Whoa, Monica! Back off a bit!

Please note that my comments are specific to the Health Insurance Portability & Accountability Act and its enabling regulations. HIPAA specifically addresses standards for health care claims and other financial transactions.

I have applauded the CDC's and HL7's support, endorsement and adoption of the ebMS - and have also been a vocal supporter of ebXML in all of the health care venues in which I participate. Furthermore, it is my hope that CDC and HL7 may lead the way to DHHS/CMS to relaxing its current position re the use of the Internet. As per the extract from this PM:

==============
Program Memorandum
Department of Health & Human Services (DHHS)
Intermediaries/Carriers
Centers for Medicare & Medicaid Services (CMS)
Transmittal AB-02-145
Date: OCTOBER 25, 2002
CHANGE REQUEST 2264

SUBJECT: Electronic Patient Records Via Non-Internet Means

Recently, a number of contractors have asked whether it would be a violation of CMS security policy to allow a provider to send electronic patient records to the contractor via non-Internet means. Electronic patient records are patient medical diagnosis and treatment documentation in any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, archived, retrieved, or distributed by a computer system.

The purpose of this Program Memorandum (PM) is to clarify the CMS policy with respect to the authority the contractor has to accept electronic patient records from providers via non-Internet telecommunication networks.

Section 5 of the Business Partners Systems Security Manual (www.cms.hhs.gov/manuals/117_systems_security/BP_Sys_Security_man.asp) states that Health care transactions (such as claims, remittances, medical records, etc.) "are prohibited between Medicare carriers/intermediaries and providers over the Internet. This Internet prohibition also applies to using the Internet to transport CMS Privacy Act-protected data between carriers/intermediaries and any other party. (See http://www.hcfa.gov/security/isecplcy.htm for a definition of protected data.). [emphasis added]" The Manual is silent on the transmission of electronic patient records over non-Internet networks (e.g., dial up telephone lines, leased telephone lines, private networks).
================

Notwithstanding the CDC and HL7 efforts, CMS (The Centers for Medicare and Medicaid Services), within the U.S. Department of Health & Human Services, continues to steadfastly prohibit the use of the Internet for the transmission of Medicare patient data, and this prohibition is forestalling the effective use of Internet web-based solutions for the electronic exchange of health care claim attachments, among others.

Neither the CDC nor HL7 are subject to the HIPAA legislation and its enabling regulations.

And lastly, even though ebMS addresses the issue of security, etc., it does not ipso facto mean that there are now affordable, easy-to-use, interoperable encryption solutions that can be used by the vast majority of small health care providers, health plans, billing services, and the myriad small businesses providing services to health care. Actually, as a result of HIPAA's privacy and security regulations many health care provider organizations now have prohibited the use of email until such time as such easy, affordable and interoperable solutions are available. Additionally, many small health care providers won't even allow Internet access to their office staff.

The health care industry has miles to go before it will be ubiquitously leveraging the Internet and portions of the ebXML framework.

Rachel

-----Original Message-----
From: Monica J. Martin [mailto:Monica.Martin@Sun.COM]
Sent: Tuesday, July 13, 2004 1:00 PM
To: rachel@rfa-edi.com
Cc: ebxml-dev@lists.ebxml.org
Subject: Re: SV: [Fwd: Re: [xml-dev] Edi complexity, does ebxml really reduce it?]

>Foerster: The second major hurdle is the HIPAA Security Regulation
>which requires that HIPAA covered entities must **address** the use of
>encryption when using insecure networks to transmit electronic
>protected health information (ePHI). Given that more than 80% of
>health care organizations in the U.S. can be classified as small
>businesses, they are totally reliant on their application systems and
>other vendors to provide the enabling technologies at an affordable
>cost. Without a **standard** interoperable encryption solution that
>can be used by the hundreds of thousands of small healthcare providers
>as easily as they use a fax today with diverse and disparate systems,
>exploiting the Internet and ebXML will remain a dream and a vision
>(although one that I've been dreaming of for years!!!)
>
>
mm1: Then answer why a major health related exchange has implemented the use of ebMS and encryption, the Center of Disease Control and why HL7 is recommending use of ebMS? Reference for both at: www.ebxmlforum.org/ (latter) and http://www.ebxml.org/case_studies/documents/casestudy_cdc_phinms.pdf (former). Making generalized statements can only cause confusion. Thanks.

The ebxml-dev list is sponsored by OASIS <http://www.oasis-open.org>
The list archives are at http://lists.ebxml.org/archives/ebxml-dev/
To subscribe or unsubscribe from this list use the subscription manager: <http://www.oasis-open.org/mlmanage/>