Security model for picture archiving and communication systems.
The modern information revolution has facilitated a metamorphosis of health care delivery wrought with the challenges of securing patient sensitive data. To accommodate this reality, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). While final guidance has not fully been resolved at this time, it is up to the health care community to develop and implement comprehensive security strategies founded on procedural, hardware and software solutions in preparation for future controls. The Virtual Radiology Environment (VRE) Project, a landmark US Army picture archiving and communications system (PACS) implemented across 10 geographically dispersed medical facilities, has addressed that challenge by planning for the secure transmission of medical images and reports over their local (LAN) and wide area network (WAN) infrastructure. Their model, which is transferable to general PACS implementations, encompasses a strategy of application risk and dataflow identification, data auditing, security policy definition, and procedural controls. When combined with hardware and software solutions that are both non-performance limiting and scalable, the comprehensive approach will not only sufficiently address the current security requirements, but also accommodate the natural evolution of the enterprise security model.
Early experience with 'new federalism' in health insurance regulation.
The authors monitored the implementation of the Health Insurance Portability and Accountability Act (HIPAA) from 1997 to 1999. Regulators in all states and relevant federal agencies were interviewed and applicable laws and regulations studied. The authors found that HIPAA changed legal protections for consumers' health coverage in several ways. They examine how the process of regulating such coverage was affected at the state and federal levels and under an emerging partnership of the two. Despite some early implementation challenges, HIPAA's successes have been significant, although limited by the law's incremental nature.
Health care programs: fraud and abuse; revised OIG civil money penalties resulting from public law 104-191. Office of Inspector General (OIG), HHS. Final rule.
This final rule revises the OIG's civil money penalty (CMP) authorities, in conjunction with new and revised provisions set forth in the Health Insurance Portability and Accountability Act of 1996. Among other provisions, this final rulemaking codifies new CMPs for excluded individuals retaining ownership or control interest in an entity; upcoding and claims for medically unnecessary services; offering inducements to beneficiaries; and false certification of eligibility for home health services. This rule also codifies a number of technical corrections to the regulations governing OIG's sanction authorities.
Privacy Act; implementation. Office of Inspector General (OIG), HHS. Final rule.
This final rule exempts the new system of records, the Healthcare Integrity and Protection Data Bank (HIPDB), from certain provisions of the Privacy Act (5 U.S.C. 552a). The establishment of the HIPDB is required by section 1128E of the Social Security Act (the Act), as added by section 221(a) of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Section 1128E of the Act directed the Secretary to establish a national health care fraud and abuse data collection program for the reporting and disclosing of certain final adverse actions taken against health care providers, suppliers or practitioners, and to maintain a data base of final adverse actions taken against health care providers, suppliers and practitioners. Regulations implementing the new HIPDB were published in the Federal Register on October 26, 1999 (64 FR 57740). The exemption being set forth in this rule applies to investigative materials compiled for law enforcement purposes.
Fraud-and-abuse enforcement in Medicare: finding middle ground.
Medicare fraud and abuse cost billions of dollars each year. Yet Congress is considering legislation to hamper enforcement. Providers' anger over enforcement led to a congressional compromise several years ago to limit excesses. If providers and their advocates were to hobble enforcement, this could provoke a backlash. Instead, the existing compromise should be strengthened to accommodate legitimate provider concerns while allowing enforcement against major fraud and abuse. Government should further confine, structure, and check its discretion in applying the False Claims Act. Enhancing the Health Care Financing Administration's capacity to ensure that contractors pay claims properly would remove additional points of friction.
Amendments to Summary Plan Description regulations. Pension and Welfare Benefits Administration, Labor. Final rule.
This document contains a final rule amending the regulations governing the content of the Summary Plan Description (SPD) required to be furnished to employee benefit plan participants and beneficiaries under the Employee Retirement Income Security Act of 1974, as amended (ERISA). These amendments implement information disclosure recommendations of the President's Advisory Commission on Consumer Protection and Quality in the Health Care Industry, as set forth in their November 20, 1997, report, "Consumer Bill of Rights and Responsibilities." Specifically, the amendments clarify benefit, medical provider, and other information required to be disclosed in, or as part of, the SPD of a group health plan and repeal the limited exemption with respect to SPDs of welfare plans providing benefits through qualified health maintenance organizations (HMOs). In addition, this document contains several amendments updating and clarifying provisions relating to the content of SPDs that affect both pension and welfare benefit plans. This document also adopts in final form certain regulations that were effective on an interim basis implementing amendments to ERISA enacted as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This final rule will affect employee pension and welfare benefit plans, including group health plans, as well as administrators, fiduciaries, participants and beneficiaries of such plans.
Standards for privacy of individually identifiable health information. Office of the Assistant Secretary for Planning and Evaluation, DHHS. Final rule.
This rule includes standards to protect the privacy of individually identifiable health information. The rules below, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information. The use of these standards will improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections will begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result in, a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.
Giving patients access to their medical records via the internet: the PCASSO experience.
OBJECTIVE: The Patient-Centered Access to Secure Systems Online (PCASSO) project is designed to apply state-of-the-art security to the communication of clinical information over the Internet. DESIGN: The authors report the legal and regulatory issues associated with deploying the system, and results of its use by providers and patients. Human subject protection concerns raised by the Institutional Review Board focused on three areas: unauthorized access to information by persons other than the patient; the effect of startling or poorly understood information; and the effect of patient access to records on the record-keeping behavior of providers. MEASUREMENTS: Objective and subjective measures of security and usability were obtained. RESULTS: During its initial deployment phase, the project enrolled 216 physicians and 41 patients; of these, 68 physicians and 26 patients used the system one or more times. The system performed as designed, with no unauthorized information access or intrusions detected. Providers rated the usability of the system low because of the complexity of the secure login and other security features and restrictions limiting their access to those patients with whom they had a professional relationship. In contrast, patients rated the usability and functionality of the system favorably. CONCLUSION: High-assurance systems that serve both patients and providers will need to address differing expectations regarding security and ease of use.