www.healthlawyer.com

Health Care Financing Administration Region II Letter Regarding the Use of the Internet

"Health Care Financing Administration

DEPARTMENT OF HEALTH & HUMAN SERVICES

Refer to Region II

Federal Building

26 Federal Plaza

New York NY 10278

REGIONAL OFFICE HMO/CMP LETTER # 97-1 I

TO: ALL REGION II HMOs/CMPs

SUBJECT: Use of Internet Technology Involving Beneficiary Identifiable Information

Reply Requested by October 10, 1997 - ACTION

The purpose of this bulletin is to outline HCFA policies and expectations concerning the use of Internet technology involving beneficiary identifiable information. It also reminds plans that any member and product outreach marketing materials must be approved by the HCFA Regional Office prior to release on the Internet.

In an effort to decrease administrative costs and provide customer friendly services, many plans and insurers have taken advantage of technology for many administrative functions, such as claim submissions, eligibility inquiries, and claim status inquiries. Traditionally, electronic data interchange (EDI) has been employed for these functions, using both batch and interactive transactions.

The increasing use of the Internet promotes potential opportunities for functions currently limited to EDI. However, the open communication environment of the Internet presents many security issues.

Privacy Act provisions apply to any record in a 'systems of records' that is retrievable by an individual's name, social security number or other personal identifier. "Other personal identifier" includes any new identifier assigned by the plan to designate a member. Any personally identifiable and confidential information must be properly protected from disclosure and be made available only to approved staff on a "need-to-know" basis. The Privacy Act protects information maintained in hard copy and electronic formats.

HCFA Information Systems Security Officers have determined that acceptable encryption mechanisms are not currently available for Internet use to insure the degree of privacy HCFA, plans, and contractors are required to maintain. This determination does not include internal networks with dedicated communication lines (e.g., a T1 line) which are secured from external access. Therefore, individually identifiable information may not be made available through the Internet or any internal environment which is not secured from external users.

As a result, any activities using the Internet or an unsecured internal network where the plan provides individual information must cease immediately. Prohibited activities include, but are not limited to, claim/encounter submission, claim status inquiries/responses, eligibility inquiries/responses, remittance notification and individual utilization information. The above activities may take place on secured and dedicated communication lines on a 'need-to-know' basis.

Please submit, to the attention of Mitchell Croll of my staff, a summary of any activities you engage in using the Internet or externally accessible systems. If you have 'dial-up' systems that do not use secured, dedicated communication lines, please include a summary of activities using these systems, as well. The summary should include not only administrative activities mentioned above, but also any member and product outreach, which is subject to review as marketing materials prior to release.

The prohibition of Internet use is not intended to decrease administrative savings available using EDI. Plans are encouraged to utilize EDI to reduce administrative costs and increase efficiency. Final regulations regarding the standardization of EDI transactions are due out no later than February 1998. These regulations are being promulgated under the authority of subtitle F of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and will impact all insurers and all lines of business. If you need further information regarding the standardization requirements defined in HIPAA, there are many Internet resources. Please see the attachment to this bulletin for more information regarding HIPAA and EDI standardization activities. If technological advances are achieved that will provide the proper level of security, HCFA will readdress its policy related to the use of the Internet and internal networks. We will notify plans of any future policy changes regarding the use of the Internet as well as the status of regulation regarding EDI.

Please call Mitchell Croll at (212) 264-2668, if you have any questions regarding the use of the Internet or EDI standardization activities.

Gail Weinreb

Director

Health Plans Branch"



Copyright © 1998, Alan S. Goldberg, Boston, MA, All Rights Reserved

Last Updated: 5/12/98