Patient's Rights and the Required Standardization (Health Insurance and Portability and Accountability Act (HIPAA) of all Medical Forms-

Part I

(4/5/09)- The results of a survey that was published in the online edition of the New England Journal of Medicine showed that only 9% of the more than 2,900 U.S. hospitals that were questioned have electronic health records. The federal government and the Robert Wood Johnson Foundation funded the survey.

David Blumenthal, a Harvard professor, who was recently named by President Obama as the National Coordinator For Health Information Technology, was one of the authors of the survey results.

The survey was sent to hospitals in March 2008. Only 1.5% of hospitals that responded have adopted what the survey's authors define as a comprehensive, hospital-wide system. The Obama stimulus package contains over $19 billion in funding to improve the electronic health system in this country.

The same online edition of the Journal has a second article in which two experts in health information technology at Children's Hospital Boston assert that indiscriminate spending of money on health technology could be a massive waste. The authors of the article, Dr. Kenneth D. Mandl and Dr. Isaac S. Kohane portray the current health record suppliers as offering pre-Internet era software.

The proprietary software would lead to confusion and the inability of one system to communicate with another system. The system should be open to outside programmers, so that they could add on their own applications to the already existing system, similar to what Apple has done with its iPhone.

(3/25/09)- The Social Security Administration (SSA) and MedVirginia LLC (a provider-owned organization, based in Richmond Virginia) announced a first-of-a-kind electronic records exchange system to speed the process of granting disability benefits for million of Americans.

Through the use of new software and services, the SSA will shave the amount of time to process requests for medical records needed to evaluate disability benefits from months to minutes. Applicants must agree to have those medical records released before they can be used in the program.

This project is part of the U.S. Department of Health and Human Services Nationwide Health Information Network (NHIN) Cooperative that was initiated 14 months ago. IBM's Health Information Provider (HSP) developed the new system.

The recently enacted American Recovery and Reinvestment Act of 2009 allocated $19 billion for grants and incentives that utilize health IT in order to save lives by reducing waste and decreasing medical errors.

The SSA uses individual medical records to determine almost 3 million disability claims each year. It is the largest independent federal agency, and will pay $615 billion in Social Security benefits to over 51 million beneficiaries, and provide more than $43 billion in assistance to over 7 million SSI recipients with limited income and assets.

MedViginia LLC was established in 2000, and its organizational purpose is to improve the quality, safety and efficiency of patients through the use of health information technology.

(2/18/09)- The new $787 billion stimulus plan that was passed by Congress, and signed by the president yesterday, contains $19 billion therein for health-information technology. Physicians would get bonuses of between $44,000 to $64,000, and hospitals would get up to $11 million if they show they have computerized their medical-records systems.

The measure also includes Medicare payment penalties for physicians and hospitals that are not using electronic health-records by 2014. Please see our item dated 2/6/09 below.

(2/6/09)- On January 1, 2009 the Centers for Medicare and Medicaid Services (CMS) began paying doctors a bonus if they used e-prescribe for their Medicare patients. The bonus amounts to 2% of charges billed to Medicare for 2009 and 2010, and declines to 0.5% by 2013. Starting in 2012, those physicians who do not prescribe by e-prescribe will have their Medicare reimbursements reduced by 1% and by 2014 by 2%.

The cost of the technology to maintain full electronic medical records is estimated to be between $25,000 to $45,000 per physician. While free software and hardware programs are being offered to some doctors, generally the cost of a stand-alone e-prescribing system, including software and training can cost anywhere between $500 to $2,500.

It is estimated that all chain and about 45% of independent pharmacies now accept electronic prescriptions. According to the Healthcare Information and Management Systems Society, a trade group, about 20% of written prescriptions are never filled.

About 70,000 physicians, or about 12% of all office-based doctors now use e-prescribe. E-prescribing allows doctors to transmit prescriptions via a secure Internet network directly to pharmacies using an office or laptop computer, or a handheld digital device. The Obama administration plans to invest $50 billion over 5 years to encourage broader adoption of health- information technology.

One of the major barriers to e-prescribing are the Federal drug laws that prohibit electronic prescribing of controlled medications such as narcotics, insomnia drugs and anti-depressants.

(1/22/09)- The Centers for Medicare and Medicaid Services (CMS) has adopted a new coding system known as ICD-10 that must be adopted by all doctors and hospitals by 2013. It will increase the number of codes used to describe diagnoses to 68,000 from 13,000 in the current system.

Under the new coding system, hospitals will have 87,000 codes to record medical procedures, up from 3,000 today. The current coding system was adopted about 30 years ago.

(6/26/08)- A proposal from the Drug Enforcement Agency (DEA) is expected that would allow digital prescribing of restricted medications, such as the sleep drugs Ambien and Lunesta. The proposal requires a comment period and could be altered somewhat before becoming final.

This proposal along with the legislation being floated in Congress as discussed in our item dated 6/10/08 should go a long way to encourage the usage of e-prescription writing.

The DEA's proposal is expected to detail certain security requirements for assuring that the controlled drugs, also called scheduled drugs, are being legitimately prescribed by approved medical practitioners. The higher the number is for a restricted drug, the less restricted it is considered. It is expected that drugs in the Schedule II category would be allowed to be e-prescribed.

The results of a government sponsored survey showed that less than 9% of small medical offices with one to three doctors were using computerized medical records. The survey's results were published in a recent edition of the New England Journal of Medicine. Fewer than one in five doctors nationally have started to use computerized medical records, mainly because of the expense initially involved in starting such a program.

Medicare announced a $150 million project that will offer doctors incentives to move from paper to electronic patient record keeping.

(6/20/08)- Microsoft may be beating out Google in the area of consumer-self-controlled personal health record keeping. Kaiser Permanente, the nation's largest nonprofit health maintenance organization with 8.7 members in nine states and the District of Columbia announced it was entering into a partnership with Microsoft with a pilot project beginning in November for such a system.

The initial pilot program will be open for enrollment to 156,000 members of Kaiser.

The product linking Kaiser's patient information with Microsoft's Health Vault person health record service thus adds them to a list of other health providers such as the Mayo Clinic and New York-Presbyterian Hospital.

Google has the Cleveland Clinic and Beth Israel Deaconess Medical Center signed on as its partners in a similar venture.

These programs are aimed at giving the consumer control of their own health records, as well as the responsibility for them. The adoption of Kaiser's internal health record is growing at 100% a year, with 2.25 million of its patients using it to date, according to Anna-Lisa Silvestre, Kaiser's vice president for online services.

Microsoft and Kaiser are using the same Web based format, called Continuity of Care Document, or CCD. Google's format is called Continuity of Care Record, or CCR. Both companies are however committed to supporting both formats.

(6/10/08)- Both Senator Max Baucus (Dem-Mont), chairman of the Senate Finance Committee and Senator Charles Grassley (Rep-Io) the ranking Republican on the panel backed e-prescribing in partial bill outlines that they floated last week.

The e-prescriptions provisions are included in bills that are being presented as part of an overall Medicare legislation intended to deal with the provision in the Medicare law that calls for a cut in physician payments after July 1 by 10.6%. The Senate Finance Committee oversees all Medicare legislation introduced in the Senate.

Both bill outlines propose that for physicians who adopt e-prescribing technology, Medicare payments would be increased by 2% in 2009 and 2010, then a bit less over the next three years. For doctors who don't use e-prescribing, their Medicare payments would be cut by 1% in 2011, increasing up to 2% for 2013 and beyond. Both bills allow for some exceptions.

An estimated 35,000 or fewer than 10% of the doctors in this country use e-prescription technology. Under this system, the prescriptions that they fill out on their computers are sent directly to the patient's pharmacy where it is to be filled. The technology programs can flag dangerous combinations of drugs if it has a full history of the patient's prescription record.

The leading companies in this country that make e-prescribing possible are Cerner Corp.; Quality Systems Inc.'s Next-Gen Healthcare Information Systems Inc. and Allscripts Healthcare Solutions Inc., a company that supplies basic software for physicians free of charge through a coalition, the National ePrescribing Patient Safety Iniative.

(3/4/08)- The Health Insurance Portability and Accountability Act (HIPAA) applies only to "covered entities" who are restricted in revealing any health information that they become aware of. Tech and Internet companies that gather personal health records services are not considered "covered entities", and are therefore not bound by HIPAA provision. The medical record itself is not covered by the act.

"Just because it's medical information, consumers assume that it's protected under federal law; that's not the case", says Pam Dixon, executive director of the World Privacy Forum, a San Diego research group that focuses on privacy issues and that commissioned a report on this matter.

More than 200 vendors, including insurance companies, Internet companies and tech companies are vying to provide digital-health records for consumers. Some employers also promote public health records in conjunction with group-sponsored health plans. In the case of this writer, my employer's health company offers employees $75 in credit card credit if the employee will answer certain health care information

(10/24/07)- Willie Sutton, the notorious bank robber when asked as to why he robbed banks would reply: " I go where the money is" In this same vein, identity thieves are now going after health-care ID and pharmacy cards, since this can be quite a lucrative area for them.

Medical identity theft is on the rise, with at least half-million Americans having been affected by this type of crime, according to Pam Dixon, executive director of the World Privacy Forum, a San Diego research group that focuses on privacy issues.

Strangely enough the Health Insurance Portability and Accountability Act is proving to be an obstacle for many individuals trying to find out if they have been subjected to this type of crime. All patients have the right to access their own medical records, generally within 30 days. In the case of medical identity theft the actual patient, is the criminal, so this might make things more difficult for the victim to straighten out the matter.

The World Privacy Forum has a Web site ( that provides a detailed guide on how to gain access to your medical records, and seek amendments to it, with sample letters that you can send to health-care providers.

Remember that most health-care insurance and pharmacy plans give you the option of following their records on a Web site. In following the record of your health or pharmacy claims, and if you see something amiss, notify the carrier of the problem imediately.

(9/25/07)- The Dossia Network announced that AT&T and the American unit of the French pharmaceutical company Sanofi-Aventis SA have joined with 6 other large companies in the group. For more on the group please see our article dated 7/31/07 below.

The Dossia Network also announced that it would hire a Boston-area hospital group, the Children's Hospital Informatics Program to take over development and eventually operate its Web-based health-records initiative from the Omnimedix Institute. The 8 companies hope to begin testing the electronic-health-record software later this year.

(7/31/07)- The software developer behind the Dossia Network project that involved creating health and medical records for some of the largest American corporations has stopped work on the program. Omnimedix Institute, a Portland Ore., nonprofit organization that was retained to produce the database and network-access has halted work on the project while the two parties have gone to arbitration in connection with their differences.

The publicly identified members of the consortium are: Intel, Applied Materials Inc., BP Plc, Cardinal Health Inc., Pitney Bowes and Wal-Mart. There are two other companies that have signed on to the program but have not disclosed their role in it.

Initially, five corporate sponsors each contributed $1.5 million to fund the project. Dossia had planned to provide a version of its electronic-record software to employers by the middle of 2007, and to begin enrollment in the plan by the fall of this year.

Dossia obtained an injunction in Oregon state court last month preventing Omnimedix from filing suit against it. The two parties are now in arbitration discussions to see if the matter can be resolved.

(7/7/07)- From the "how often has it happened to you department" is the oft told tale of being denied an answer to your question about a loved ones medical problem. The most frequently given reason for the denial is because of "HIPAA". The act, which was passed in 1996, is probably the most misunderstood act encountered by medical professionals.

The act does allow health care providers to share information with others unless the patient denies that permission. The disclosures under the act are voluntary, but at the same time it allows health care providers with a broad discretion.

Mark Rothstein, chairman of a privacy subcommittee that advises the Department of Health and Human Services called unnecessary secrecy a "significant problem". Medical professionals can talk freely to family and friends, unless the patient objects. No signed authorization is needed, and the person receiving the information need not have the legal standing from a health care proxy or power of attorney.

HIPAA defers to state law in the matter of disclosures. Of the 27,758 privacy complaints filed since 2003, the only cases investigated were complaints filed by patients who were denied access to their own health records.

The next time that you are told that you can not have the medical information of a loved one, be polite but adamant, that as long as the patient has not said no, you can get basic information about that loved one.

(12/6/06)- A group of large employers, led by Intel Corp., Wal-Mart Stores Inc., and British Petroleum have announced their plan to provide digital health records to their employees, and to store them in a multimillion-dollar-data warehouse linking hospitals, doctors and pharmacies. The goal of the new plan is to cut costs by having consumers coordinate their own health care among doctors and hospitals.

Each of the employers in the plan will contribute $1.5 million to construct a data warehouse to store and update the e-records. One in place, the plan would allow consumers and insurers to evaluate price and performance data from millions of employees.

The legality of the plan has come into question however, since it may violate the right to privacy of medical records under the Health Insurance and Portability and Accountability Act. The employers forming the group will expect their employees to pick doctors and hospitals willing to use and update their medical records in the database.

The government presently posts pricing information using the fees charged to Medicaid. Groups including- Hospital Quality Alliance, Ambulatory Quality Alliance and the Wisconsin Collaborative for Healthcare Quality rate hospitals and doctor groups on quality.

(8/27/06)- President Bush has signed an executive order that would require federal agencies to disclose the quality and cost of care provided to Medicare beneficiaries, federal employees, the military and veterans. These groups would cover about one-fourth of Americans with health insurance.

President Bush signed the order while visiting in Minnesota along with Health and Human Services Secretary Michael Leavitt. Messieurs Bush and Leavitt called for large employers, unions and state and local governments to follow suit.

Some of the private insurers such as Aetna Inc. and Humana Inc. are already giving more information to their members to help them compare the quality and cost of their insurance.

The order also would require the agencies and their contractors to promote the use of health-care technology and reward consumers who shop for medical care based on quality and value.

(6/15/06)- Effective December 2, 2006, the FDA will require drug wholesalers to be able to trace the "pedigree" of the drugs that they handle, that will enable the authorities to trace every middleman who has handled the drug. The FDA said that the pedigree, which can be either in paper or electronic form, would have to trace the drug's history back to the manufacturer, and hold information including addresses and the lot number of the drug.

In an exception to the rule that was issued by the FDA that stemmed from a law passed in 1988 intended to combat counterfeiting, the three largest wholesalers who would be designated "authorized distributors" need not supply electronic pedigrees. Those three companies are McKesson Corp., Cardinal Health Inc and AmerisourceBergen Corp. The drug companies would be the ones who designate who is an "authorized dealer".

The FDA had repeatedly put a stay on the rules because the drug industry said it lacked practical methods for tracking and tracing all of its products. The tags that will be used can store more information than bar codes, and can be scanned from farther away. Bunches of them can be scanned simultaneously.

The FDA has become an advocate for radio frequency identification, or RFID, after major retailers like Wal-Mart, manufacturers like P&G and the Department of Defense agreed to back standards for tagging in 2003.

A remaining uncertainty is the effect of the radio signals on biological drugs, which consist of purified proteins.

The FDA said that after many years of opening 10 or fewer investigations annually, the caseload jumped to 58 in fiscal year ended September 30, 2004, and that 32 cases have begun so far in fiscal 2005.

(6/6/06)- A trade group for the managed care industry announced that a survey of its members found that 75% of current claims were now electronic, compared with 44% four years ago. These are the types of numbers that demonstrate how the medical industry, the drug industry, and the insurance industry are moving more and more into the electronic era for claims payments.

Almost all pharmacy claims have been submitted electronically since the 1980's. Medicare payments, which were not included in the survey, must be submitted electronically.

The survey was based on a week's worth of transactions some time since last Oct.1 by each of 26 insurance companies in the group, which has 150 member companies over all. The survey also showed that 98% of the accepted claims were paid within 30-days of being received. One in seven claims were returned to the doctor or hospital as "incomplete or incorrect." The survey did not say how many of the claims were denied.

Twenty-nine percent of the claims arrived at the insurer more than a month after the patient was treated.

(11/12/05)- The Department of Health and Human Services (HHS) awarded contracts to 4 consortiums as part of a pilot project that would enable computer technology to help expedite health care record keeping and information. The contracts totaled $18.6 million, which is expected to be only a small fraction of what the 4 groups will invest in their regions. The systems that they build will cover 12 different regions throughout the country.

The four consortiums that won out on these contracts had to beat out a total of 70 corporate groups that bid on this matter. The four winning groups are: Accenture; Computer Sciences Corporation; I.B.M.; and Northrup Grumman. The object of these systems will be to link doctor's offices, clinics and hospitals in computer networks using open data standards so that the different medical professionals could easily exchange medical information

The details of how to achieve the objectives are being left to the companies without interference from the federal government. "This is a hands-off government approach," said Dr. David J.Brailer, who is the coordinator for health information technology in the government.

The companies will create personal digital health records and provide physicians with affordable online access to patient records, diagnostic information and billing. These same electronic networks will also be used to monitor and respond to health emergencies such as epidemics or bio-terrorist attacks.

Each of the four groups has three regions in which it must develop local health networks over the next year. Please keep in mind that patient privacy laws must be adhered to also. The 12 regions in this pilot project include both urban and rural areas.

(10/25/05)- The CMS announced that as of October 1. 2005 it will no longer process any electronic fee-for-service Medicare claim that does not meet standards set by the Health Insurance Portability and Accountability Act  (HIPAA) of 1996. 

IBM became the first major U.S. corporation to start a program that would enable all its 180,000 employees in this country to store all their health information in electronic form. The company's employees initially will be able to input their health information into a Web-based system that will track things like prescription drugs and chronic medical conditions.

Next year, IBM will automatically add insurance-claims information and data about prescriptions filled. In the future the company expects to add test results and medical images such as MRI scans. The company said that it would adhere to all medical privacy regulations, and not sell the information even for those interested in doing statistical health studies about the company's employees.

(7/31/05)- Medicare officials recently announced that they would give, free of charge, software to doctors that would enable them to computerize their offices. The program will begin in August, and the software is a version of a well-proven electronic health record system, called Vista. VA doctors and hospitals have used this system for over two decades

Medicare will also provide a list of companies that have been trained to install and maintain the system. Vista is a system that is particularly difficult to install, but Medicare officials claim that this will not be true for the latest generation of the system. Vista is now in use in over 1,300 Veterans Administration inpatient and outpatient facilities, which maintain more than 10 million records and treat more than 5 million veterans or their families a year.

(6/13/05)- A new ruling handed down by the Justice Department sharply limits the government's ability to criminally prosecute individuals for violations of HIPAA. The ruling, that was signed by Steven G. Bradbury, principal deputy assistant attorney general in charge of the office of legal counsel.

The ruling stated that people who work for an entity covered by the act are not automatically covered by that law and therefore may not be subject to its criminal penalties, which include a $250,000 fine and 10 years in prison for the most serious violations. The opinion comes from the office of legal counsel to the Justice Department and is binding on the executive branch of the government, but not on judges.

(4/27/05)-The latest aspect for increased security as required under the Health Insurance Portability Act of 1996 went into effect on April 1, 2005. The first aspect of the law went into effect in 2002 required providers and payers to use the same format in submitting and processing electronic claims. The second rule went into effect in 2003, and it imposed limits on who is permitted to get medical information about a patient, and supposedly made it easier to get your own medical records, and request changes if you found any errors in the records.

The latest rule requires each medical organization to have an information security chief, a new analysis of security risks, safeguards to address vulnerabilities, and training for employees on how to comply. It requires health-care entities to meet 13 standards on issues involving security of records, and how to respond to security breaches.

Violations of the rule can result in criminal penalties of $250,000 and 10 years in jail. The Department of Health and Human Services is not proactively enforcing the new rule, but it is following up on any complaints filed in connection with any violations of it.

(3/4/05)-The industry group that is supposed to develop the electronic health record standard is the Certification Commission for Healthcare Information Technology. Its members consists of individuals drawn from the technology industry, insurance industry, physicians and other medical professionals, and also from the non-profit industry.

Dr. David J. Brailer, national health information technology coordinator has stated that if the group does not come up with some standardized procedures that would force the federal government to impose such standards, and that could provide a hardship for all parties involved in trying to negotiate such standards. A recent convention held in Dallas, sponsored by the Healthcare Information and Management Systems Society was attended by over 23,000 people shows the growing interest in this area.

In the absence of a national electronic records keeping system regional networks are popping up, and hopefully later on, they will be able to link together to form the core for the national network. Nationally, only about 14% of hospitals and far fewer doctors' offices have purchased their own electronic systems. The Department of Health and Human Services has pledged about $100 million to fund some small pilot projects.

Access to the latest technology will depend on where you live. Residents of Delaware, Massachusetts, California, New York, Colorado and Tennessee are in the forefront of states taking action in this area. Regional medical centers such as the University of Pittsburgh Medical Center is also in the forefront of the electronization of medical records. In Oakland, California the Kaiser Permanente system is being electronized. Altogether there are about 100 state and local groups moving to establish their own local networks.

(2/10/05)- The Bush administration has sent a letter to Congress saying it intended to restore $50 million to the 2005 budget for the office of the administrations' national health information technology coordinator Dr. David J. Brailor. President Bush created the post in May 2004, when at the same time he declared that modernization of America's health system was a priority.

Congress had deleted the $50 million for Dr. Brailor's office in November in the omnibus appropriations bill. At the time Dr. Brailor described the setback as "a bad bounce." The administration has the authority to move $50 million form elsewhere in the budget of the Health and Human Services Department to Dr. Brailor's office. The move does require the approval to do it from Congress, but that is not expected to be a problem

The money will be used to pay for pilot programs that demonstrate the advantages of using electronic records, to develop technology standards for sharing health information while protecting patient privacy and to study policies to encourage investment.

(12/10/04)- The recently approved federal spending bill eliminated the provision for an allocation of $50 million for the National Health Information Technology Office under the leadership of Dr. David J. Brailer, who was appointed the national health information technology coordinator in May 2004. President Bush has previously been on record as favoring the electonicization of all health records. In one of the debates that he held with Senator John Kerry, he stated "We've got to introduce high technology into health care". Even though the amount of this appropriation was a small one, at least it was a step in the right direction. Now even this small amount is no longer available from the federal government, so it will be up to the private sector to assume the leadership in this area.

(12/4/04)- Although we received this email from Stanley Nachimson, several months ago it got lost in the shuffle. We at therubins belatedly send our thanks to him and pass it along to those of you who may be able to take advantage of the sites mentioned therein:

"Dear HIPAA-Regs listserv subscriber:

We want to make you aware the HHS Office for Civil Rights (OCR), which is responsible for implementation of the HIPAA Privacy Rule, has
announced the creation of a listserv to distribute announcements, notices of available resources, and other educational information about
the HIPAA Privacy Rule.
You are receiving this initial mailing because of your interest as a subscriber to other HHS lists relating to similar topics. We encourage
you to take advantage of this new opportunity and register for this tool to receive up-to-date information from OCR.

To subscribe, please follow the attached link, or cut and paste the following URL address into your browser window. or you may go to go to and under browse, select

These instructions can also be found on the OCR website at

OCR also invites you to visit its website,, where a wide range of helpful guidance and technical assistance
materials about the Privacy Rule as well as civil rights are available. OCR continues to add materials to this site, such as a recent letter to
healthcare providers highlighting how educational materials and technical assistance information available at the website respond to
myths about the Privacy Rule. The letter itself can be found at

We trust this information will be helpful to you.

This email is from the US Department of Health and Human Services HIPAA-Regs Listserv. For information on subscribing or unsubscribing,
please go to"

(10/28/04)-The Bush administration hopes to accelerate the transition to electronic patient records. In a report written by Dr. David J. Brailer, who was appointed in May 2004 as the national coordinator for health information, a newly created post. The report "The Decade of Health Information Technology" states that the government should work closely with the private sector to insure common product standards for storing electronic health records, while at the same time protecting the right of privacy that medical patients are entitled to receive.

In the health care industry, the investment in information technology is about $3,000 for each worker, compared with $7,000 per worker for private industry and nearly $15,000 for each worker in the banking industry. A Health Information Technology Leadership Panel of industry executives and health care experts will be created to advise the government on the costs and benefits of health technology, and will report in the fall. Among other steps, the government will create a Web site where Medicare beneficiaries can review customized information about services that they have received. A pilot test of the Web site will be conducted in Indiana some time later this year.

The Mayo Clinic and IBM have agreed to a multi-year collaboration aimed at designing individualization of patient treatment. The goal is to enable a medical professional to ask the computer how the last 100 Mayo clinic patients with the same gender, age and medical history responded to particular treatments. The database is expected to contain the medical records of over 4.4 million patients.

IBM and the Mayo clinic have been working since 2001 to computerize all of Mayo's files from its three hospitals, in Jacksonville, Fla., Scottsdale, Ariz., and Rochester, Minn. The records include lab tests, scans, cardiograms, patient protein and genetic make-up and X-rays. The database will not include any information that could identify specific individuals, so it will not compromise any of the patient privacy laws.

A pilot program that was begun in Louisville, Ky. and Cincinnati, Ohio will be expanded to doctors in Albany, N.Y. and Boston, Mass. that will assist medical professionals financially for implementing technology based patient management systems. The program is called Bridges to Excellence and is run in conjunction with the National Committee for Quality Assurance, a nonprofit organization that monitors health-care quality.

The program is part of a "pay for performance" trend that rewards doctors for quality care. Companies participating in the program include GE, Proctor & Gamble, Ford, Verizon Communications Inc. and United Parcel Services. GE has already paid over $50,000 to reward physicians under the program. The plan is to encourage physicians to switch over to electronic record keeping and patient information records for both quality assuredness and safety. Electronic record keeping is the wave of the future, but the cost will be extremely high.

To qualify for the incentives, doctors have to show that they have implemented certain electronic systems for managing patient care. The annual per-patient bonus is as much as $50. Bridges to Excellence estimate that "the short-term savings achieved by adopting these IT systems are about 4% to 5% of the total cost of care.

In a speech to the American Association of Community Colleges President Bush announced the creation of the office of national health information technology within the Department of Health and Human Services. The purpose of the new office will be to promote the nationwide computerization of U.S. medical records over the next decade.

The new office will begin operating no later than July 2004, and it will be part of the HHS secretary's office. The new office will coordinate and assess all current health-information technology within the HHS. It will set the technical standards for the computerization within the medical industry so that all information will work on one common standard.

The president called the medical record keeping system as it now exists a "19th century" system of keeping medical records, which in turn has been causing patient inconvenience and costly medical mistakes both financially and incorrect medical treatment. As more and more health records will be available over an electronic system computer security of these records becomes more and more of an issue.

URAC, a nonprofit group that audits and accredits quality measures in health-care organizations reported that very few of these organizations are prepared to safeguard the confidentiality of patient data. In April, 2005 new provisions are due to go into effect under a HIPAA that are designed to protect data transmitted and stored electronically.

The URAC report found that just three of the 300 health-care organizations that it examined had comprehensive security -management programs that would meet the HIPAA standards. Lisa A. Galget, a health-information security expert and author of the URAC report, says that most of the health-care organizations have not done the most basic risk analyses and aren't adequately addressing the technical issues and employee practices that affect security. Karen Trudel, acting director of HIPAA standards for CMS, says that she hasn't seen evidence that health-care organizations are far away from compliance with the security rule.

Under proposed rules, which are open for public comment until May 28 banks and other lenders will not be allowed to take your health into account when you apply for a loan. The Fair and Accurate Credit Transaction Act of 2003 prohibits lenders from obtaining or using medical information to determine credit eligibility. Some exceptions will be allowed to this rule. Under one of the proposed exceptions there will be certain situations where the sharing of the information will be allowed for legitimate business purposes..

Bank and credit union regulators including the Federal Reserve drafted the new proposed rules. Under the proposed exception if the lender does take medical information into its formula for determining a loan, it must give equal weight to other financial information on the individual who is applying for the loan. If an applicant for a loan for example owes money to a hospital for a particular treatment that the applicant had undergone, he/she can not be disqualified for the loan just because of that bill. A lender will be able to use medical data with the applicant consent. Medical debts become available when an applicant applies for a mortgage and at the same time needs medical treatment also.

According to eHealth Initiative, a Washington, D.C. based non-profit advocacy group, a nationwide "e-prescription" system could minimize confusion and errors caused by handwritten prescriptions. About $2 billion in savings would come from reduced hospital and doctor visits due to fewer prescribing errors, according to the Center for Information Technology Leadership (CITL), a research organization in Wellesley, Mass., that contributed to the report.

There were 3.7 billion prescriptions issued in 2003 in the U.S., with 8.8 million instances of serious illnesses from drug errors, more than 3 million of which were preventable. According to a survey by the Boston Consulting Group only about 16% of the physicians in this country using the electronic system. The CITL estimates that an electronic system can cost a physician about $122, 000 over a five year period of time.

Milt Freudenheim, writing in an article in the N.Y.Times on April 6, 2004, wrote about how many hospitals are resisting the effort to computerize patient care. The article was entitled: "Many Hospitals Resist Computerized Patient Care." The article spoke about the fact that despite the fact that it is estimated that 98,000 avoidable deaths occur each year caused by mistakes of doctors, nurses and other hospital personnel, only a few dozen medical centers across the country are making use of the latest computerized patient safety systems.

Those facilities that have resisted the effort to computerize argue that it is doubtful that the systems will ever repay for their multi-million dollar costs, and that the systems become outmoded shortly after they have been installed. The article went on to point out that doctors at the Cedars-Sinai Medical Center in Los Angles rebelled at the system that the hospital had installed because the computerized system was too great a distraction from their medical duties. Their resistance forced the hospital to withdraw the computerized system that had already gone online in two-thirds of the 870-bed facility.

President Bush, in his State of the Union address asked Congress for $100 million in next year's budget to finance demonstration projects that would show the effectiveness of the information technology in medical treatment. Senator John Kerry is calling for federal reimbursements to help install computerized patient safety systems in every hospital by the end of the decade.

The article went on to point out that "about 300 of the nation's 4,900 non-governmental hospitals have the systems, including 15 in the New York area". According to a study done for the American Hospital Association and the Federation of American Hospitals by the First Consulting Group of Long Beach California the initial cost for an average-size hospital to install a system was estimated at $7.9 million, including hardware, software licenses and other expenses. The up-keep costs thereafter were estimated to cost about $1.34 million a year.

Mark B. McClellan, former commissioner of the FDA and other officials of the Department of Health and Human Services announced that prescription and over-the-counter medications given to patients in hospitals would require bar codes as a safeguard against medical errors. Bar codes will be required for vaccines, as well as machine-readable information on blood and blood products.

When a patient is admitted into a hospital, the patient will be given a bracelet containing embedded information that can be read when medication is dispensed to him/her. A hand held computer will tell the medical professional whether it is the right medication and whether or not it is being given in the right dosage. According to Dr. McClellan this system can prevent an estimated 500,000 adverse events and transfusion errors over a 20-year period of time.

Drugs already on the market will have two years to comply with the new requirement, while newly approved drugs must include bar codes within 60 days of approval. The drug must contain the drug's National Drug Code number, but manufacturers can also include additional information such as lot or expiration date.

According to data compiled by the Markle Foundation, a nonprofit organization involved in promoting health-care connectivity, only 5% of doctors and about 19% of health-care organizations are using fully operational systems. Wellpoint Health Networks announced that it would spend about $30 million to give either a computer system to automate claims administration, or a hand-held device to facilitate electronic prescriptions for patients to about 20% of its network physicians who treat the largest number of Wellpoint's medical members.

There are about 176,000 network physicians in the company's network, and the other 80% will be able to purchase the equipment at discounted prices. The purpose of the networking improvement is to allow faster submission of claims and receipt of reimbursements. The offer amounts to about a $1,600 gift to approximately 19,000 physicians in California, Georgia, Missouri and Wisconsin. Consultants Cap Gemini Ernst & Young will administer the rollout of the equipment.

England's National Health Service (NHS) plans to spend 10 billion pounds in an effort to electronically link every hospital, clinic and doctor's office in the country. When completed it will electronically connect 30,000 doctors to about 270 hospitals and health trusts. Each of England's 50 million residents will also get an electronic patient record that can be accessed from anywhere in the country.

The nation will be broken into several regions for the purpose of setting up the system. Two contracts valued at 1.9 billion pounds were awarded to Accenture and to Computer Sciences Corp. The contract with Accenture will be for the eastern region of England, which encompasses 9.5 million people, 125 hospitals, 1,500 doctors' offices and 200,000 national health-services staff. Accenture had also won the contract to wire the health systems in northeast England. Computer Sciences won the contract for northwest England.

Under the system patients will be able to book doctor appointments online and physicians can send prescriptions electronically to the pharmacy selected by the patient The plan does not apply to Scotland and Wales, which operate separate health systems.

A lawsuit filed by several doctors, psychotherapists, individuals and 10 consumer groups is about to go to trial in the federal court in Philadelphia in which HHS is accused of violating patients' rights and failing to follow the intent of Congress when it implemented its rules to HIPAA. The plaintiffs are seeking an injunction against rule changes and HHS is seeking to have the case dismissed.

The plaintiffs in the lawsuit allege that the exceptions that HHS provided to the law for "routine use" opens up patients records to a wide variety of organizations even when the patient does not want that information disseminated to any such organizations. These include organizations using the records for decisions abut setting insurance rates, or "business planning and development," "business management and general administrative activity, and or sale, merger or consolidation of health-care entities. Patients do not know that such information is being shared because the HIPAA rules as interpreted by HHS make no requirement that notice be given to the patient.

The plaintiffs allege in their lawsuit that under the HHS rules the medical institution can provide marketing companies with information about the patients for example as part of a marketing survey to see if the patients are satisfied with the treatment that they received in the hospital. HHS states that the consent requirement was removed from the regulations for routine uses of medical information because of the harmful effects that too tight an interpretation of the law could be detrimental to the patients and to medical study information.

There is a new plan in the works that would make patient's medical records more portable, and still be within the limits set by the HIPAA standards. The new plan known as Continuity of Care Record (CCR) would include all relevant facts about a patient's medical condition such as medications, ailments, recent treatments, etc. That data would be electronically capable of being transferred from one medical professional to another without being in violation of HIPAA.

The record could be printed or faxed from one physician to another, and also could be delivered by hand when a patient sees another physician or other medical professional for the first time. CCR has the backing of such prodigious organizations as the American Academy of Family Physicians and the Massachusetts Medical Society. ASTM International, the organization that sets standards on everything from bolts to apparel sizes helped develop the technical standards for the CCR. The Healthcare Information and Management Systems Society, which represents information-technology professionals and companies, is also backing the effort.

Dr. Thomas Sullivan, president of the Massachusetts Medical Society says his group plans to make the electronic form available online early next year. The system will be compatible with any standards the national HL7 Group eventually agrees on as explained below. The system costs about $50,000 but General Electric Co., Siemens AG and six other companies that make the equipment and software have agreed to cut the prices for the system sharply.

Medical-industry leaders have rejected the initial draft, developed at the direction of the Health and Human Services Secretary, Tommy Thompson for an electronic health record system. The system was intended to provide immediate access to patient information, lab reports, medication ordering, drug-interaction checking and public health surveillance operations. Industry representatives voted against the draft at a meeting in Memphis, Tenn.

The proposed draft was to be the first step in electronically joining the nation's hospitals and the doctor's offices. The defeat of the proposal is just another indication as to how complex the issue will be before agreement can be effected in this area. Mr. Thompson had asked the nonprofit standards development group Health Level 7 (HL7) and the National Academy of Science's Institute of Medicine to devise a model system that could be adopted throughout the industry within a two-year time frame. The EHR Collaborative, a combined public-private partnership assumed the task of bringing the industry into the process

Beginning October 16, 2003 all medical organizations, including hospitals, health insurers and the clearing houses they use are supposed to comply with the national standards for electronic transactions for medical claims. Both private companies and Medicare must comply under the terms of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The purpose of this provision was to allow electronic payments to be made under a simplified computerized system.

As of the first two weeks of August, only 11% of Medicare's transactions with providers met the new standards. Under the law, private insurers and Medicare technically are barred from reimbursing doctors and other health professionals for claims that are not formatted correctly after the deadline. Under the terms of the law providers are not even allowed to submit claims unless they are submitted under the new format.

CMS said however that it would continue to pay Medicare claims, as long as the providers filling them out were making a good faith effort to meet the terms of the act. Most insurers have stated that they would be able to use the older systems if necessary, but that will not be the case forever.

Under the law, those that do not comply could be fined $100 per offense up to $25,000 a year. CMS officials said that a grace period would be allowed so that fines would not be imposed unless an organization failed to respond to complaints filed against it for non-compliance. CMS has launched an advertising campaign picturing a faucet gushing money. "Get compliant. Your cash flow depends on it." will be what the ad warns.

Health and Human Services Secretary Tommy Thompson announced that an agreement had been reached with the College of American Pathologists to license the college's medical vocabulary, nicknamed SNOMED. This will improve the ability of medical computers to talk to and understand each other, and lessen the chances for errors to be made. The idea is to use standard terms in patient's computerized files so that information can be transmitted more easily for one medical or insurance facility to another.

He also stated that the Institute of Medicine is developing a standard health record, that the CMS plans to make available to all medical professionals. Presently only 5% of American primary-care providers and 10% to 20% of hospitals use electronic medical records. The software for SNOMED will be made available free of charge, but the medical profession will have to invest money for additional computers and training of their employees. HHS spokesman Bill hall said doctors could begin implementing the electronic system as early as 2004.

The Centers for Disease Control and Prevention (CDC) has posted a memo online at to help clarify the rules about public health and the provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The memo does state that health information can be disclosed without authorization "for the purpose of preventing or controlling disease, injury, or disability," including "public health surveillance, investigation, and intervention."

Bill Pierce, a spokesman for the CMS, says providers and patients should use "simple common sense" in evaluating the law and its intent in connection with health decisions. He pointed out that patients have the responsibility to learn about the new law and act according whenever they feel their rights are being abused or restricted by their medical providers.

The Wall Street Journal had an article in its April 24, 2003 issue written by Charles Forelle entitled "Record Keepers' Bane is Tech Sector's Boon." The article dealt with the subject of how HIPAA is creating a great opportunity for the data storage industry. As an example it discussed the fact that in order to comply with the act's provision's medical tests such as MRIs and CT scans, which had been stored on films which consumed a tremendous amount of space, could instead be stored electronically.

"A provision of HIPAA that went into effect on April 14 requires hospitals to have a system that keeps a log whenever any part of a patient's record is accessed for certain non-medical purposes-a task that is painful if the records are kept on paper or film and scattered across a hospital.""Another provision of HIPAA requires that all electronic patient information be secured."

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is divided into two Titles. Title I "protects health insurance coverage for workers and their families when they change or lose their jobs." Title II of the Act requires "the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data." If you are interested in seeing the exact details of the act please go to

In the majority of cases April 14, 2003 was the date when the new federal rules took effect. Small health plans do not have to comply with the act until April 14, 2004. In general the secretary of HHS can impose civil monetary penalties (CMP) of up to $100 for each violation with the proviso that the total amount of the fine imposed for violations of an identical requirement or prohibition during a calendar year may not exceed $25,000. A CMP may not be imposed for an act that "constitutes an offense punishable" under the criminal provision of U.S.C. 1320d-5(b)(1). The enforcement of the act will be done under the Health and Human Services Department's Office for Civil Rights (OCR) headed by Richard Campbell. With respect to the privacy rules promulgated by the OCR please see

A person or entity, upon whom the Secretary seeks to impose a CMP, must be given written notice and an opportunity for a hearing. He is entitled to be represented by counsel at the hearing, to present witnesses, and to cross-examine any witnesses. If the person wishes to appeal the ruling, he must do so in the U.S. Court of Appeals for the circuit in which the person resides.

The HIPAA provisions apply only to the following persons:

HHS issued the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), and to view these standards in full please go to The new regulations provide protection for the privacy of certain individually identifiable health information, referred to as Protected Health Information (PHI). Public health practice is provided for as an exception in certain situations in the collection and surveillance of health data.

Statistical data or data stripped of individual identifiers require no individual privacy protections and are not covered by the Privacy Rule. With respect to individuals, they are vested with the following rights:

The act goes on to specify when and how PHIs may be disclosed by a covered entity. Please consult the Privacy Rule and OCR guidance rules to see the exact nature as to when and how the disclosure can be made. Wide latitude is given in the cases wherein public health matters are involved. The covered entity must provide an accounting of the disclosures upon written request by an individual whose PHI was divulged.

Notice must be given of any disclosures of PHIs . The notices must be in plain language and clearly posted. The Privacy Rule provides for disclosures without individual authorization for public health and for certain research purposes. The Privacy Rule preemptsany contrary state laws relating to an individual's health information.  

The new rules will require doctors, hospitals, health plans and others to take steps to protect any medical information that may be in their possession. At the same time the act will also enable patients to manage their medical records. Patient's consent will be required before doctors can disclose data to employers, marketers or life insurance companies.

Under the act, health insurance providers will be required to give you a lengthy form that will state your rights. The form must also explain the health provider's obligations and tell you how to file a complaint. You can file a written complaint with the HHS in case you feel that a violation of the act has taken place against you. The complaint must be filed within 180 days of the alleged violation. HHS has plans to set up a site at that will give you information about how to file a complaint for a violation of the act. You also will be able to complain to the privacy officer at the place where the violation supposedly occurred.

If you are hospitalized, you can ask the hospital not to discuss your condition with certain people, including the media. You will be entitled to get a copy of all your medical records and request any changes if you find that it contains some error or errors. You will be able to request that your medical professional can call you only at work or only at home depending on what in particular is your choice. You can request that appointment notifications be sent in a closed envelope and not by open post card.

Your consent is not required when one of your physicians discusses your case with another physician as long as the discussion is in the course of the usual "health-care operations." Medical payments may be discussed among health-care professionals as long as it is part of the usual "health-care operation."

Your consent must be required before your health information can be used for marketing purposes. In most cases the form that explains the patients rights will have to be signed by the patient, but if you don't sign it, it does not mean that you are not protected by the act. The health-care provider will simply note your refusal to sign the form.

Materials that seem like advertising still can be sent to patients without their consent. Thus a drug company can still pay a pharmacy to send out a letter about a new product to patients with a certain disease. The pharmacy need not disclose that the drug company has paid them to send out the letter. The reasoning behind this involves the dissemination of information that may be helpful as an educational piece of information, and also it meets the constitutional requirement of free speech.

Hospitals are allowed to continue to provide basic information to callers who ask about a specific patient by name. This may mean only a one or two word description as to the patient's condition, and also the room number and/or telephone number for the patient, unless requested not to do so by the patient. The new rules will not necessarily mean that a teenager can keep their medical information secret from their parents. In these cases, the state law on confidentiality will prevail.

According to the results of a survey of 300 technology officers conducted by the Healthcare Information and Management Systems Society, the top priority issue that they faced was to reduce the errors in the medical profession. Over 60% of those responding listed this as the top issue versus the 46% that listed it as the top issue last year. Even though hospitals have only until April 2003 to comply with the rules governing the electronic transfer of patient information to outsiders such as insurance companies and other providers, the issue of errors was deemed to be more pressing by those responding to the survey.

Some 55% of health-care technology executives cited internal breaches of patient records as their biggest security issue. Amazingly enough, some 70% of the health-care executives projected an increase in their information-technology budgets over the next 12 months. About 25% of the respondents to the survey said that lack of financial support would prevent them from obtaining new technology in this area.

The mandated requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were due to go into effect in 2002. For anybody associated with the health care industry this act will means changes, and that in turn means we will all be affected by the act. Because of problems encountered in setting rates and computerizing the systems of the various components, the requirements did not go into effect until April 14, 2003. 

A little know portion of the act requires the standardization of all forms utilized in connection with medical information. This means that all medical bills, lab reports, hospital records, etc must be formatted in the exact same manner. The agency that heads the project in regards to setting out all the various rules and regulations to be set under the law is the Centers for Medicare and Medicaid Service's (CMS) Office of Clinical Standards and Quality.

The changes required by HIPAA may be quite costly for the health-care industry. It will mean that new software will have to be developed to conform to the new rules and regulations, while at the same time making obsolete much of the present software that the industry uses. Consultants are estimating that the hospitals alone will incur many billions of dollars in expense in connection with the changes.

On the other hand we can look at it from the point of view as to how much can be saved by the efficiencies that such a system will create over the long haul. Under a standardized system every insurance company will have to use the same forms. Every medical record will be standardized. Medicare and Medicaid records and the medical industry in general will work off the same basic forms instead of the myriad of forms that are now in use in the industry.

The following is an email that we received from the Department of Health and Human Services concerning obtaining continuing information about HIPAA:

Dear HIPAA-Regs listserv subscriber:
We want to make you aware the HHS Office for Civil Rights (OCR), which is responsible for implementation of the HIPAA Privacy Rule, has announced the creation of a listserv to distribute announcements, notices of available resources, and other educational information about the HIPAA Privacy Rule.

You are receiving this initial mailing because of your interest as a subscriber to other HHS lists relating to similar topics. We encourage you to take advantage of this new opportunity and register for this tool to receive up-to-date information from OCR.

OCR also invites you to visit its website,, where a wide range of helpful guidance and technical assistance materials about the Privacy Rule as well as civil rights are available. OCR continues to add materials to this site, such as a recent letter to healthcare providers highlighting how educational materials and technical assistance information available at the website respond to myths about the Privacy Rule.

We trust this information will be helpful to you.

This email is from the US Department of Health and Human Services HIPAA-Regs Listserv. For information on subscribing or un-subscribing,
please go to

Please do not reply to this message. 

To view Patient's Rights and the Required Standardization (Health Insurance and Portability and Accountability Act (HIPAA) of all Medical Forms-Part II


By Allan Rubin
updated April 5, 2009

To e-mail: or

Return to Home