ShareHIPAA · Share HIPAA
Messages 594 - 623 of 641
#623 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Thu Aug 20, 2009 1:51 pm
Subject: HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health
hitrecruiting

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

 

August 19, 2009

 

As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA), the U.S. Department of Health and Human Services (HHS) issued “breach notification” regulations today requiring health care providers and other HIPAA covered entities to notify affected individuals following a breach of unsecured protected health information.

 

The regulations require covered entities to promptly notify affected individuals, the Secretary of HHS, and in some cases, the media, of a breach.  Smaller breaches may be reported to the Secretary on an annual basis.  The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.  The regulations were developed after considering public comment received in response to an April 2009 request for information and after close consultation with the Federal Trade Commission (FTC), which has issued companion breach notification regulations that apply to vendors of personal health records and certain others not covered by HIPAA.

 

To determine when information is “unsecured” and notification is required by the HHS and FTC rules, HHS is also issuing in the same document as the regulation an update to its guidance specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.  Entities subject to the HHS and FTC regulations that secure health information as specified by the guidance through encryption or destruction are relieved from having to notify in the event of a breach of such information.  This guidance will be updated annually.

 

The HHS interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period.  For more information, visit the OCR web site at http://www.hhs.gov/ocr/privacy/.

 

 

**********************************************************************

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy and Security Rules. For additional information on a wide range of topics about the Privacy and Security Rules, please visit the OCR Privacy website at http://www.hhs.gov/ocr/privacy/index.html. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at http://www.hhs.gov/ocr/office/index.html.

If you believe that a person or organization covered by the Privacy and Security Rules (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR. For additional information about how to file a complaint, visit OCR's web page at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

To subscribe to or unsubscribe from the list serv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A=1


#622 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Tue Aug 18, 2009 4:01 am
Subject: Provider Discounts on X12 Version 005010 HIPAA TR3s
dafeinberg
The first of potentially several reduced price arrangements for health
care providers to obtain X12's Version 005010 HIPAA-adopted Type 3
Technical Reports (TR3s) is now in effect.

Through an agreement between X12 and the American Hospital
Association, AHA members who are not X12 members may purchase X12's
Version 005010 HIPAA TR3s at a discount from the listed price.  X12
members already receive an even greater price-break on these TR3s.
Further details on obtaining the AHA discount, or becoming an X12
member, can be found at  http://store.x12.org/aha_discounts.htm .

In order to facilitate better provider understanding and use of X12's
Version 005010 HIPAA TR3s, X12 is also willing to discuss reduced price
arrangements with other provider associations that may be interested.
Representatives of provider associations interested in opening these
discussions should contact Karyn White, Co-Chair of X12's Provider
Caucus, at kmw1291@... for additional information.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

#621 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Mon Aug 17, 2009 8:16 pm
Subject: NIST Releases 3 Documents and 1 Update to Special Publications
hitrecruiting

NIST’s Computer Security Division announces the release of 3 documents & 1 update to Special Publication already published.  See below for details --

 

1. Draft Special Publication 800-73-3 Interfaces for Personal Identity Verification (4 Parts)

       Pt. 1- End Point PIV Card Application Namespace, Data Model and Representation

       Pt. 2- PIV Card Application Interface

       Pt. 3- PIV Client Application Programming Interface

       Pt. 4- The PIV Transitional Data Model and Interfaces

 

To learn more about this draft document, please visit the Drafts page on the CSRC website for full details:

http://csrc.nist.gov/publications/PubsDrafts.html#800-73-3

 

 

2. Draft Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices has been released and is available for review and comment.

 

To learn more about this draft document, please visit the Drafts page on CSRC website for full details:

http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-38-E

 

 

3. NIST Interagency Report (IR) 7611, Use of ISO/IEC 24727 -- Service Access Layer Interface for Identity (SALII): support for development and use of interoperable identity credentials is now available.

 

URL to read announcement of this publication’s release:

http://csrc.nist.gov/news_events/index.html#aug14

 

Link to NIST IR page to this document:

http://csrc.nist.gov/publications/PubsNISTIRs.html#nistir7611

 

 

4. Special Publication 800-53 Revision 3 was updated last Friday to include an errata page, and all the supporting files were also updated and uploaded Friday, August 14.

The following are the files (links) that were updated:

sp800-53-rev3-final-errata.pdf                   (SP 800-53 Rev. 3 document)

800-53-rev3_final-markup_final-publicdraft-to-final-updtpdf              (Markup copy from final public draft to final SP)

800-53-rev3-final_markup-rev2-to-rev3.pdf              (markup copy from Rev. 2 to Rev. 3)

  sp800-53-rev3-annex1-updt.pdf              (Annex 1)

  sp800-53-rev3-annex2-updt.pdf              (Annex 2)

  sp800-53-rev3-annex3-updt.pdf              (Annex 3)

 

 

URL to Special Publication 800-53 Rev. 3 supporting documents:

http://csrc.nist.gov/publications/PubsSPs.html#800-53_Rev3

 


#620 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Sat Aug 8, 2009 5:41 pm
Subject: Fw: National Plan and Provider Enumeration System (NPPES) -- two messages of interest
dafeinberg
----- Original Message #1 -----
   From: CMS CMSProviderResource
   Sent: Thursday, July 30, 2009
   Subject: National Plan and Provider Enumeration System (NPPES) -
                Secure, Maintain and Update Your information

   NPPES - Secure, Maintain and Update Your information

   This message is for health care providers, particularly physicians and
other practitioners, who have obtained National Provider Identifiers
(NPIs) and have records in the National Plan and Provider Enumeration
System (NPPES).  The Centers for Medicare & Medicaid Services (CMS)
recommends that each health care provider, including individual
physicians and non-physician practitioners:

            Secure and maintain their own NPPES account information
(i.e., User ID, Password, and Secret Question/Answer) for safety and
accessibility purposes.  Health care providers should maintain the
confidentiality of their User ID, password, and Secret Question/Answer
in order to protect their NPPES information from unauthorized access.

            Reset their NPPES passwords at least once a year.  See the
NPPES Application Help page at https://nppes.cms.hhs.gov/NPPES/Help.do
and select the 'Reset Password Page' for applicable rules.  Those rules
indicate the length, format, content and requirements of NPPES
passwords.

            Review their NPPES records in order to ensure that the
information reflects current and correct information.  Covered health
care providers are required to update their NPPES information within 30
days of the effective date of the change.


   Viewing NPPES Information

   Health care providers, including physicians and non-physician
practitioners, can view their NPPES information in one of two ways:

   (1) By accessing the NPPES record at
https://nppes.cms.hhs.gov/NPPES/Welcome.do and following the NPI
hyperlink and selecting Login.  The user will be prompted to enter the
User ID and password that he/she previously created. *

   * If the health care provider has forgotten the password, enter the
User ID and click the "Reset Forgotten Password" button to navigate to
the Reset Password Page.  If the health care provider enters an
incorrect User ID and Password combination three times, the User ID will
be disabled.  Please contact the NPI Enumerator at 1-800-465-3203 if the
account is disabled or if the health care provider has forgotten the
User ID.


   OR


   (2) By accessing the NPI Registry at
https://nppes.cms.hhs.gov/NPPES/NPIRegistryHome.do.  The NPI Registry
gives the health care provider an online view of Freedom of Information
Act (FOIA)-disclosable NPPES data.  The health care provider can search
for its information using the name or NPI as the criterion.
Information regarding NPPES data that are FOIA-disclosable can be found
at http://www.cms.hhs.gov/NationalProvIdentStand/ by selecting 'Data
Dissemination'.

   Please note:  Business Mailing Address and Business Practice location
information (full address and corresponding telephone numbers) are key
data elements that are FOIA-disclosable.  Health care providers should
not report their residential address unless it is their Business Mailing
Address or Business Practice location.  The NPPES data appearing on the
NPI Registry cannot be deleted; however, it can be updated or changed.


   Updating NPPES Information

   Health care providers, including physicians and non-physician
practitioners, can correct, add, or delete information in their NPPES
records by accessing their NPPES records at
https://nppes.cms.hhs.gov/NPPES/Welcome.do and following the NPI
hyperlink and selecting Login. The user will be prompted to enter the
User ID and password that he/she previously created.

   Please note: Required information cannot be deleted from an NPPES
record; however, required information can be changed/updated to ensure
that NPPES captures the correct information.  Certain information is
inaccessible via the web, thus requiring the change/update to be made
via paper application.  The paper NPI Application/Update Form
(CMS-10114) can be downloaded and printed at
http://www.cms.hhs.gov/cmsforms/downloads/CMS10114.pdf.


   Deactivating the NPI

   Health care providers, including physicians and non-physician
practitioners, can deactivate their NPIs if the NPIs are no longer
required or needed.  Reasons for deactivation include retirement,
business dissolved, or death of the health care provider.  A request for
deactivation must be submitted via paper application.  The paper NPI
Application/Update Form (CMS-10114) can be downloaded and printed at
http://www.cms.hhs.gov/cmsforms/downloads/CMS10114.pdf.  Health care
providers should review the instructions located on the application
regarding deactivations in order to properly complete the deactivation
request.  The Power of Attorney or Executor of the Will may complete the
application for deactivation due to death of the health care provider.




     ----- Original Message #2-----
     From: CMS CMSProviderResource
     Sent: Monday, August 03, 2009
     Subject: National Plan and Provider Enumeration System (NPPES)
                  Update Announcement for Physicians

     PHYSICIANS!

     Did an academic medical institution or university obtain your NPI
for you?
     If so, is your NPPES record up to date?

     Health care providers, including physicians, began applying for
National Provider Identifiers (NPIs) on May 23, 2005.  Since then, the
National Plan and Provider Enumeration System (NPPES) has assigned
nearly 3 million NPIs.  More than 700,000 NPIs have been assigned to
physicians.

     Many physicians were assigned their NPIs upon their graduation from
medical school.  Often, the administrative staff at the physicians'
academic medical centers or universities applied for the physicians'
NPIs.  The administrative staff handled similar actions for their new
physicians and had, in their records, all the information that needed to
be furnished on the application for an NPI.  Some of these NPIs may have
been assigned as long as 4 years ago.

     The Centers for Medicare & Medicaid Services (CMS) is required by
regulation to make available to the public certain information about
health care providers that is contained in their NPPES records.  This
information includes the name, provider type (e.g., physician), business
practice location address, business mailing address, and business
practice location telephone number.  Publicly available NPPES
information can be found in the NPI Registry, a query-only database
which anyone can access on the Internet
(https://nppes.cms.hhs.gov/NPPES/NPIRegistryHome.do), and in a monthly
downloadable file that individuals with the necessary technical
expertise can download from the Internet
(http://nppesdata.cms.hhs.gov/CMS_NPI_files.html).  Health plans, health
care clearinghouses, health care providers, and others with a need to
know can easily use the NPI Registry to view data for a particular
health care provider simply by entering the health care provider's name
or NPI.  The downloadable file is used primarily by health plans and
other large health industry organizations that need information for all
or most of the health care providers who have NPIs and who may need to
sort or otherwise manipulate the data in the file to suit their business
needs.

     Now, months or years later, many of the physicians whose academic
medical centers or universities obtained their NPIs for them have moved on
in their careers to new locations.  Many have not updated their NPPES
information to show new business practice location addresses, business
mailing addresses, or business practice location telephone numbers.  As
a result, the information in the NPI Registry and in the downloadable
file is out of date.  Academic medical centers and universities whose
addresses and telephone numbers were entered into NPPES as the business
practice locations, business mailing addresses, and business practice
location telephone numbers for the physicians who they formerly employed
are now being burdened with the receipt of mail and telephone calls for
physicians who are no longer there.

     It is not the responsibility of the academic medical centers or the
universities to continue to update the NPPES records of physicians who
are no longer working for them.  In most cases, the academic medical
centers and universities do not have the updated information and,
therefore, are unable to contact the physicians to ask that they update
their NPPES information.

     Unless physicians have agreements in place for others to keep their
NPPES information up to date, the physicians themselves are responsible
for ensuring that their NPPES records contain accurate and current
information.

     Some of these physicians may have enrolled in health plans and may
be sending claims electronically to health plans or conducting other
electronic health transactions with health plans.  These physicians are
"covered entities" under the Health Insurance Portability and
Accountability Act (HIPAA).  As covered entities, they are required by
regulation to update their NPPES records within 30 days of any change.
Those who have NPIs but who do not conduct electronic health
transactions with health plans, and, thus, are not covered entities, are
encouraged to keep their NPPES information up to date.

     We remind all health care providers who have NPIs, not just the
physicians specially noted above, to view their NPPES records and, if
corrections are necessary, to furnish the updates.  Health care
providers who established User IDs and passwords in NPPES can easily
access their NPPES records to make updates.  Those who did not establish
User IDs and passwords may do so at any time.  For assistance in setting
up User IDs and passwords, or in situations where the User ID or
password has been forgotten, health care providers should contact the
NPI Enumerator at 1-800-465-3203.  If they prefer, health care providers
may furnish their updates by filling out the paper NPI application (Form
CMS-10114) and mailing the completed form to the NPI Enumerator.  The
instructions are on the form, along with the mailing address of the NPI
Enumerator.  The form may be downloaded from the CMS forms web page
(www.cms.hhs.gov/cmsforms) or one may be obtained by contacting the NPI
Enumerator at the number above.

###

#619 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Wed Aug 5, 2009 6:13 pm
Subject: Fw: CMS to Host Second National Medicare Fee-For-Service (FFS) Education Call on HIPAA Version 5010
dafeinberg

Topic is X12 Acknowledgement Transactions.    --DAF
 
----- Original Message -----
Sent: Wednesday, August 05, 2009
Subject: 5010: Taking Electronic Data Interchange (EDI) to the Next Level - Second National Medicare Fee-For-Service (FFS) Education Call on HIPAA Version 5010

5010:  Taking EDI to the Next Level

 

Second National Medicare Fee-For-Service (FFS) Education Call on HIPAA Version 5010

 

Conference call details:

 

Date:  August 26, 2009                    

Conference Title:  Version 5010: Medicare FFS Error Handling Transactions         

Time: 2:00 p.m. – 3:30 p.m. ET 

 

The Centers for Medicare & Medicaid Services (CMS) presents the second in a series of national provider training calls on Medicare's Fee-For-Service (FFS) implementation of HIPAA Version 5010.  The target audiences for this call are clearinghouses and billing software vendors.  The topic for this call is error handling transactions (TA1, 999, and 277CA).  The discussion will cover CMS’ planned use of each transaction, including rules and exceptions, for the Medicare FFS program. There will be a Q&A session following the presentation where you will have a chance to ask questions from CMS subject matter experts.

                       

In order to receive the call-in information, you must register for the call. It is important to note that if you are planning to sit in with a group, only one person needs to register to receive the call-in data.  This registration is solely to reserve a phone line, NOT to allow participation. 

 

Registration will close at 2:00 p.m. ET on August 25, 2009, or when available space has been filled.  No exceptions will be made, so please be sure to register prior to this time.

 

1.      To register for the call participants need to go to:

http://www2.eventsvc.com/palmettogba/082609

 

2.      Fill in all required data. 

 

3.      Verify your time zone is displayed correctly in the drop down box.

 

4.      Click "Register".

 

5.      You will be taken to the “Thank you for registering” page and will receive a confirmation email shortly thereafter.   Note: Please print and save this page, in the event that your server blocks the confirmation emails.  If you do not receive the confirmation email, please check your spam/junk mail filter as it may have been directed there.

 

6.      A few days prior to the call (not before August 24th), check the Educational Resources page on CMS’ 5010 web page at http://www.cms.hhs.gov/Versions5010andD0/40_Educational_Resources.asp to obtain a copy of the presentation that will be used during the call.

 

To learn more about 5010, visit CMS’ dedicated page at http://www.cms.hhs.gov/Versions5010andD0/ on the web.

 ###


#618 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Tue Aug 4, 2009 3:36 pm
Subject: HHS Secretary delegates HIPAA Security Rule to OCR
hitrecruiting

From: OCR HIPAA Privacy Rule information distribution [mailto:OCR-PRIVACY-LIST@...] On Behalf Of OS OCR PrivacyList, OCR (HHS/OS)
Sent: Monday, August 03, 2009 5:31 PM
To: OCR-PRIVACY-LIST@...
Subject: HHS Secretary delegates HIPAA Security Rule to OCR

 

Announcement

 

Monday, August 3, 2009

 

Secretary Delegates HIPAA Security Rule to OCR

On August 3, 2009 OCR announced that the Secretary of Health and Human Services has delegated to the Director of OCR the authority to administer and enforce the HIPAA Security Rule. This action by Secretary Sebelius will improve HHS’ ability to protect individuals’ health information by combining the authority for administration and enforcement of the Federal standards for health information privacy and security called for in the HIPAA.

The transition of authority for the administration and enforcement of the Security Rule is expected to be seamless with no interruption in the management or processing of any complaints filed prior to the transition. Consumers may continue to submit HIPAA security complaints using the on-line resource – the Administrative Simplification Enforcement Tool (ASET), found at https://htct.hhs.gov/aset.  New security complaints may also be sent to the Office for Civil Rights.  For more information and detailed instructions on how to submit a complaint to OCR, visit the OCR website:   http://www.hhs.gov/ocr/privacy/hipaa/complaints/.   The transition of security complaints from CMS to OCR has no impact on how complaints about Transactions and Code Sets or Unique Identifiers are filed or processed.   CMS retains its enforcement authority for these other HIPAA rules.

 

View the Federal Register notice of the Delegation of Authority at http://www.hhs.gov/ocr/privacy/srdelegationofauthority2009.pdf and the Secretary’s press release at http://www.hhs.gov/news/press/2009pres/08/20090803a.html.

**********************************************************************

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy Rule. For additional information on a wide range of topics about the Privacy Rule, please visit the OCR Privacy website at www.hhs.gov/ocr/hipaa/. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at www.hhs.gov/ocr

If you believe that a person or organization covered by the Privacy Rule (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy Rule, you may file a complaint with OCR. For additional information about how to file a complaint, see the Fact Sheet "How to File a Health Information Privacy Complaint," available at http://www.hhs.gov/ocr/privacyhowtofile.htm .

To subscribe to or unsubscribe from the list serv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A=1


#617 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Sat Aug 1, 2009 2:39 am
Subject: RE: NIST Computer Security Division Releases 2 Special Publications
hitrecruiting

LISTEN UP YA’LL IF YOU ARE RESPONSIBLE FOR ELECTRONIC INFORMATION SECURITY, PAY ATTENTION TO THE FOLLOWING MESSAGE! I AM NOT KIDDING. THIS IS YOUR NEXT PROMOTION AND THIS IS IMPORTANT FOR THE SECURITY AND PRIVACY PROTECTION OF YOUR CLIENTS, CUSTOMERS, PATIENTS, WHATEVER YOU WANT TO CALL THEM. THIS IS THE 3 MGTON SECURITY IS BOMB!

I am now the Education Director for Beckman Oral Motor. It is an awesome protocol for  poor suck, folks with swallowing difficulties, or oro facial weaknesses. I am now setting up the 2010 Beckman Oral Motor Conference Schedule. If you are interested in hosting or sponsoring a Beckman Oral Motor Assessment and Intervention Conference, please give me a call at 407-590-4859 or email me at info@..., or fax me at 843-824-8537. Or visit the website at www.beckmanoralmotor.com

 

Carry on,

Barbara McGowin

 

 


From: compsecpubs@... [mailto:compsecpubs@...] On Behalf Of O'Reilly, Patrick D.
Sent: Friday, July 31, 2009 4:00 PM
To: Multiple recipients of list
Subject: NIST Computer Security Division Releases 2 Special Publications

 

NIST’s Computer Security Division is proud to announce the release of 2 Special Publications – 1 draft and 1 final.

#1 is Special Publication 800-53 Rev. 3 and #2 is Draft Special Publication 800-126

 

PUBLICATION #1: Special Publication 800-53 Revision 3 --

URL to SP 800-53 Rev. 3:   http://csrc.nist.gov/publications/PubsSPs.html#800-53_Rev3

 

NIST announces the final publication of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems. The standardized set of management, operational, and technical controls provide a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems. In addition to the expansion of the security control catalog, Special Publication 800-53, Revision 3 contains significant changes including:

 

  • A simplified, six-step Risk Management Framework;
  • Additional security controls and control enhancements for advanced cyber threats;
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment;
  • Revised security control structure with a new references section;
  • Elimination of security requirements from Supplemental Guidance sections;
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services;
  • Updates to security control baselines consistent with current threat information and known cyber attacks;
  • Organization-level security controls for managing information security programs;
  • Guidance on the management of common controls within organizations; and
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.

 

The important changes described in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. Following the final publication of Special Publication 800-53, Revision 3, the collaborative work between the national security and non national security communities will continue with updates to other key publications such as:

  • NIST Special Publications 800-37, Applying the Risk Management Framework to Federal Information Systems;
  • NIST Special Publication 800-39, Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View;
  • NIST Special Publication 800-30, Guide for Conducting Risk Assessments; and
  • NIST Special Publication 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations.

 

The schedule for the development of all key FISMA-related publications based on new milestones established among the participating partners in the Joint Task Force Transformation Initiative can be found at: http://csrc.nist.gov/groups/SMA/fisma/schedule.html.

 

- - - - - - - - -

PUBLICATION #2: DRAFT Special Publication 800-126 --

URL to Draft SP 800-126:   http://csrc.nist.gov/publications/PubsDrafts.html#800-126

 

NIST announces that Draft Special Publication (SP) 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-126 also provides an overview of SCAP, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces.

 

NIST requests comments on draft SP 800-126 by August 31, 2009. Please submit comments to 800-126comments@... with "Comments SP 800-126" in the subject line.

 


#616 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Thu Jul 23, 2009 3:48 am
Subject: Public Comment Period for X12's 5010 837 Health Care Predetermination TR3s
dafeinberg
The following X12N version 005010 draft Implementation Guides are
presently available for free download, review, and public comment:
    005010X291     Health Care Predetermination:  Professional
    005010X292     Health Care Predetermination:  Institutional.
Public comment on these Implementation Guides is a key step in their X12
Type 3 Technical Report (TR3) publication process.

The public comment period for these guides begins on 23 July 2009 and
will close on Saturday, 22 August 2009, at 5:00 p.m. Eastern time.

The Health Care Predetermination Implementation Guides describe the use
of the ANSI ASC X12 Health Care Claim (837) transaction set for the
submission and transfer of predeterminations to health care payers and
clearinghouses.

The authors especially solicit comments on what is needed to support
predetermination or estimate requests for property and casualty
(including worker's comp) and ambulance and other transport-related
services.

This is X12's only unconstrained public comment period.  The authors of
these guides will consider all comments during and following the public
comment period.  For a complete understanding of changes being suggested
and/or made to these guides, reviewers should monitor the on-line
conferences during the public comment period and consider all author
responses prior to the Informational Forums.  Official authoring work
group responses will be posted to the on-line conferences at least 15
days prior to the Informational Forums.

An announcement of the Informational Forums will be made later.  The
Informational Forums, held during an X12 Trimester Meeting, are the
final X12 opportunity to comment:  but generally only on modifications
based on the received public comments.  After that, the guides are
finalized for movement through the Insurance Subcommittee (X12N) and X12
publication approval processes.

The two draft implementation guides are available for free download at:
http://store.x12.org/x291 and  http://store.x12.org/x292 . Comments on
the drafts may be submitted by anybody -- X12 member or not -- via the
on-line conferences at:
http://www.wpc-edi.com/conferences/tg2/implementationguides .

The two Health Care Predetermination Implementation Guides, 005010X291
and 005010X292, are not counterparts of any that have been adopted
under HIPAA, and no official discussions regarding any such adoption are
presently contemplated.  At this juncture, only voluntary use of these
TR3s is anticipated.

Participation in X12's public comment period for the two Health Care
Predetermination Implementation Guides is open to all who may be
interested; whether or not members of Accredited Standards Committee
X12.  Please participate -- this is the highest leverage opportunity for
anybody outside of the authors to impact this document.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

#615 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Tue Jul 21, 2009 1:53 am
Subject: Fw: CMS' Dedicated Website for Information & Education on Versions 5010, D.0 and 3.0 Now Available!
dafeinberg
 
----- Original Message -----
Sent: Friday, July 17, 2009
Subject: CMS' Dedicated Website for Information & Education on Versions 5010, D.0 and 3.0 Now Available!

CMS Dedicated Website for Information & Education on Versions 5010, D.0 and 3.0 Now Available!

                         

5010:  Taking EDI to the Next Level

CMS has launched its website for agency-wide information and education on Versions 5010, D.0 and 3.0. As you may already know, Version 5010 is the new version of the X12 standards for HIPAA transactions; version D.0 is the new version of the National Council for Prescription Drug Program (NCPDP) standards for pharmacy and supplier transactions; and version 3.0 is a new NCPDP standard for Medicaid pharmacy subrogation.

 

On this website, you can view background information on the new standards, regulatory information, the latest outreach messages from CMS, educational resources, resources specific to D.0 and 3.0, as well as implementation information for the Medicare Fee-For-Service systems.  CMS plans to add additional information as it becomes available so bookmark the site today!

http://www.cms.hhs.gov/Versions5010andD0

 

You can also view the presentation, transcript and listen to the audiofile from the June 9th national provider conference call on Versions 5010 and D.0 on the Educational Resources page or at http://www.cms.hhs.gov/Versions5010andD0/Downloads/6-9-2009_National_Provider_Call.pdf on the CMS website. 

 

###


#614 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Fri Jul 3, 2009 3:32 pm
Subject: Forthcoming Public Comment Periods for X12's 5010 837 Predetermination TR3s
dafeinberg
 
For your near term planning, be advised that X12N is currently putting
the final touches on drafts of two new version 005010 Type 3 Technical
Reports (TR3s):
    005010X291     Health Care Predetermination:  Professional
    005010X292     Health Care Predetermination:  Institutional.
These TR3s describe "the use of the ANSI ASC X12 Health Care Claim (837)
transaction set for the submission and transfer of  ...
predeterminations to health care payers and clearinghouses."

In accordance with X12N's TR3 creation procedures, both of these new
TR3s will be made available for at least thirty days of public comment.
As of the moment, these public comment periods are targeted to begin
sometime during the latter half of this month:  July, 2009.

Thought you might want to know about this as you make your summer
reading lists.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

#613 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Tue Jun 16, 2009 5:34 pm
Subject: NIST Computer Security Division Releases 2 documents (1 draft and 1 final)
hitrecruiting

From: compsecpubs@... [mailto:compsecpubs@...] On Behalf Of O'Reilly, Patrick D.
Sent: Tuesday, June 16, 2009 1:03 PM
To: Multiple recipients of list
Subject: NIST Computer Security Division Releases 2 documents (1 draft and 1 final)

 

NIST Computer Security Division announces the release of two documents (1 draft NIST IR and 1 final Special Publication (SP)).

 

 #1: SP 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, has been published as final. SP 800-46 Revision 1 is intended to help organizations understand and mitigate the risks associated with the technologies they use for telework. The guide emphasizes the importance of securing sensitive information stored on telework devices and transmitted across external networks, and it also provides recommendations for selecting, implementing, and maintaining the necessary security controls. Draft SP 800-46 Revision 1 is a comprehensive update to the original SP 800-46, which was published in 2002.

 

URL to SP 800-46 Rev. 1:

http://csrc.nist.gov/publications/PubsSPs.html#800-46-rev1

 

 

#2: The second public draft of NIST IR 7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities, is now available for public comment. This report proposes a specification for CCSS, a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores would be determined. Once CCSS is finalized and CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.

 

NIST requests comments on Draft NISTIR 7502 by July 17, 2009. Please submit comments to IR7502comments@... with "Comments IR 7502" in the subject line.

 

URL to Draft NIST IR 7502:

http://csrc.nist.gov/publications/PubsDrafts.html#NISTIR_7502

 


#612 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Mon Jun 8, 2009 1:17 am
Subject: NIST Released Final Draft Special Publication 800-53 Revision 3
hitrecruiting

From: compsecpubs@... [mailto:compsecpubs@...] On Behalf Of O'Reilly, Patrick D.
Sent: Wednesday, June 03, 2009 2:16 PM
To: Multiple recipients of list
Subject: NIST Released Final Draft Special Publication 800-53 Revision 3

 

NIST announces the release of the final public draft of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. The final public draft of Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.

 

The standardized set of management, operational, and technical controls provide a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems. The important changes in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. The final publication of Special Publication 800-53, Revision 3 is targeted for July 31, 2009. Comments will be accepted until June 30, 2009 and should be sent to sec-cert@...

 

URL to Draft SP 800-53 Rev. 3:

http://csrc.nist.gov/publications/PubsDrafts.html#800-53_Rev3

 

 

 


#611 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Fri Jun 5, 2009 2:21 pm
Subject: Fw: Second in Series: General Equivalence Mappings – ICD-9-CM to and from ICD-10-CM and ICD-10-PCS Fact Sheet
dafeinberg
 

----- Original Message -----
Sent: Wednesday, June 03, 2009
Subject: Second in Series: General Equivalence Mappings – ICD-9-CM to and from ICD-10-CM and ICD-10-PCS Fact Sheet

The Second in Series:  General Equivalence Mappings – ICD-9-CM to and from ICD-10-CM and ICD-10-PCS Fact Sheet (May 2009), which provides basic information about the General Equivalence Mappings (GEM) including possible users of the GEMs, why the GEMs are needed, and how the GEMs files are formatted as well as Reimbursement Mappings information, is now available in downloadable format from the Centers for Medicare & Medicaid Services Medicare Learning Network at http://www.cms.hhs.gov/MLNProducts/downloads/ICD-10Mappingfctsht.pdf .

 

###


#610 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Wed May 27, 2009 12:43 am
Subject: Fw: Survey: Timeframe to rollout possible revised 1500 claim form
dafeinberg
 
----- Somewhat Edited Original Message -----
From: Nancy Spector
Sent: Thursday, May 21, 2009 2:01 PM
Subject: Survey: Timeframe to rollout possible revised 1500 claim form

The National Uniform Claim Committee (NUCC) is researching the needs for
a possible revised 1500 claim form.  No decision has been made yet about
whether or not we will revise the form, but we need to know if we do
revise it, when would be the best time to roll it out, with the 5010 and
ICD-10 work going on.

We want to make sure that we get the provider perspective on when would
be the best time to roll out a revised form.

The following is a link to a survey asking about the best timeframe to
rollout a revised form.

http://www.surveymonkey.com/s.aspx?sm=E6dM98zYy8EsJp4v_2fqC6hg_3d_3d

Please distribute this link to your constituents and encourage them to
complete the survey.  The deadline for completing the survey is close of
business Wednesday June 10th.

Thanks,

Nancy

Nancy Spector, RN MSC
Director, Electronic Medical Systems
American Medical Association
515 N. State St
Chicago, IL 60654
Phone: 312-464-4059

#609 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Thu May 14, 2009 7:19 pm
Subject: Fw: CMS to Host First National Provider Education Call on HIPAA Version 5010 - June 9, 2009
dafeinberg
 
----- Original Message -----
Sent: Thursday, May 14, 2009
Subject: CMS to Host First National Provider Education Call on HIPAA Version 5010 - June 9, 2009

CMS to Host First National Provider Education Call on HIPAA Version 5010 - June 9, 2009

 

The Centers for Medicare & Medicaid Services (CMS) will host a national education conference call to address the implementation of HIPAA Version 5010. This call is being conducted for all Medicare fee-for-service providers.  The call will give a general overview of the transition to HIPAA Version 5010 and address some of the exceptions and situations you may encounter as the new version is implemented. A presentation will be given and CMS Subject Matter Experts will be available to answer questions. A PowerPoint presentation will be posted on the CMS 5010 Web page prior to the call. The 5010 Web page is located at http://www.cms.hhs.gov/ElectronicBillingEDITrans/18_5010D0.asp

 

 

Conference call details:

Date:  June 9, 2009

Conference Title:  CMS audio conference call: HIPAA Version 5010 - What you need to know!

Time:  2:30 - 4:00 p.m. ET

 

In order to receive the call-in information, you must register for the call. It is important to note that if you are planning to sit in with a group, only one person needs to register to receive the call-in data.  This registration is solely to reserve a phone line, NOT to allow participation.  If you cannot attend the call, replay information is available below.

 

Registration will close at 2:30 p.m. ET on June 8, 2009, or when available space has been filled.  No exceptions will be made, so please be sure to register prior to this time.

 

  1. To register for the call participants need to go to: http://www2.eventsvc.com/palmettogba/060909

  2. Fill in all required data.

  3. Verify your time zone is displayed correctly in the drop down box.

  4. Click "Register".

  5. You will be taken to the "Thank you for registering" page and will receive a confirmation email shortly thereafter.   Note: Please print and save this page, in the event that your server blocks the confirmation emails.  If you do not receive the confirmation email, please check your spam/junk mail filter as it may have been directed there.

 

###


#608 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Thu May 14, 2009 6:38 am
Subject: Fw: X12 Multiple Transactions Surveys
dafeinberg
 
The following is a consolidation of four messages from Gail Kocher, co-chair of Accredited Standard Committee (ASC) X12's HIPAA Implementation and Coordination Work Group.
 
                    Dave Feinberg
                    Rensis Corporation  [A Consulting Company]
                    206-617-1717
                    DAFeinberg@...
                    Author of  "Understanding HIPAA Communications"
 
 
----- Consolidated Original Messages ----- 
The ASC X12 Insurance Subcommittee Health Care Task Group HIPAA Implementation and Coordination Work Group (X12N TG2 WG21) is conducting a short survey designed to capture the health care industry's capability to simultaneously support in long-term production multiple mandated versions of the X12 transactions. Support of multiple versions due to transition periods is out of scope, i.e. supporting a version that will be sunset upon a compliance date in lieu of the other version is not part of this survey.

 

In addition to capability, we are looking to collect some baseline information around the impacts to various stakeholders, specifically implementation costs and timeframes. Costs would include dollars associated with procurement, maintenance, and resources/labor.

 

Survey Links:

 

For software application vendors:

http://www.surveymonkey.com/s.aspx?sm=ilRLrhBMbRk6R8Y3IbRVqg_3d_3d

 

For providers:

http://www.surveymonkey.com/s.aspx?sm=_2bdQ_2bTEOxtjgGT_2fXN_2bh4JYQ_3d_3d

 

For payers:

http://www.surveymonkey.com/s.aspx?sm=qBbJYaI_2buT5BbvhTfa3lMA_3d_3d

 

For clearinghouses or billing services:

http://www.surveymonkey.com/s.aspx?sm=uJ_2bFNr8MlppiH7uvuw3PZg_3d_3d

 

 

Absolutely NO identifying information about responses or respondents will be captured in the survey. Taking the time to respond to the few questions will assist our Work Groups in gathering important information for the development work of X12. All of the questions are visible on one webpage so you may view it first to determine whether you need to consult additional staff within your organization prior to submitting the survey.

 

The survey will close on May 29th.

 

We thank you in advance for your willingness to participate in this survey.

 

###


#607 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Mon May 11, 2009 3:19 pm
Subject: Fw: Reminder and New/Revised Materials for ICD-10-CM/PCS Conference Call
dafeinberg
 
----- Original Message -----
Sent: Monday, May 11, 2009
Subject: Reminder and New/Revised Materials for ICD-10-CM/PCS Conference Call

Reminder:

Providers may now register for the Centers for Medicare & Medicaid Services ICD-10-CM/PCS Implementation and General Equivalence Mappings (Crosswalks) National Provider Conference Call that will be conducted on May 19, 2009 from 1:00 p.m. - 2:30 p.m. Eastern Daylight Time. This conference call will include a discussion of the following topics:

  • An overview of the ICD-10 final rule, which requires the implementation of ICD-10-CM/PCS on October 1, 2013;
  • The differences between ICD-9-CM and ICD-10-CM/PCS codes;
  • The use of the General Equivalence Mappings that have been created to assist in converting policies, edits, and trend data from ICD-9-CM to ICD-10-CM/PCS; and
  • The resources that are available to assist in planning for the transition from ICD-9-CM to ICD-10-CM/PCS.

 

Note:

A new fact sheet has been developed that provides additional information about the ICD-10 General Equivalence Mappings, and the slide presentation that will be discussed during the conference call has been revised. These discussion materials have been posted in the Downloads Section at http://www.cms.hhs.gov/ICD10/07a_2009_CMS_Sponsored_Calls.asp . If you are unable to access the hyperlink in this message, please copy and paste the URL into your Internet browser. 

###

 


#606 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Wed May 6, 2009 3:40 am
Subject: Fw: CMS Releases Special Edition MLN Matters Article
dafeinberg
 
----- Original Message -----
Sent: Monday, May 04, 2009
Subject: CMS Releases Special Edition MLN Matters Article

New from the Medicare Learning Network (MLN):  The Centers for Medicare & Medicaid Services (CMS) Releases a New MLN Matters Article of Particular Interest!

 

SE0904 - An Introductory Overview of the HIPAA 5010

http://www.cms.hhs.gov/MLNMattersArticles/downloads/SE0904.pdf

 

The implementation of HIPAA 5010 presents substantial changes in the content of the data that providers submit with their claims, as well as the data available to them in response to their electronic inquiries.  This Special Edition MLN Matters article alerts providers of these HIPAA changes and how they need to plan for their implementation.

 

###

 


#605 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Wed Apr 22, 2009 12:13 am
Subject: NIST Released Draft SP 800-118 Guide to Enterprise Password Management
hitrecruiting

From: compsecpubs@... [mailto:compsecpubs@...] On Behalf Of Patrick O'Reilly
Sent: Tuesday, April 21, 2009 3:00 PM
To: Multiple recipients of list
Subject: NIST Released Draft SP 800-118

 

DRAFT SP 800-118 Guide to Enterprise Password Management

 

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.

 

NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@... with "Comments SP 800-118" in the subject line.

 

Drafts page URL for 800-118:

http://csrc.nist.gov/publications/PubsDrafts.html#800-118

 

 


#604 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Sat Apr 18, 2009 4:07 pm
Subject: HITECH Act Breach Notification Guidance and Request for Public Comment
hitrecruiting

From: OCR HIPAA Privacy Rule information distribution [mailto:OCR-PRIVACY-LIST@...] On Behalf Of OS OCR PrivacyList, OCR (HHS/OS)
Sent: Friday, April 17, 2009 5:01 PM
To: OCR-PRIVACY-LIST@...
Subject: HITECH Act Breach Notification Guidance and Request for Public Comment

 

HITECH Act Breach Notification Guidance and Request for Public Comment

 

April 17, 2009

 

The U.S. Department of Health and Human Services (HHS) issued guidance today specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).  This guidance was developed through a joint effort by the HHS Office for Civil Rights (OCR), Office of the National Coordinator for Health Information Technology (ONC), and Centers for Medicare and Medicaid Services (CMS).

 

This guidance relates to two forthcoming breach notification regulations – one to be issued by HHS for covered entities and their business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Sec. 13402 of HITECH) and one to be issued by the Federal Trade Commission (FTC) for vendors of personal health records and other non-HIPAA covered entities (Sec. 13407 of HITECH).  HITECH requires these regulations to be published within 180 days of enactment.  If the entities subject to the regulations apply the technologies and methodologies specified in the guidance to secure information, they will not be required to provide the notifications required by the regulations in the event the information is breached.  

 

In addition to this guidance, HHS has also concurrently issued a request for information (RFI) soliciting public comment on the breach notification provisions of the HITECH Act to inform future rulemaking and updates to the guidance.  The guidance and RFI is available at www.hhs.gov/ocr/privacy.  Once published in the Federal Register, the guidance and RFI will also be available for public comment at www.regulations.gov.

**********************************************************************

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy Rule. For additional information on a wide range of topics about the Privacy Rule, please visit the OCR Privacy website at www.hhs.gov/ocr/hipaa/. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at www.hhs.gov/ocr

If you believe that a person or organization covered by the Privacy Rule (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy Rule, you may file a complaint with OCR. For additional information about how to file a complaint, see the Fact Sheet "How to File a Health Information Privacy Complaint," available at http://www.hhs.gov/ocr/privacyhowtofile.htm .

To subscribe to or unsubscribe from the list serv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A=1


#603 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Fri Apr 17, 2009 7:09 pm
Subject: Proposed FTC Breach Notification Rule for EHI
hitrecruiting

From: NESNIPPRIVACY@yahoogroups.com [mailto:NESNIPPRIVACY@yahoogroups.com] On Behalf Of Sheila Wrobel
Sent: Friday, April 17, 2009 9:11 AM
To: NESNIPPRIVACY@yahoogroups.com
Subject: [NESNIPPRIVACY] Proposed FTC Breach Notification Rule for EHI

 




http://www.ftc.gov/opa/2009/04/healthbreach.shtm

http://www.ftc.gov/os/2009/04/R911002healthbreach.pdf


Sheila A. Wrobel, JD, MBA
Compliance Officer/Privacy Officer
University of Nebraska Medical Center
987810 Nebraska Medical Center
Omaha, Nebraska 68198-7810
Ph: (402)559-6767
Fax: (402)559-7845


#602 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Wed Apr 15, 2009 4:27 am
Subject: X12 Version 005010 -- X12N's Responses to NPRM Technical Comments
dafeinberg
 
In the Final Rule adopting X12 version 005010 Type 3 Technical Reports
for HIPAA {Federal Register, Vol. 74, No. 11, 16 January 2009, page
3298, middle of second column and top of third column}, CMS wrote,

     "After publication of the final rule, all of the technical comments
      reviewed by the X12 workgroup, with the dispositions, will be
      posted on the CMS Web site ... as well as on the X12 portal [sic]
      ... ."

X12N's original of this report -- 239 pages -- is now posted at
http://www.x12.org/x12org/subcommittees/X12N/N0221_X12Responses_to_Tech.pdf

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

#601 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Mon Apr 6, 2009 11:56 pm
Subject: Fw: ICD-10 ... New Medicare Learning Network Publication and FAQs Now Available
dafeinberg
 
----- Original Message -----
Sent: Monday, April 06, 2009 11:54 AM
Subject: New Medicare Learning Network Publication and FAQs Now Available for ICD-10

The General Equivalence Mappings - ICD-9-CM To and From ICD-10-CM and ICD-10-PCS Fact Sheet (March 2009), which provides information and resources regarding the General Equivalence Mappings that were developed as a tool to assist with the conversion of International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM) codes to International Classification of Diseases, 10th Edition (ICD-10) and the conversion of ICD-10 codes back to ICD-9-CM, is now available in downloadable format from the Centers for Medicare & Medicaid Services (CMS) Medicare Learning Network at http://www.cms.hhs.gov/MLNProducts/downloads/ICD-10_GEM_factsheet.pdf . The General Equivalence Mappings information discussed in this fact sheet has also been posted in the CMS Frequently Asked Questions database at https://questions.cms.hhs.gov/cgi-bin/cmshhs.cfg/php/enduser/std_alp.php?p_sid=l2s5Zouj . If you are unable to access any of the hyperlinks in this message, please copy and paste the URL into your Internet browser.

--------------------------------------------------------------------------------------------------------------------

Note:  If you have problems accessing any hyperlink in this message, please copy and paste the URL into your Internet browser. 

 


 


#600 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Sat Mar 21, 2009 5:25 pm
Subject: NIST Announces the Release of Information Security Training Draft Special Publication 800-16 Revision 1
hitrecruiting
 
-----Original Message-----
From: compsecpubs@... [mailto:compsecpubs@...] On Behalf Of
Patrick O'Reilly
Sent: Friday, March 20, 2009 4:55 PM
To: Multiple recipients of list
Subject: NIST Announces the Release of Draft Special Publication 800-16
Revision 1


NIST announces the release of the Initial Public Draft (IPD) of
Special Publication 800-16, Revision 1, Information Security Training
Requirements: A Role- and Performance-Based Model. This publication
is now available for public comment.

The comprehensive training methodology provided in this publication
is intended to be used by federal information security professionals
and instructional design specialists to design (1) role-based
training courses or modules for personnel who have been identified as
having significant responsibilities for information security, and (2)
a basics and literacy course for all users of information systems.

We encourage readers to pay special attention to the Notes to
Reviewers section, as we are looking for feedback on the many changes
we have made to this document.

Comments will be accepted until June 26, 2009. Comments should be
forwarded via email to 800-16comments@....

URL to Draft SP 800-16 Rev. 1:
http://csrc.nist.gov/publications/PubsDrafts.html#800-16-rev1


Quick update - in the email sent to list on March 3, the NIST IR 7536
2008 Computer Security Division Annual Report was released.  We have
updated the PDF file for this document.  We now have a final layout
version available which includes charts, graphics, etc.  The text
inside this report did not change.  For those interested in viewing
the final printed version can find the updated PDF file here:

It is a PDF file and depending on your Internet speed, it may take a
couple extra seconds to load - PDF file is about 3.9 MB.
http://csrc.nist.gov/publications/nistir/ir7536/NISTIR-7536_2008-CSD-Annual-Report.pdf

#599 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Thu Mar 19, 2009 2:16 pm
Subject: X12 Version 005010 and ICD-10 Regulations Now In Effect
dafeinberg
 
The official updated HIPAA transactions and code sets regulations
including X12 Version 005010,  ICD-10-CM,  ICD-10-PCS,  and various
NCPDP standards are now in effect as of 3/17/2009.  The online Code of
Federal Regulations (CFR) was updated last night, 3/18/2009, to
incorporate the modifications published in the Federal Register on
1/16/2009.  These most recent complete regulations may be viewed at
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=/ecfrbrowse/Title45/45cfr162_main_02.tpl
starting at Subpart I -- General Provisions for Transactions.


Copies of X12's Type 3 Technical Reports (TR3s) incorporated by
reference into the updated regulations may be obtained via the
following link:
         http://store.X12.org .

As CMS is no longer subsidizing X12 for these documents, it will cost
you directly to have them downloaded or shipped.  Note, though, that
there is a single price for a package of all nine of the adopted version
005010 TR3s, and significant discounts are available to X12 members.

The first page of an online X12 membership application, including a dues
schedule, is located at
https://www.disa.org/apps/memberservices/x12/X12MembershipSection1.cfm


A summary of the changes between the current X12 version 004010 and
004010A1 Implementation Guides and the newly adopted version 005010 TR3s
is available at
http://www.x12.org/x12org/subcommittees/X12N/N0221_WEDI-X12-V5010_file.pdf.
Additionally, playbacks of webinars about the adopted X12 version 005010
TR3s can be arranged via
         http://www.x12.org/webinars/5010.cfm.
Topics covered in these webinars include:
   + the business justification for solutions included in version 005010
   + examples of how the implementation of version 005010 transactions
      addresses industry-requested requirements
   + specific answers to some of the questions from public comments to
      the Notice of Proposed Rule Making (NPRM)
   + details of changes across all affected transactions, including the
      explanatory, technical and structural modifications
   + details of how version 005010 is improved compared to version
      004010 and 004010A1
   + insight from original subject matter experts.
Again note that X12 members receive a discount on webinar fees.


Researched questions regarding the contents of any of X12's version
005010 TR3s for health care, as well as the current HIPAA-adopted 004010
and 004010A1 Implementation Guides, may be submitted to X12's Insurance
Subcommittee Interpretations Portal at www.x12n.org/portal .  Responses
to prior questions -- approximately 575 to date -- are easily located
via the Portal's search feature, and links to other useful sites are
also provided.  The Portal is open to all, and there is no charge for
using it.


Happy implementing to all.  Contact me should you have any questions or
desire any additional information.  And keep in mind that work on the
next iteration, presently version 005050, of the nine HIPAA-adopted X12
TR3s is already in progress.

                     Dave Feinberg
                     Rensis Corporation  [A Consulting Company]
                     206-617-1717
                     DAFeinberg@...
                     Author of  "Understanding HIPAA Communications"

#598 From: "David A. Feinberg, C.D.P." <DAFeinberg@...>
Date: Fri Feb 27, 2009 9:05 pm
Subject: Fw: Enhancements/Updates to NPPES effective March 7, 2009
 
----- Original Message -----
Sent: Friday, February 27, 2009
Subject: Enhancements/Updates to NPPES effective March 7, 2009

On March 7, 2009, the National Plan and Provider Enumeration System (NPPES) will undergo system maintenance.  As such, neither NPPES nor the National Provider Identifier (NPI) Registry will be available on March 7, 2009. 

 

The following enhancements will be incorporated into NPPES:

 

        The NPPES application help page text will be revised to ensure consistency  with the instructions found on the revised National Provider Identifier (NPI) Application/Update Form (CMS-10114 (11/08)).

 

        NPPES web users will be required to change their passwords after the Enumerator has reset them.  When the Enumerator resets a user's password, the user will be redirected to the password reset page in order to change the reset password to a password of his/her choice.  NPPES will also enforce a minimum password length of 8 characters. 

 

The following enhancements will be incorporated into the NPI Registry:

 

        The doing business as (DBA) search feature will be restored.

 

        The NPI Registry will be updated daily. 

 

        The NPI Registry will display all results in all capital letters.  This change will not affect the way information is displayed in a health care provider's NPPES record.

 

Electronic File Interchange (EFI)

In addition, the EFI User Manual and Technical Companion Guide have been revised. The upcoming changes will not impact the EFI XML Schema. 

 

Additional Information

 

Health care providers can apply for an NPI online at https://nppes.cms.hhs.gov .  Health care providers needing assistance with applying for an NPI or updating their data in NPPES records may contact the NPI Enumerator at 1-800-465-3203 or email the request to the NPI Enumerator at CustomerService@....

 

 

-------------------------------------------------------------------------------------------------------------------------------------------------------

Note:  If you have problems accessing any hyperlink in this message, please copy and paste the URL into your Internet browser. 

Please DO NOT respond to this email. This email is a service of CMS and routed through an electronic mail server to communicate Medicare policy and operational changes and/or updates. Responses to this email are not routed to CMS personnel. Inquiries may be sent by going to (http://www.cms.hhs.gov/ContactCMS). Thank you.


#597 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Sat Feb 28, 2009 8:23 pm
Subject: NIST Releases 2 Draft Documents and Mark-up Copy of SP 800-53 Rev. 3
 
-----Original Message-----
From: compsecpubs@... [mailto:compsecpubs@...] On Behalf Of
Patrick O'Reilly
Sent: Friday, February 27, 2009 5:33 PM
To: Multiple recipients of list
Subject: NIST Releases 2 Draft Documents and Mark-up Copy of SP 800-53 Rev. 3


NIST Computer Security Division released 2 draft publications
(Special Publication & NIST Interagency Report) today and 1 Mark-up
Copy of Draft SP --

1. Mark-up copy of Draft Special Publication (SP) 800-53 Revision 3
2. Draft Special Publication 800-81 Revision 1
3. Draft NIST Interagency Report (IR) 7517

1. Draft SP 800-53 Rev. 3: Recommended Security Controls for Federal
Information Systems and Organizations
The following document provides a line-by-line (mark-up copy)
comparison between SP 800-53, Revision 2 and Draft SP 800-53,
Revision 3. It should also be noted that the section of the
publication addressing scoping considerations for scalability, was
inadvertently omitted from the public draft and will be reinstated in
the final publication.

URL: http://csrc.nist.gov/publications/PubsDrafts.html#800-53_Rev3

******

2. Draft SP 800-81 Rev. 1: Secure Domain Name System (DNS) Deployment Guide
NIST has drafted a new version of the document "Secure Domain Name
System (DNS) Deployment Guide (SP 800-81)". This document, after a
review and comment cycle will be published as NIST SP 800-81r1. There
will be two rounds of public comments and this is our posting for the
first one. Federal agencies and private organizations as well as
individuals are invited to review the draft Guidelines and submit
comments to NIST by sending them to SecureDNS@... before March
31, 2009. Comments will be reviewed and posted on the CSRC website.
All comments will be analyzed, consolidated, and used in revising the
draft Guidelines before final publication.

Reviewers of the draft revised Guidelines should note the following
differences and additions:
    (1) Updated Recommendations for all cryptographic operations
relating to digital signing of DNS records, verification of the
signatures, Zone Transfer, Dynamic Updates, key Management and
Authenticated Denial of Existence.
    (2) The additional IETF RFC documents that have formed the basis
for the updated recommendations include: DNSSEC Operational Practices
(RFC 4641), Automated Updates for DNS Security (DNSSEC) Trust Anchors
(RFC 5011), DNS Security (DNSSEC) Hashed Authenticated Denial of
Existence (RFC 5155) and HMAC SHA TSIG Algorithm Identifiers (RFC 4635).
    (3) The FIPS standards and NIST guidelines incorporated into the
updated recommendations include: The Keyed-Hash Message
Authentication Code (HMAC) (FIPS 198-1), Digital Signature Standard
(FIPS 186-3) and Recommendations for Key Management (SP 800-57P1 & SP
800-57P3).
    (4) Illustration of Secure configuration examples using DNS
Software offering NSD, in addition to BIND.

URL: http://csrc.nist.gov/publications/PubsDrafts.html#800-81-rev1

******

3: DRAFT The Common Misuse Scoring System (CMSS): Metrics for
Software Feature Misuse Vulnerabilities
Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring
System (CMSS), is now available for public comment. This report
proposes a specification for CMSS, a set of standardized measures for
the severity of software feature misuse vulnerabilities. NISTIR 7517
also provides examples of how CMSS measures and scores would be
determined. Once CMSS is finalized, CMSS data can assist
organizations in making security decisions based on standardized,
quantitative vulnerability data.

NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please
submit comments to IR7517comments@... with "Comments IR 7517" in
the subject line.

URL: http://csrc.nist.gov/publications/PubsDrafts.html#nistir-7517

#596 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Tue Feb 17, 2009 8:38 pm
Subject: NIST Releases 2 Draft Special Publications
 
-----Original Message-----
From: compsecpubs@... [mailto:compsecpubs@...] On Behalf Of
Patrick O'Reilly
Sent: Tuesday, February 17, 2009 1:15 PM
To: Multiple recipients of list
Subject: NIST Releases 2 Draft Special Publications


You may already have seen these 2 new drafts from Feb. 5-6 on CSRC website.
If not, please review the announcement below --

Document #1:  Draft Special Publication 800-85A-1 "PIV Card
Application and Middleware Interface Test Guidelines (SP800-73-2
compliance)"

NIST has a revised version of NIST Special Publication SP 800-85A
"PIV Card Application and Middleware Interface Test Guidelines
(SP800-73 compliance)". The revised document is titled Draft SP
800-85A-1 "PIV Card Application and Middleware Interface Test
Guidelines (SP800-73-2 compliance)" and is posted on the Computer
Security Resource Center Web site (www.csrc.nist.gov). The revisions
include the additional tests necessary to test some of the optional
features added to the PIV Data Model and Card Interface as well as
the PIV Middleware through specifications SP 800-73-2 Parts 1, 2 and
3. A short summary of the changes is available here. This document,
after a review and comment period, will be published as NIST SP
800-85A-1. Federal agencies and private organizations including test
laboratories as well as individuals are invited to review the draft
Guidelines and submit comments to NIST by sending them to
PIVtesting@... with "Comments on Public Draft SP 800-85A-1" in
the subject line. Comments should be submitted using the comment
template (Excel spreadsheet). The comment period closes at 5:00 EST
(US and Canada) on February 28, 2009. All comments will be analyzed,
consolidated, and used in revising the draft Guidelines before final
publication.

URL to this Draft document:
http://csrc.nist.gov/publications/PubsDrafts.html

--------------

Document #2: Draft Special Publication 800-53 Rev. 3 Recommended
Security Controls for Federal Information Systems and Organizations

NIST announces the release of the Initial Public Draft (IPD) of
Special Publication 800-53, Revision 3, Recommended Security Controls
for Federal Information Systems and Organizations. This is the first
major update of Special Publication 800-53 since its initial
publication in December 2005. We have received excellent feedback
from our customers during the past three years and have taken this
opportunity to provide significant improvements to the security
control catalog. In addition, the changing threat environment and
growing sophistication of cyber attacks necessitated specific changes
to the allocation of security controls and control enhancements in
the low-impact, moderate-impact, and high-impact baselines. We also
continue to work closely with the Department of Defense and the
Office of the Director of National Intelligence under the auspices of
the Committee on National Security Systems on the harmonization of
security control specifications across the federal government. And
lastly, we have added new security controls to address
organization-wide security programs and introduced the concept of a
security program plan to capture security program management
requirements for organizations. The privacy-related material,
originally scheduled to be included in Special Publication 800-53,
Revision 3, will undergo a separate public review process in the near
future and be incorporated into this publication, when completed.
Comments will be accepted until March 27, 2009. Comments should be
forwarded via email to sec-cert@....

URL to Draft SP 800-53 Rev. 3
http://csrc.nist.gov/publications/PubsDrafts.html

#595 From: "Barbara McGowin" <barbaramcgowin@...>
Date: Wed Feb 11, 2009 1:43 pm
Subject: HHS OCR posts new Web site for health information privacy
 

 

 


From: OCR HIPAA Privacy Rule information distribution [mailto:OCR-PRIVACY-LIST@...] On Behalf Of OS OCR PrivacyList, OCR (HHS/OS)
Sent: Tuesday, February 10, 2009 5:08 PM
To: OCR-PRIVACY-LIST@...
Subject: HHS OCR posts new Web site for health information privacy

 

HHS OCR posts new website for health information privacy

 

The Department of Health and Human Services, Office for Civil Rights has posted its new Web site.  The health information privacy (HIP) pages have been extensively revised to improve organization and ease of use for consumers, covered entities and others seeking reliable advice on the HIPAA Privacy Rule and the Patient Safety Rule.

The Web site contains significant new content including

  • For Consumers pages (with new information on):
      • Medical Records
      • Employers and Health Information in the Workplace
      • Personal Representatives
      • Family Members and Friends
      • Court Orders and Subpoenas
      • Notice of Privacy Practices
  • Privacy Rule home page—rulemaking timeline 
  • Enforcement Rule home page—rulemaking timeline 
  • Emergency Preparedness home page 
  • Genetic Information Nondiscrimination Act page  
  • Special Topics home page 
  • Before you File a HIP Complaint 
  • Patient Safety Rule home page 
  • Patient Safety Statute home page 
  • Patient Safety Enforcement Activities and Results home page

You can reach the new health information privacy web pages at http://www.hhs.gov/ocr/privacy/index.html

**********************************************************************

This email is being sent to you from the OCR-Privacy-list listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services.

This is an announce-only list, a resource to distribute information about the HIPAA Privacy Rule. For additional information on a wide range of topics about the Privacy Rule, please visit the OCR Privacy website at www.hhs.gov/ocr/hipaa/. You can also call the OCR Privacy toll-free phone line at (866) 627-7748. Information about OCR's civil rights authorities and responsibilities can be found on the OCR home page at www.hhs.gov/ocr

If you believe that a person or organization covered by the Privacy Rule (a "covered entity") violated your health information privacy rights or otherwise violated the Privacy Rule, you may file a complaint with OCR. For additional information about how to file a complaint, see the Fact Sheet "How to File a Health Information Privacy Complaint," available at http://www.hhs.gov/ocr/privacyhowtofile.htm .

To subscribe to or unsubscribe from the listserv, please go to: http://list.nih.gov/cgi-bin/wa?SUBED1=ocr-privacy-list&A=1


#594 From: "iTech" <expediumx12n@...>
Date: Tue Feb 10, 2009 11:55 am
Subject: expEDIum Claim Browser as a Free Download
 

Hello,

iTech Workshop (iTech), a Data Integration for Healthcare company, announces the availability of the expEDIum Claim Browser (eCB) tool, which supports electronic EDI 837P claim file browsing, as a free download. This utility is aimed at the healthcare market participants that use HIPAA EDI. This tool is available at http://www.itechws.com/downloads.shtml

Loken Singh

Inside Sales - Support Executive

loken@...

www.itechws.com

