The New “Red Flags” Rule for Healthcare Providers
Laura Gerdes Long
10/30/09 8:00 AM
Business Law, Employment Law, Health Care
Note: On October 30, 2009, enforcement of the FTC Red Flags Rule was again postponed, this time to June 1, 2010, at Congressional request. Also on October 30, 2009, the U.S. District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys. The American Bar Association had filed a lawsuit against the FTC alleging that a “creditor” cannot include professionals such as lawyers or healthcare providers. In addition, on October 20, 2009, the House of Representatives passed a bill excluding health care, accounting and legal practices with 20 or fewer employees from the definition of “creditor”. That bill has gone to the Senate.
Identity theft is rampant in today’s society. As many as ten million individuals per year become victims of identity theft, and the number of medical identity theft cases is on the rise. In response to this growing problem, several federal agencies jointly promulgated regulations that require certain entities to implement a plan to detect, prevent, and correct identity theft. The “Red Flags Rule” applies to various types of entities, including most healthcare providers. Thus, entities ranging from a small doctor’s office to a hospital must be in compliance with the new Red Flags Rule by the date on which the Federal Trade Commission (“FTC”) begins enforcing the Rule. After that date, an entity may be penalized up to $3,500 per violation. Healthcare providers therefore need to take steps to comply, including creating an Identity Theft Prevention Program.
Before studying the Rule in detail, a healthcare provider must determine whether it is subject to the Rule in the first place. Under the Red Flags Rule, any “creditor” that offers or maintains one or more “covered accounts” is required to develop and implement a written Identity Theft Prevention Program. A “creditor” is defined as any person who regularly extends, renews, or continues credit. Healthcare providers will be considered a “creditor” if they regularly bill patients after the completion of services, allow payment plans after services have been rendered, or aid patients in obtaining credit from other sources (see note).
Under the Rule, a “covered account” is defined as (1) an account a creditor offers or maintains that involves or is designed to permit multiple payments or transactions, and (2) any other account the creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft. The second portion of the definition is very broad and may include records that an entity would not recognize as a “covered account.” For healthcare providers, this definition of “covered account” generally encompasses patient and employee records. Thus, the vast majority of healthcare providers are subject to the Red Flags Rule and must comply.
The New Security Breach Notification Rule
Laura Gerdes Long
09/23/09 8:00 AM
Business Law, HIPAA, Health Care
On August 24, 2009, the Department of Health and Human Services (“HHS”) published in the Federal Register interim final regulations and accompanying commentary with regard to breach notification requirements for unsecured protected health information (“PHI”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
This HHS publication triggers two key dates. The first is September 23, 2009, when employers and health care providers (“covered entities”) are required to comply with the Act’s security breach notification requirements; the second is February 22, 2010, the end of the 180-day enforcement grace period announced by HHS. During that grace period, covered entities need to digest the new requirements, revise existing HIPAA policies and procedures and develop new ones, put in place a security incident response plan, train employees, confer with business associates about security breach response, and negotiate modifications to existing business associate agreements. Employers and health care providers who discover a security breach after that date and fail to provide the required notices may be targeted for an enforcement action.
The breach notification requirement applies only to “unsecured PHI”. HHS has said that, generally, PHI is considered “secured” only if it has been encrypted (in the manner specified in HHS’s guidance, and with the decryption key itself not compromised) or completely destroyed; PHI that is neither is “unsecured”. If all of a covered entity’s PHI is secured in that sense, it does not need to develop internal procedures for notification of security breaches. In any event, practices should review their existing Notice of Privacy Practices and update it with respect to the new notification rule.
Kicking the Habit and Getting Fit Helps Employers’ Bottom Lines
Laura Gerdes Long
02/1/08 2:21 PM
Business Law, Employment Law, HIPAA, Health Care
Employee costs are the bottom line
The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have been struggling to control and minimize the rising costs of health care for their employees. Employers are increasingly forced to transfer health care costs to their employees through higher premiums, copayments and deductibles. Only in the past few years have employers realized that they can assist their employees in improving their overall wellness while at the same time potentially reducing the employers’ health care costs. The methods employers have begun experimenting with include wellness programs, health risk assessments, and education.
Hard, Cruel Facts
Since 2000, U.S. healthcare cost increases have exceeded the overall inflation rate by a factor of two to five. (National Coalition on Healthcare, Economic Cost Fact Sheets.)
George Clooney and HIPAA
Laura Gerdes Long
02/1/08 9:57 AM
HIPAA, Health Care
A recent entertainment news story involving celebrity medical records illustrates the risk that workforce members pose to sensitive medical data and reminds us of the need for continuous vigilance in protecting it. The story is a timely prompt for additional training of workforce members on these issues.
Following a motorcycle accident involving George Clooney and his girlfriend, they were seen at the Palisades Medical Center in New Jersey for their injuries. More than two dozen employees were suspended for a month, without pay, for allegedly accessing Clooney’s confidential medical records. A union representing seven of the suspended nurses said that the employees, although they looked at Clooney’s records, did not divulge any confidential information. The discipline turned on the access itself, not on any onward disclosure: viewing a patient’s records without a work-related need is the problem, whether or not the information goes any further.
Recent Cases Involving Patient Privacy—How Far Does the Duty Go for Employees?
Laura Gerdes Long
01/1/07 6:52 PM
Case Studies, HIPAA, Health Care
On May 24, 2006, the Illinois Supreme Court granted a defendant hospital’s petition for leave to appeal. The decision in this case concerns the extent of an employer’s liability for an employee’s off-site and off-duty breach of a patient’s privacy.
The plaintiff alleged that she was a patient at a particular medical group. Blood samples and/or records were sent to a hospital and examined by a phlebotomist. The phlebotomist revealed the results of those records to the plaintiff’s twin sister at a public tavern. The hospital admitted that the phlebotomist had revealed one fact about the plaintiff, discovered from her medical records, to the plaintiff’s sister at a tavern, but also alleged that when the phlebotomist revealed the information she was not acting within the scope of her employment with the hospital. Although HIPAA does not provide a private cause of action, in Illinois a common-law right-of-privacy cause of action existed for the violation of the plaintiff’s right to privacy.
Physician Practices and Records Transfer in the HIPAA Era
Laura Gerdes Long
01/1/07 6:42 PM
HIPAA, Health Care
In the current environment, it seems that businesses are constantly changing hands, merging or dissolving. The question then is what happens to a patient’s medical records when a medically-based business is bought, sold or dissolved? State laws and HIPAA inform the answer.
In Missouri, patient records under the care, custody and control of a medical licensee must be maintained for a minimum of seven years from the date on which the last professional service was provided. (R.S.Mo. § 334.097).
Personnel Records: What Goes Where
Laura Gerdes Long
01/1/07 6:29 PM
Employment Law, Health Care
Confusion abounds when it comes to deciding which employee personnel records go where, who can access which records and who cannot, and how records should be segregated. Human resource employees have long understood that an employee’s workers’ compensation records should be segregated from the employee’s typical personnel file containing such things as an application for employment, resume and salary change forms.
For the small employer, however, these kinds of decisions must be addressed by management, who may not always be experienced in the nuances of human resource law. In essence, three files should be maintained for each employee:
Employer-Sponsored Group Health Plans & HIPAA’s Third Installment
Laura Gerdes Long
01/1/07 6:20 PM
Employment Law, HIPAA, Health Care
If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of employees’ medical information.
Physician practices typically understand they are “Covered Entities” under HIPAA due to their status as medical providers, but many are unaware they may also carry the title of “Covered Entity” by way of their employer status.