Top Searches
November 20, 2008
| Digital Health Care > Issues > Karen Trudel of CMS Talks about HIPAA Audits and NPI Issues

Add to Del.icio.us Add to furl Add to digg Add to Connotea
EMail Page
Printer Friendly
Book Mark
Reprint Rights
Karen Trudel of CMS Talks about HIPAA Audits and NPI Issues


By Cindy Atoji

August 19, 2008 | In the wake of one of the largest fines levied by HHS for a HIPAA (Health Insurance Portability and Accountability Act) violation, HIPAA official Karen Trudel says to expect further audits and enforcement proceedings as federal officials begin to extend compliance reviews. “Where appropriate, we will not hesitate to use all of the tools that we have at our disposal,” says Trudel, deputy director of the CMS (Centers for Medicare and Medicaid) Office of HIPAA Standards.

The security breach at Providence Health and Services resulted in a $100,000 HHS (Health and Human Services) fine and a corrective plan to protect patient information, after the Seattle-based firm allegedly failed to properly secure electronic backup media and laptops containing patient health data. “From our perspective, enforcement, especially for security, is something that is multi-faceted,” says Trudel. “So we have the compliance review, our enforcement process and the penalties we can bring to bear if necessary—and all of these are important.”

On the NPI front, despite industry rumblings of a large increase in rejected claims after this spring’s NPI (National Provider Identifier) deadline, Trudel says, “we are rejecting almost no claims because of a lack of NPI. I’d say things are going well.” Trudel spoke with Digital HealthCare & Productivity about HIPAA developments at CMS, which include ePrescribing and personal health records, as well as her thoughts on how well NPI is working.

DHP: What is your role at CMS? 

Trudel: I’m the executive director of the office of e-health standards and services. We have responsibility for HIPAA standards development, with the exception of privacy, which is the Office for Civil Rights, and the HIPAA enforcement process. I also oversee e-prescribing and a number of HIT initiatives, including personal health records.

DHP: CMS hired PricewaterhouseCoopers (PWC) to determine whether health care organizations are complying with HIPAA security standards. How have those reviews been going?

Trudel: At this point they’re looking at covered entities where there has already been a compliant filed. So PWC is looking at the complaint itself and how the covered entity has addressed or fixed the issues involved. In particular, they’re looking at remote access policies and procedures, because remote access, whether it’s laptops, PDAs, or other portable devices, account for a considerable number of the security breaches in the news. It’s an ever increasing problem as these devices proliferate.

We’re about half way through the number of audits we propose to do, and we’ll be turning each of these reviews into a de-identified use case that we’ll be posting on our web site, which will discuss the problem was, the findings, and what they used to solve problem. We hope that this will be instructive to other covered entities that are looking to improve their security compliance. We all know that security is not something that happens—it’s a program that is put into effect. And you have to keep looking at it make sure additional problems aren’t occurring or that people are not following procedures.

DHP: When you say you’re halfway through—are you looking at 10-20 different organizations?

Trudel: We had initially thought 10-14, depending on the size and complexity; I think we are going to look at 10.

DHP: So you’re not going to be looking at entities where there is no filed complaint?

Trudel: Not with this particular contract. In future years, we will begin to expand into compliance reviews of other entities.

DHP: So the May 23 NPI deadline has come and gone. How is it going?

Trudel: We’re not hearing very much—it seems to be going pretty well. Our own Medicare processes are running well. We had started using NPIs in advance of the May 23 date, so we had some expectation of what we were going to see. I know there was a lot of concern but we haven’t seen that concern translate into significant problems where providers are not being reimbursed. There are always pockets of concern when you do something this big but I’m seeing nothing systemic.

DHP: Part of your task is to educate and inform institutions on HIPAA. What are the most common questions or difficulties you encounter?

Trudel: Sometimes just knowing when a person is a covered entity or not and that would seem to be very simplistic. But with respect to the NPI, there was a number of people who didn’t get NPIs because they thought they weren’t covered entities because they didn’t do any billing, such as a physician working in clinic. But they needed an NPI anyway, because that NPI had to go on the clinic bill.

I think with respect to security, one of the most difficult messages has been that we did not provide specific technology requirements. People want a checklist: “tell me what I need to do to become compliant.” We deliberately didn’t do that, because it’s not a one-size-fits-all approach, and what is good for making a small physician’s office HIPAA compliant is not the same as what makes a large hospital system HIPAA compliant, with respect to security. They have figure out, in their own security risk analysis, what their risks are, and what’s best for them to address those risks.

DHP: Can you discuss what CMS is doing to bring the benefits of health information technology to Medicare beneficiaries?

Trudel: One of the main things we’re working on is ePrescribing initiatives. We have developed a number of standards for use under Medicare part D that basically allow for the interoperability of prescription transactions, including medication history transaction, formulary, and benefit information. All of that information can flow between prescribers, pharmacies, and health plans in a structured manner.

We’re also doing some pilot testing to look at potential new standards that will allow us to structure prescription dosing instructions that a physician now writes out in free text. We’re trying to develop standards that will allow that to be structured and codified so that a computer can read it more easily. And we’re pilot testing a drug terminology called RXnorm that would make it easier for physicians to identify a clinical drug.

DHP: What about personal health records (PHRs)? Are you working on anything in that field?

Trudel: We’re really excited about personal health records because we think this is something extremely useful to Medicare beneficiaries, especially those with chronic conditions. As personal health records become more widespread, as people come into Medicare in the next five to ten years, they will have already have experience with PHRs, and they’ll be interested in using them as they come into Medicare. One of the projects that we’re doing right now is a pilot taking place in South Carolina, called MyPHRSC. It provides free access for any Medicare beneficiary who wants to sign up for the PHR tool, called HealthTrio. We’re working with HealthTrio to automatically populate the PHR with Medicare claims data. If you’re familiar with PHRs, this is something of a departure, because many of the PHR tools require a lot of manual entry of information. We’ll go back and do an evaluation to see how beneficial this tool is for Medicare beneficiaries to give us a better idea of how we can better serve this population.

Click here to log in.

0 Comments

Add Comment

Text Only 2000 character limit

Page 1 of 1
White Papers & Special Reports

Waters white paper image
Software Helps Doping Control Lab Streamline Results Management
Sponsored by Waters
The Karolinska University Hospital’s Doping Control Lab tests thousands of samples annually for stimulants, diuretics, and other masking agents. Increased regulatory pressure and new technologies increased the number of samples analyzed creating data management challenges. Waters® NuGenesis® Scientific Data Management System and TargetLynx™ Application Manager software were used to reduce the time required to calculate, review and search results.
Download the case study.


sas whitepaper92
Managed Innovation, Assured Compliance
Sponsored by SAS
Discovery organizations are identifying a lot of promising compounds, but clinical research processes haven't kept pace with timely testing of all those potential therapies. This white paper describes how SAS® Drug Development supports true innovation across the clinical trial process.

In this white paper you will learn how to:

  • Assemble data to foster better collaboration
  • Get up-to-date information during clinical trials
  • Make informed decisions earlier in the trial process
Download now


BlueArc white paper image
Addressing Life Sciences Constantly Growing Data Challenges Research Environments
Sponsored by BlueArc
The continued explosion of raw experimental data, the increased use of video, the growing adoption of new data retention practices, and the move to high throughput computational workflows are all placing new demands on the way life sciences organizations store and manage their data.

Download this white paper to learn about:

  • Factors driving the data explosion in the life sciences
  • New data management issues that must be addressed
  • HPC trends that are placing new demands on storage
  • Storage solution attributes that address performance, manageability, and energy efficiency.
Download now
More White Papers & Special Reports
Life Science Webcasts & Podcasts

Medidata Solutions

Rising Clinical Trial Delays and Costs - Addressing the Cause, Not the Symptoms 

medidata podcastProtocol complexity is taking a toll on clinical study speed and efficiency: increasingly complicated and ambitious protocols are not only burdening sites and study volunteers but are also prolonging trials and increasing expenses. In response, sponsors have turned to global study placement, restructured site relationships and new site management practices, but the problem remains.

This podcast will discuss:

  • Why these responses address only the symptoms, not the underlying cause, of rising clinical trial delays and costs.
  • Results of a recent joint Tufts University / Medidata Solutions study.
  • New metrics benchmarking protocol design trends.
  • Systematic protocol design improvements and why they are essential to clinical trial performance excellence.

Speakers: Ken Getz, Senior Research Fellow at the Tufts Center for the Study of Drug Development, and Ed Seguine, General Manager, Trial Planning Solutions at Medidata.

Download Now 

More Podcasts

Job Openings

Director, Center For Information Technology (CIT) - National Institutes of Health  (NIH), Department of Health and Human Service
Located in Bethesda, MD. This position requires:
• High-level vision, leadership, management, and modernization of CIT programs and services.
• Strategic direction and policy development for CIT long-term operations and objectives.
• Serve as a key IT advisor to the NIH Chief Information Officer.
A TOP SECRET security clearance will be required.  More job detail is found at:  http://www.jobs.nih.gov under the Executive Jobs section.Or contact Ms.Winnie Garner at seniorre@od.nih.gov.  Applications must be received ELECTRONICALLY by (11:59 p.m.), December 17, 2008.  DHHS and NIH are Equal Opportunity Employers

Bioinformatics Manager- Lilly Singapore Centre for Drug Discovery
For more information click here 

Related Resources & Products

Cardiotoxicity: Issues, Technologies, and Solutions for the Future
Cardiotoxicity: Issues, Technologies, and Solutions for the Future
Auditing Techniques for Clinical Research

HIPAA and Human Subjects Research: A Question & Answer Reference Guide (March 2003)

For reprints and/or copyright permission, please contact The YGS Group, 1808 Colonial Village Lane, Lancaster, PA;

(717) 399-1900 ext. 125, or via email to Ashley.Zander@theYGSgroup.com.

Cambridge Healthtech Institute

Footer Image
  • 250 First Avenue, Suite 300
  • Needham MA 02494
  • phone: 781-972-5400
  • fax: 781-972-5425
  • chi@healthtech.com