IndiaDivine.org

RE: attached a four page paper Did not go through

Guest guest

Emmanuel Segmen, thanks for all your thoughts.

 

I am interested in your attachments - that did not seem to go through - at least at my end.

Can you send them to me either directly or repost.

 

eddy

 

Ed Kasper LAc.

Licensed Acupuncturist & Herbalist

Santa Cruz, CA.

 

Acupuncture is a jab well done

www.HappyHerbalist.com

 

-

 

---

Outgoing mail is certified Virus Free.

Checked by AVG anti-virus system (http://www.grisoft.com).

Version: 6.0.480 / Virus Database: 276 - Release 5/12/2003


Guest guest

I am interested in your attachments - that did not seem to go through - at least at my end. Can you send them to me either directly or repost.

Ed Kasper LAc.

 

Ed, here it is. Nothing scholarly here. This was a quick and dirty one hour effort to collate my thoughts and some websites. I've been aware of the legislation since 1996, but never fully connected the dots until this year. This does not address registration which is unique in each of the 50 states. It presents what HIPAA is and some tech aspects of implementation. I find the tech issues more interesting and even somewhat mind blowing. As a legal hot topic check http://www.gcglaw.com/resources/hipaa/index.html. Enjoy.

Emmanuel Segmen

 

 

 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) can be seen online at http://aspe.hhs.gov/admnsimp/pl104191.htm. HIPAA dramatically altered the role that states traditionally had in regulating health care. Congress enacted HIPAA as an incremental approach to health care reform whereby state and federal government, the private and not for profit healthcare industry as well as individual doctors and clinics must be able to develop a standard approach to consumer protections and marketplace standards. HIPAA actually establishes a federal floor of consumer protections and marketplace standards while allowing states to continue to enforce their own laws that may differ from or exceed boundaries established by the federal government.

The government’s HIPAA summary website - http://aspe.hhs.gov/admnsimp/H3103SUM.HTM - summarizes the provisions as follows:

 

"Standards for electronic health information transactions. Within 18 months of enactment, the Secretary of HHS is required to adopt standards from among those already approved by private standards developing organizations for certain electronic health transactions, including claims, enrollment, eligibility, payment, and coordination of benefits. These standards also must address the security of electronic health information systems.

Mandate on providers and health plans, and timetable. Providers and health plans are required to use the standards for the specified electronic transactions 24 months after they are adopted. Plans and providers may comply directly, or may use a health care clearinghouse. Certain health plans, in particular workers compensation, are not covered.

Privacy. The Secretary is required to recommend privacy standards for health information to Congress 12 months after enactment. If Congress does not enact privacy legislation within 3 years of enactment, the Secretary shall promulgate privacy regulations for individually identifiable electronic health information.

Pre-emption of State Law. The bill supersedes state laws, except where the Secretary determines that the State law is necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance or health plans, addresses controlled substances, or for other purposes. If the Secretary promulgates privacy regulations, those regulations do not pre-empt state laws that impose more stringent requirements. These provisions do not limit a State's ability to require health plan reporting or audits.

Penalties. The bill imposes civil money penalties and prison for certain violations."

The National Governor’s Association provides an HIPAA overview website at http://www.nga.org/center/topics/1,1188,D_4324,00.html in which all 50 states have summarized their approach to this problem under the NGA guidance. If you read all or most of the overview links on the above page, it becomes obvious what the problems are and why it's taken 7 years to kind of get seemingly nowhere in implementing HIPAA. In terms of governmental agencies on the federal level alone, there has to be inter-agency agreement regarding the language of all provisions. Add to this the larger complexity of 50 states and the entire range of private healthcare industry from HMO corporations to individual clinics.

 

The legal issues are around privacy and access. Somehow private doctors and clinics need to communicate seamlessly with hospitals and HMO organizations along with governmental agencies in a manner that details a patient's history without compromising their right to privacy. Medical records are legal documents that are the private property of individuals yet how can you move these records around between so many disparate entities?

A simultaneous hurdle of HIPAA is technological. You have to have a universal software like Microsoft Windows that everyone is using who has the legal right of access to such records. Yet this must be an encrypted software, and it has to travel on the Internet. The software apparently must have lots of bells and whistles to keep out people who are not supposed to see and include people whose job it is to see. The complexity of this project is enormous. Also government and the insurance industry as well as private medical clinics have to agree to cross each other's boundaries. Competing companies will find this difficult. Different governmental agencies will find this difficult. On top of that a whole universe of people have to learn how to use this software and administrate it.

A good article illustrating the IT problems is provided at http://governing.com/1it.htm, "The Anti-Silo Solution: Coming up with the cash and willpower to build IT projects across agency lines" by Ellen Perlman. In this article Perlman notes that the central question is how do you build and fund a high-performance information technology project that can serve more than one agency? She does not even address private industry in this article. She just notes how members of competing governmental agencies find it difficult to agree on policy much less how to supply, share and support data in a common data base. My own feeling after reading Perlman’s article is that the medical profession will become ever more the medical industry as tech support plays as big a role as the accounting department in HMOs as well as in the agencies under Health and Human Services.

Perlman also notes that funding for IT projects is straightforward when done within a single government department with a committee of four to six people. When it is done across many agencies funding gets complex, and there may be six or eight committees that have jurisdiction over the various agencies. She writes that Governor Leavitt of Utah is attempting to pressure all of the agencies in his state to work together to provide a single one stop business registration center.

The Alaska state government website for HIPAA at http://health.hss.state.ak.us/das/is/hipaa/electrans.htm notes that health care organizations both large and small use quite different systems for administration and financial reimbursements. The HIPAA electronic transaction and code set regulations force all agencies to use standardized administrative and financial transactions in an effort to reduce paperwork and increase efficiency and accuracy.

The Alaska government site at http://health.hss.state.ak.us/das/is/hipaa/privacy.htm further states that the compliance date for privacy regulations to be implemented is April, 2003. The Alaska website describes the HIPAA privacy requirements as follows.

Health care organizations are required to create privacy-conscious business practices and data systems, which include the requirement that only the minimum amount of health information necessary is used or disclosed to conduct business. Health care organizations must:

 

Ensure the internal protection of individual health information and implement physical and administrative safeguards.

Implement procedures that limit the use and disclosure of PHI to meet the "minimum necessary" standards.

Develop mechanisms for the accounting and auditing of all disclosures made for purposes other than treatment, payment or operations.

Establish policies and procedures to allow individuals to inspect, copy or correct their health information.

Establish contracts and agreements with business associates that ensure the protection of PHI, which is shared or traded.

Provide privacy training to members of its workforce who have access to PHI.

Establish policies and procedures to allow individuals to log complaints about the entity's information practices.

Designate a privacy official.

Enforce penalties for misuse or inappropriate use of health information.

Create and make available documentation regarding the compliance with all the requirements of the regulation.

 

Phoenix Health Systems provides an HIPAA advisory at http://www.hipaadvisory.com/tech/aspsec.htm that looks at security issues and quotes an article by Paul Krill, a columnist with InfoWorld in Santa Clara, CA. Krill notes that an ASP (application service provider) needs of course to register with the appropriate state agency and then carefully examine SLAs (service level agreements). An ASP would be a clinic or HMO in a particular state. An SLA is a contract between the clinic and the individual or family receiving services from that organization. There is a state mandated code of requirements which comply (or will comply) with HIPAA that governs implementation of the SLA. Issues that Krill brings up include having a third party audit of the ASP, and he describes security as a "process" rather than a "tool" that you can purchase somewhere. Developing a good computer operating system for a multi-shared server will be better than building firewalls to protect data. Privacy and security can be contradictory in multi-shared computer systems. He did not detail specific examples, but I can imagine that many providers may input and retrieve data about a specific patient. Can privacy be maintained in such an environment when medical or even psychiatric data interfaces with accounting department data as well as those who assess risk thresholds? Privacy can only be maintained when each type of access to the patient’s data utilizes its own stream of access.

 

So it has been seven years, and HIPAA is still very much a work in progress. Of course, it may always be such as Internet and information technology advances. It seems that the National Governors Association will take a leading role in arranging for shared funding as well as the sharing of new technologies so that implementation occurs in a uniform manner across the country. A Google search keying for "HIPAA regarding law and security" reveals that all of the 50 states have their own HIPAA oriented website that details the information required by ASPs (application service providers) for registration and compliance in that state. Security and compliance with privacy laws will no doubt evolve with new operating system and Internet technologies. We are not there yet. Many compliance dates exist for year 2003 as you read the state overviews. Thus, there are some strong expectations on the part of state governments for the healthcare industry as a whole to integrate its efforts at data collection and to comply quickly with new HIPAA regulations. Clearly anyone working in the management of an HMO or healthcare clinic in the U.S. will need to learn to interface with new server technologies and become familiar with HIPAA regulations and methods of compliance.
