCS, providers must manage the relationship between application vendor, billing service/BA clearinghouse, and payer by transaction type.
6.  Most providers do not know what needs to be done or who should do it, which generally leads to finger pointing.
 
I wrote a white paper on the findings of the test group.  The transcripts from each of the work group's test sessions and the white paper are available from the ShareHIPAA group's File section.  Here is how they appear in the Files Section directory:
 
tcsicepp-final.doc   60KB
Msg #107
 
tcsmoduletest1.doc 73 KB
Msg #107
 
tcsmoduletest2.doc 115 KB
Msg #107 
 
tcsmoduletest3.doc  92 KB
Msg #107  
 
To access these documents, go to the ShareHIPAA home page
http://health.groups.yahoo.com/group/ShareHIPAA and sign in with your Yahoo! ID and password.  Then select "Files" from the left column.  Files are listed in alphabetical order, but this is Yahoo!'s alphabetical order.  Conventionally named files are listed first, with the "gooble-dee-gook" named files at the end.  Since these are named in gooble-dee-gook, you will have to scroll way down the Files directory to find them.
 
Since the completion of the TCS workgroup, advances have been made in HIPAA EDI interoperability at the point between provider BA clearinghouse and payer BA clearinghouse.  But clearinghouses say they aren't receiving the data necessary from providers (and probably some payers) to fill in all the necessary data elements.  And many providers and some payers are saying that they can't use the data coming from the clearinghouses.
 
I think, and I know I am in the minority, that as a health care industry we have failed to apply basic business principles to resolving the HIPAA EDI dilemma and have rushed to create a technical solution that falls short.  I believe the first step in any compliance initiative is for an organization to define the business deliverables, the requirements of regulation.  Once these are determined, there will be some things that will be resolved through a change in processes and procedures, and there will be some things that will need to be addressed by technology.  Because we failed to determine the business deliverables of the HIPAA TCS Rule, the need to understand how data was collected and processed and where the gaps are in our "process" was not addressed.  Also, we would have mandated that the technical solution provide greater flexibility (all trading partners and intermediaries will not be moving at the same pace, code sets will constantly be changing, and all payers will not require the same thing in the situational fields).  Except for a few, the approach to HIPAA EDI has been backwards, i.e., a static technical solution was developed "by consensus", and therefore is generic.  The problem with providing a generic solution is that there is no Generic Memorial Health System, Generic Physician Practice, or Generic Health Plan, Inc.
 
If you are responsible for managing the TCS compliance plan, or you are trying to assist providers and payers in managing their TCS compliance plan, I strongly encourage you to go to www.complyassistant.com and sign up for an on-line live demonstration of the TCS module of HIPAA ComplyAssistant.  You may not need a tool to automate the management of TCS compliance, but at least you will see a very logical and consistent approach developed by David A. Feinberg, C.D.P. that I know will be beneficial to you.  You will have a greater chance at being successful if you know how to do something.  The demonstration will SHOW you how to do it.  So if you can't afford a management tool, take notes!  You may also want to read the white papers (accessible from the left column on the site's pages) or view the audio/video recordings on TCS by selecting "Presentations" from the top horizontal menu bar.
 
I would welcome your comments on the approach.  Anything that can be done to make it more effective, will help us all.  Any delay in achieving HIPAA EDI places the availability and provision of health care treatment, products, and services at greater risk.  There are many forces impinging on the availability and provision of health care, but low cost claim adjudication processing does not need to be one of them.
 
Sincerely,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
 
Attachment: vcard [not shown]

#221 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Wed Sep 15, 2004 8:30 pm
Subject: Civil Money Penalties Interim Rule Expiration Date Extended One Year
dafeinberg
 
The new HIPAA rule for Civil Money Penalties (CMP) that went to the
Office of Management and Budget on 9 August was published on pages
55515-55516 of today's Federal Register: Volume 69, No. 178, Wednesday,
15 September 2004.  It extends the expiration date of the CMP Interim
Final Rule originally published on 17 April 2003.  The new expiration
date is now 16 September 2005.

No other changes to the original CMP rule are included in today's
Federal Register rule.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...

#220 From: "boxster92692" <cdirricq@...>
Date: Wed Sep 15, 2004 11:10 pm
Subject: Hospital Workers Suspended for Accessing Clinton Medical Records
boxster92692
 