<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Danna McKitrick Articles &#187; The New “Red Flags” Rule for Healthcare Providers :: Danna McKitrick Articles</title>
	<atom:link href="http://www.dannamckitrick.com/articles/author/laura-gerdes-long/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dannamckitrick.com/articles</link>
	<description>Articles on law-related topics by Danna McKitrick&#039;s attorneys</description>
	<lastBuildDate>Fri, 30 Dec 2011 18:33:11 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>The New “Red Flags” Rule for Healthcare Providers</title>
		<link>http://www.dannamckitrick.com/articles/2009/10/the-new-%e2%80%9cred-flags%e2%80%9d-rule-for-healthcare-providers/</link>
		<comments>http://www.dannamckitrick.com/articles/2009/10/the-new-%e2%80%9cred-flags%e2%80%9d-rule-for-healthcare-providers/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 15:00:50 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Business Law]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[David Binder]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=631</guid>
		<description><![CDATA[NOTE: After numerous postponements of implementation of the FTC Red Flags Rule, President Obama signed the Red Flags Program Clarification Act of 2010 (“Act”) on December 18, 2010, which was effective January 1, 2011. This Act limits the scope of the Red Flags Rule by narrowing the definition of a “creditor”, which the Federal Trade [...]]]></description>
			<content:encoded><![CDATA[<p><em>NOTE: After numerous postponements of implementation of the FTC Red Flags Rule, President Obama signed the Red Flags Program Clarification Act of 2010 (“Act”) on December 18, 2010, which was effective January 1, 2011. This Act limits the scope of the Red Flags Rule by narrowing the definition of a “creditor”, which the Federal Trade Commission had previously broadly interpreted to include all health care providers, among other service professionals.</em></p>
<p><em>The Act amends the definition of a creditor to mean any creditor that (i) in the ordinary course of business obtains or uses credit reports in connection with a credit transaction, (ii) furnishes information to a credit reporting agency in connection with a credit transaction, or (iii) advances funds to a person on the obligation of repayment. Under this new definition, typically physicians and attorneys will not be considered creditors for purposes of the Red Flags Rule.</em></p>
<p><em>Certain healthcare providers, however, that use or obtain consumer reports routinely in connection with credit transactions or that furnish information to consumer reporting agencies may still meet the definition and thus be subject to the Red Flags Rule. This potentially means that hospitals or physician groups that routinely submit information about non-paying patients to collection agencies, which in turn submit such information to credit reporting agencies, will need to be in compliance with the Red Flags Rule.</em></p>
<p><em>In the end, the underlying reason for implementing an identity theft program, such as the one required under the Red Flags Rule, is to help prevent identity theft. Therefore, whether or not a health care provider is directly affected by the Red Flags Rule by falling within the definition of creditor, providers should still be encouraged to implement an Identity Theft Prevention Program to detect warning signs, or “red flags”, that could indicate identity theft.</em></p>
<p>Identity theft is rampant in today’s society. As many as ten million individuals per year become victims of identity theft, and the number of medical identity theft cases is on the rise. In response to this growing problem, several federal agencies jointly promulgated regulations that require certain entities to implement a plan to detect, prevent, and correct identity theft. The “Red Flags Rule” applies to various types of entities, including most healthcare providers. <a href="http://www.ftc.gov/redflagsrule" target="_blank">Thus, entities ranging from a small doctor’s office to a hospital must be in compliance with the new Red Flags Rule by the date on which the Federal Trade Commission (“FTC”) will begin enforcing the Rule</a>. After that date, an entity may be penalized up to $3,500 per violation. Thus, healthcare providers need to take steps to comply, including creating an <em>Identity Theft Prevention Program</em>.</p>
<p><span>Before understanding the Rule, a <span>healthcare</span> provider must determine whether it is subject to the Rule in the first place. Under the Red Flags Rule, any “creditor” that offers or maintains one or more “covered accounts” is required to develop and implement a written </span><em>Identity Theft Prevention Program</em><span>. A “creditor” is defined as any person who regularly extends, renews, or continues credit. <span>Healthcare</span> providers will be considered a “creditor” if they regularly bill patients after the completion of services, allow payment plans after services have been rendered, or aid patients in obtaining credit from other sources </span><em>(see note)</em>.</p>
<p><span>Under the Rule, a “covered account” is defined as (1) an account a creditor offers or maintains that involves or is designed to permit multiple payments or transactions, and (2) any other account the creditor offers or maintains for which there is a reasonably foreseeable risk of identity theft. The second portion of the definition is very broad and may include records that an entity may not recognize as a “covered account.” For <span>healthcare</span> providers, this definition of “covered account” generally encompasses patient and employee records. Thus, the vast majority of <span>healthcare</span> providers are subject to the Red Flags Rule and must comply.</span></p>
<p><span id="more-631"></span></p>
<h3>Development of Identity Theft Prevention Program</h3>
<p>With proper guidance, a healthcare provider can establish an <em>Identity Theft Prevention Program</em> that will comply with the Red Flags Rule. The Red Flags Rule does not require any specific practices or procedures, because it provides flexibility to tailor a Program to the nature of the business and the risks it faces. In other words, the Program is scalable to the size and complexity of the entity and the nature and scope of its activities. In the case of a company at high risk for identity theft, such as a large hospital system, the Program may need more robust procedures, including strict verification procedures for each and every patient’s identity. However, such extensive procedures would be inappropriate for a low-risk company, such as a solo practitioner, who can identify and verify each patient. Thus, there are no set procedures for a Program; it is a discretionary decision that should be made by someone knowledgeable about the business and its day-to-day operations.</p>
<p>Although the Red Flags Rule does not establish specific procedures, it does require that any Program include “reasonable” policies and procedures to:</p>
<ul>
<li>Identify relevant patterns, practices, and specific kinds of activity that may be “red flags” signaling possible identity theft;</li>
<li>Detect red flags;</li>
<li>Respond to those detected red flags to prevent and mitigate identity theft; and </li>
<li>Update the Program periodically to reflect changes in identity theft risks.</li>
</ul>
<p><span>For red flag identification, a <span>healthcare</span> provider should review its own experiences with identity theft and incorporate that knowledge into the Program. Red flags should include concerns raised by patients &#8212; both internally and externally. Some examples of such red flags could be suspicious account activity, inconsistent personally identifying information, inconsistent medical histories, and possibly altered identification documents. For red flag detection, a <span>healthcare</span> provider should state what procedures will be in place in the day-to-day operations to detect red flags, which may include procedures to authenticate a new patient and verify the validity of any changed information. For prevention and mitigation of identity theft, a <span>healthcare</span> provider should take necessary steps such as notifying the real patient or law enforcement, monitoring an account and correcting the medical record. Lastly, a <span>healthcare</span> provider must periodically review and reflect on its experience with identity theft and update its Program to verify the effectiveness of the Program.</span></p>
<p>Even if the Red Flags Rule does not apply to your practice, it may still be advisable to develop an <em>Identity Theft Prevention Program</em>. In the event of a medical identity theft, the federal government and health insurance companies may require a healthcare provider to pay reimbursement for claims made. Furthermore, if a healthcare provider files a claim and later learns that medical identity theft has occurred without taking corrective measures, the provider may be subject to criminal and civil penalties based upon fraud. Importantly, medical identity theft also puts the life of the victim at risk, which plainly could lead to potential civil liability for a healthcare provider. False entries in a medical history can lead to improper medical treatment, denial or exhaustion of health insurance, or an individual’s uninsurability for life or health insurance. An <em>Identity Theft Prevention Program</em> is an important tool for a healthcare provider to minimize its liability and risks, and risks to its patients, even if it is not subject to the new Red Flags Rule.</p>
<p>The task of developing an <em>Identity Theft Prevention Program</em> may seem daunting, but a provider should not feel overwhelmed. A successful Program for a healthcare provider will build on existing efforts already in use to combat fraud and protect patient privacy. A healthcare provider should review and adapt its current tools used to comply with HIPAA and state privacy, security, and breach notification laws to satisfy the new Red Flags Rule. Thus, with its current tools and available resources, a healthcare provider is already on the way to developing a compliant <em>Identity Theft Prevention Program</em>.</p>
<h3>Implementation and Administration</h3>
<p><span><span>Healthcare</span> providers must be mindful of key issues regarding the implementation and administration of an </span><em>Identity Theft Prevention Program</em><span>. Staff training and delegation of duties may generate issues for a <span>healthcare</span> provider attempting to implement and administer such a Program. Internal staff must be trained as necessary. If a <span>healthcare</span> provider outsources or subcontracts portions of its operations that would be covered by the Red Flags Rule, then the Program must address how the provider will monitor the contractor’s compliance. Furthermore, periodic supervision and review after any incident of identity theft will be invaluable to the proper functioning of a Program.</span></p>
<p><span>Management and the board of directors of a <span>healthcare</span> provider are required by the Red Flags Rule to play a central role in the creation, implementation and continued administration of the Program. According to the regulations, either the board of directors, or an appropriate committee thereof, must approve the initial written Program. Other responsibilities include assigning specific responsibility for the Program’s implementation, reviewing staff reports about how the practice is complying with the Rule, and approving important changes to the Program. The board of directors should also receive at least annual reports regarding the administration of the Program. Thus, it is critical that a board of directors or management remain active in the administration of the Program to ensure compliance with the Rule. Mere creation of a Program will not shield a <span>healthcare</span> provider from civil fines under the Red Flags Rule.</span></p>
<h3>Conclusion</h3>
<p>When the FTC begins enforcing the Red Flags Rule, it will require any entity that regularly extends, renews, or continues credit concerning a “covered account” to develop and implement an <em>Identity Theft Prevention Program</em>. The Rule does not set specific procedures, but the Program must identify how the entity will:</p>
<ul>
<li>Identify red flags; </li>
<li>Detect red flags; </li>
<li>Prevent and mitigate identity theft; and </li>
<li>Update its Program.</li>
</ul>
<p><span>As long as a <span>healthcare</span> provider begins with its current tools and available resources, it can develop a Program that complies with the Rule. In the implementation and administration, a <span>healthcare</span> provider must be mindful of certain issues, such as delegation of operations, and its board of directors and management must maintain periodic supervision. Although the task may seem daunting, a <span>healthcare</span> provider can successfully comply with the requirements of the new Red Flags Rule, if it takes the proper steps now.</span></p>
<p><span>This article was co-authored by <a href="http://www.dannamckitrick.com/people/long.php">Laura Gerdes Long</a> &amp; <a href="http://www.dannamckitrick.com/people/binder.php">David Binder</a>.</span></p>
<p><span>Note updated 1/24/2011.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2009/10/the-new-%e2%80%9cred-flags%e2%80%9d-rule-for-healthcare-providers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The New Security Breach Notification Rule</title>
		<link>http://www.dannamckitrick.com/articles/2009/09/the-new-security-breach-notification-rule/</link>
		<comments>http://www.dannamckitrick.com/articles/2009/09/the-new-security-breach-notification-rule/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 15:00:00 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Business Law]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=608</guid>
		<description><![CDATA[On August 24, 2009, the Department of Health and Human Services (“HHS”) published in the Federal Register interim final regulations and accompanying commentary with regard to breach notification requirements for unsecured protected health information (“PHI”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”). This HHS publication triggers two key deadlines, [...]]]></description>
			<content:encoded><![CDATA[<p>On August 24, 2009, the <a href="http://www.hhs.gov" target="_blank">Department of Health and Human Services (“HHS”)</a> published in the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html" target="_blank"><em>Federal Register</em> interim final regulations</a> and accompanying commentary with regard to breach notification requirements for unsecured protected health information (“PHI”) under the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).</p>
<p>This HHS publication triggers two key deadlines: the first is <strong>September 23, 2009</strong>, when employers and health care providers (“covered entities”) will be required to comply with the Act’s security breach notification requirements; the second is <strong>February 22, 2010</strong>, the end of the 180-day enforcement grace period announced by HHS. Accordingly, during this 180-day grace period, covered entities need to digest the new requirements, revise existing HIPAA policies and procedures and develop new ones, put in place a security incident response plan, train employees, confer with business associates about security breach response, and negotiate modifications to existing business associate agreements. Employers and health care providers who discover a security breach after that date and fail to provide the required notices may be targeted for an enforcement action.</p>
<p>A security breach notification will only apply to <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html" target="_blank">“unsecured PHI”</a>. PHI that is not encrypted or completely destroyed is considered “unsecured” by HHS. Generally, the only way HHS has said that PHI would be considered “secured” is if it is encrypted or completely destroyed. If that is the case, then the covered entity does <em><strong>not</strong></em> need to develop internal procedures for notification of security breaches. In any event, those practices should review their existing Notice of Privacy Practices to update it with respect to the new notification rule.</p>
<p><span id="more-608"></span></p>
<h3>WHAT IS A “BREACH” REQUIRING NOTIFICATION UNDER THE RULE?</h3>
<p>HHS has defined “breach” to mean a use or disclosure of unsecured PHI in violation of the HIPAA Privacy Rule. As we learned when the <a href="http://www.hhs.gov/ocr/privacy/" target="_blank">Privacy Rule</a> was implemented, PHI generally cannot be used or disclosed without the individual’s prior, written authorization. However, the Privacy Rule also contains a laundry list of exceptions to the general rule. Consequently, covered entities may often have to scrutinize the Privacy Rule to determine whether a breach, indeed, even occurred. Hence, a breach will only occur if the following requirements are met:</p>
<ul>
<li>the information is “unsecure” PHI;</li>
<li>the information was used or disclosed in an unauthorized manner (see, HIPAA Privacy Rule); and</li>
<li>the use or disclosure poses a “significant risk of financial, reputational, or other harm to the individual”. To determine if such a harm has occurred, the covered entity must review factors such as:</li>
</ul>
<p style="padding-left: 60px;">(a) to whom the information was disclosed;<br />
(b) the type of information disclosed;<br />
(c) what steps were taken that mitigate the potential harm to the individual; and<br />
(d) whether the use or disclosure falls under an exception listed in the statute. The exceptions are:</p>
<p style="padding-left: 60px;"><em>(i) Unintentional access by a covered entity’s or business associate’s employee</em>. Such access must be in good faith, within the employee’s course and scope of employment, and not result in further use or disclosure. HHS provided an example of a nurse mistakenly sending an e-mail with PHI to a hospital billing employee, who opens it in the normal course of business but then deletes the e-mail and notifies the nurse.<br />
<em>(ii) Inadvertent disclosure from one covered entity or business associate employee to another similarly situated employee</em>. HHS explains that the information should not be further used and that “similarly situated” means both employees must be authorized to access the information. For example, a doctor and billing employee may be similarly situated, because they are both authorized to view PHI, but a doctor and a receptionist may not be or, for example, when a doctor inadvertently gives a patient chart to a nurse who is not responsible for the doctor’s patients.<br />
<em>(iii) The recipient would not reasonably have been able to retain the information</em>. For example, a nurse gives out incorrect discharge papers, but immediately discovers the error and takes them back.</p>
<h3>NOTIFICATION OF BREACHES</h3>
<p>If a breach occurs, then the covered entity must notify the individual “without unreasonable delay”, but no later than 60 days after discovery of the breach. HHS notes that, if a business associate is an “agent” of the covered entity, the business associate’s discovery of the breach will be imputed to the covered entity.</p>
<p>If the breach involves 500 or more individuals, the covered entity must notify HHS at the same time it notifies the affected individuals. Breaches involving fewer than 500 individuals must be logged, and a log must be submitted to HHS by March 1st of the following calendar year.</p>
<p>There are also provisions for what needs to be done if a breach involves 500 or more individuals from an entire state or jurisdiction. Since business associates are impacted by the discovery and breach notification, covered entities should address those matters in their business associates agreements or vendor agreements, by rewriting or amending those agreements.</p>
<h3>WHAT MUST THE NOTICE SAY?</h3>
<p>The Notice must be written in plain language and contain five (5) subject areas:</p>
<ol>
<li>a brief description of what happened, including the date of the breach and the date the breach was discovered, if known</li>
<li>the types of unsecured PHI involved in the breach (e.g., Social Security number, full name, date of birth, home address, account number, diagnosis)</li>
<li>steps that affected individuals can take to reduce the risk of harm from the breach</li>
<li>a brief description of the covered entity’s investigation, efforts to mitigate harm to affected individuals and steps taken to prevent a recurrence of breaches</li>
<li>contact information for people to ask questions and obtain information, including a toll-free telephone number, e-mail address, website or postal address.</li>
</ol>
<p>HHS has devised electronic notification forms on its website for submitting notice of breach to the Secretary. These requirements are in accord with the Privacy Rule that requires each covered entity to take reasonable steps to mitigate the harmful effects of an unauthorized use or disclosure of PHI.</p>
<p>There are also provisions for substitute notice under the HHS rules.</p>
<h3>THE EFFECT ON STATE SECURITY BREACH NOTIFICATION LAWS</h3>
<p>HHS has said that the HIPAA requirements do not pre-empt state notice law and that covered entities will be required to comply with both sets of laws when both are applicable. For example, where a state law requires notification within five days, HHS says notice within this period also would satisfy the new HIPAA requirements, so the two laws do not conflict. Similarly, if a state law requires additional elements be included in a notice, HHS says there would be no conflict because a covered entity could develop a notice that satisfies both laws.</p>
<h3>STEPS FOR COVERED ENTITIES</h3>
<ul>
<li>Establish notice procedures for a security breach response plan</li>
<li>Implement systems for detecting a security breach</li>
<li>Maintain a breach log</li>
<li>Train workforce members on their role in responding to a security breach</li>
<li>Revise business associate agreements to address security breaches</li>
<li>Revise HIPAA policies and procedures regarding training, complaints, and sanctions, as applicable</li>
<li>Update address lists for patients and/or plan participants to reduce the number of return notices in the event of a breach.</li>
</ul>
<p>This is only a short review of considerations. Consultation with an attorney is advised to ensure that all matters specific to your practice have been covered. If you have further questions or if you would like to set up an appointment to discuss your practice’s protected health information needs, please contact <a href="http://www.dannamckitrick.com/people/long.php">Laura Gerdes Long, Esq</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2009/09/the-new-security-breach-notification-rule/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Kicking the Habit and Getting Fit Helps Employers&#8217; Bottom Lines</title>
		<link>http://www.dannamckitrick.com/articles/2008/02/kicking-the-habit-and-getting-fit-helps-employers-bottom-lines/</link>
		<comments>http://www.dannamckitrick.com/articles/2008/02/kicking-the-habit-and-getting-fit-helps-employers-bottom-lines/#comments</comments>
		<pubDate>Fri, 01 Feb 2008 21:21:13 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Business Law]]></category>
		<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=3</guid>
		<description><![CDATA[Employee costs are the bottom line The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have been struggling to control and minimize the rising costs of health care for their employees. Employers are increasingly forced to transfer health care costs to their employees through [...]]]></description>
			<content:encoded><![CDATA[<h3>Employee costs are the bottom line</h3>
<p>The fact is that employee costs, and curbing those costs, are the “bottom line” for most employers. For years, employers have been struggling to control and minimize the rising costs of health care for their employees. Employers are increasingly forced to transfer health care costs to their employees through higher premiums, copayments and deductibles. Only in the past few years have employers realized that they can assist their employees in improving their overall wellness, while at the same time potentially reducing the employers’ health care costs. The methods that employers have begun experimenting with include implementing wellness programs, offering health risk assessments, and education.</p>
<h3>Hard, Cruel Facts</h3>
<p>Since 2000 U.S. healthcare cost increases have exceeded the overall inflation rate by a factor of two to five times. (<a href="www.nchc.org">National Coalition on Healthcare</a>, <em>Economic Cost Fact Sheets</em>.)</p>
<p><span id="more-3"></span>At the same time, employees’ contributions to employer-provided health insurance have increased an average of 143%, with their out-of-pocket costs, including co-payments and deductibles, also increasing an average of 115%. <em>Id</em>.</p>
<p>Countless studies have shown that certain conditions impact employers’ costs, overall, and not only for health care.</p>
<ul>
<li>For example, survey findings recently reported in the Archives of Internal Medicine found that obese employee medical claim costs were seven times higher than average and those employees missed 13 times more work days. (<em>Ostbye T., et al.</em>, <em>Obesity and Workers’ Compensation</em>, 167 Arch Intern. Med. 766-773 April 23, 2007).</li>
<li>A study conducted by the Centers for Disease Control found that the cost increase for obese employees, combining medical costs and absenteeism, ranges from an additional $460.00 to $2,500.00 per employee. (<a href="www.Forbes.com"><em>Forbes</em></a>, 10/05/2006, <em>U.S. Companies Embrace Wellness Programs</em>).</li>
<li>Some estimates put the annual medical costs of smoking and the illnesses that link to it, such as cancer and heart disease, at $150 billion or more. (September 2007, <em>HR Magazine</em>, 115).</li>
</ul>
<h3>How wellness programs can help employers</h3>
<p>With all of this bad news, what is an employer to do? Final federal regulations have been released for wellness programs and may provide one approach for improving employee health and potentially reducing health care costs. (71 Fed. Reg. 75014 (Dec. 13, 2006); 45 C.F.R. Part 146). These new, final rules and guidelines are detailed in the <em>Health Insurance Portability and Accountability Act’s (HIPAA) </em>non-discrimination and wellness program rules. These HIPAA regulations were issued, and will be enforced, by the <a href="http://www.irs.gov/">Internal Revenue Service</a>, the <a href="http://www.dol.gov/">Department of Labor</a>, and the <a href="http://www.hhs.gov/">Department of Health and Human Services</a>.</p>
<h3>What is a wellness program?</h3>
<p>A <em>wellness program</em> is defined as “any program designed to promote health or prevent disease.” (71 Fed. Reg. at 75035; 45 C.F.R. at § 146.121(f)). The wellness plan must make participation in the program available to all similarly situated individuals, and cannot condition a reward on an individual satisfying a standard based on a health factor. <em>Id.</em> For example, an employer can provide a waiver of co-payments for preventive care; reimbursement for participation in a smoking cessation program, without regard to success; rewards for attendance at monthly health education seminars; a diagnostic testing program that provides a reward for participation and does not base any part of the reward on outcomes; and reimbursement of fitness center memberships. <em>Id.</em></p>
<h3>What are some employers doing?</h3>
<p>Wellness programs take a myriad of forms. Some wellness programs include employers providing educational materials about health choices, health risk assessments or free gym memberships. Other plans integrate a variety of elements, including nutritional counseling, screenings, use of health data to target high cost diseases, and incentives to motivate physical activity.</p>
<p>Recently, <a href="http://www.guardianlife.com/">Guardian Insurance</a>, in conjunction with <a href="http://www.healthways.com/">Healthways’ Whole Health Networks</a>, started offering programs, including complimentary nutrition coaches, tai chi, yoga and pilates, and membership fees at gyms such as <a href="http://www.ballyfitness.com/">Bally’s Total Fitness</a>, in addition to discounts for weight loss programs, <a href="http://www.jennycraig.com/">Jenny Craig</a> and <a href="http://www.weightwatchers.com/Index.aspx">Weight Watchers</a> (<a href="www.forbes.com"><em>Forbes</em></a>/2007/05/29/pilates-yoga-taichi-leadmanage-ex).</p>
<h3>Some of the nitty gritty (the regulations, a/k/a, “boring lawyer stuff”)</h3>
<p>Under the HIPAA prohibition against discrimination on the basis of health status, there exist eight health factors:</p>
<ul>
<li>health status,</li>
<li>medical condition (both physical and mental),</li>
<li>claims experience,</li>
<li>receipt of health care,</li>
<li>medical history,</li>
<li>genetic information,</li>
<li>evidence of insurability, and</li>
<li>disability.</li>
</ul>
<p>What this means is that employees cannot be denied eligibility or charged a higher premium based on one or more of those health factors. It is essential that the employer be aware that the HIPAA non-discrimination rules generally prohibit group health plans from discriminating against individuals based on certain health factors. In other words, a plan cannot penalize an employee who is unsuccessful in ending their nicotine habit after attending a smoking cessation program. Similarly, an employer cannot charge greater premiums to employees with a body mass index over 25.</p>
<p>Thus, if a wellness program conditions a reward on satisfying some standard, based on such health factors, then the regulations require the program to meet five criteria:</p>
<ul>
<li>the value of the reward must not exceed 20% of the cost of employee-only coverage (or 20% of the cost of the coverage in which any employee and any dependents are enrolled);</li>
<li>the program must be reasonably designed to promote health or prevent disease;</li>
<li>the program must give individuals an opportunity to qualify for the reward under the program at least once per year;</li>
<li>the reward must be available to all similarly situated individuals, including a reasonable alternative which must be offered to those individuals for whom it is unreasonably difficult or medically unadvisable to participate; and</li>
<li>the health plan must disclose the availability of the alternative standard in any plan materials describing the terms of the wellness program.</li>
</ul>
<p>(71 Fed. Reg. at 75036; 45 C.F.R. § 146.121(f)(2).)</p>
<p>As for the fifth criterion, a wellness program must include some sort of alternative standard for employees who cannot reach a particular target. Sometimes employers have to fashion alternative standards on a case-by-case basis. For example, a premium discount may be offered to employees who walk five miles per week, but there must be an alternative, such as teaching a class about cardio fitness instead, or offering swimming opportunities. Employers may also pay for employees’ gym memberships or nutritionist services, or give policy discounts to employees who lower their cholesterol. But if an individual is genetically predisposed to having high cholesterol, and provides verification from a doctor, that individual cannot be penalized.</p>
<p>This “alternative method” is a common-sense approach, which HIPAA requires by using a “reasonably designed” standard to balance employers’ need to experiment with various programs that give employees an incentive to participate against the need to protect employees from plans that are mere subterfuge for discrimination. Many examples of such alternatives, and the kind of language that may be used to satisfy these requirements, are included in the comments to the Federal Rules at 71 Fed. Reg. at 75036-75038.</p>
<h3>A summary:</h3>
<p>Thus, Wellness Programs allow for a lot of experimentation by employers while, at the same time, providing employees an opportunity to receive an offered reward for their efforts at maintaining a healthy lifestyle. Of course, other laws may intersect with various provisions of the regulations, such as the <a href="http://www.ada.gov/">Americans With Disabilities Act</a> (ADA). Generally, to comply with the ADA, the incentives should be voluntary, and any medical information gathered in connection with the incentive should be kept confidential and separate from the employees’ personnel records.</p>
<p>In summary, by following a few simple rules and sometimes thinking “outside the box” in terms of developing a program to assist your employees with creating and maintaining a healthy lifestyle, employers may gain a group of employees who are healthier, less likely to become sick, and who are, hopefully, happier. Definitely, a win-win situation for both employees and employers.</p>
<p><strong>Caveat</strong>: As usual, these rules can be complicated stuff. They are not all inclusive or applicable in all contexts and, although the <a href="http://www.dannamckitrick.com/Laura-Gerdes-Long.php">author</a> is a lawyer, she is not your lawyer. So, enjoy the article, but if you are ready to jump onto the wellness parade, please <a href="http://www.dannamckitrick.com/healthcare-industry.php">consult a lawyer</a> qualified to advise you on these matters relative to your specific situation.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2009/05/2007-long-employees-getting-fit-helps-employers-bottom-lines.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2008/02/kicking-the-habit-and-getting-fit-helps-employers-bottom-lines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Missouri’s Cafeteria Plan Mandate: Effective January 1, 2008</title>
		<link>http://www.dannamckitrick.com/articles/2008/02/missouri%e2%80%99s-cafeteria-plan-mandate-effective-january-1-2008/</link>
		<comments>http://www.dannamckitrick.com/articles/2008/02/missouri%e2%80%99s-cafeteria-plan-mandate-effective-january-1-2008/#comments</comments>
		<pubDate>Fri, 01 Feb 2008 17:05:49 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Health Care]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=121</guid>
		<description><![CDATA[As part of the “Missouri Health Insurance Portability and Accountability Act” (§§ 376.350 to 376.454), Missouri passed new legislation joining other states in requiring certain employers to establish cafeteria plans, meeting Section 125 of the Internal Revenue Code. All cafeteria plans let employees pay for health coverage with pre-tax dollars, which effectively lowers the cost [...]]]></description>
			<content:encoded><![CDATA[<p>As part of the “<a href="http://www.senate.mo.gov/07info/bts_web/Bill.aspx?SessionType=R&amp;BillID=251793">Missouri Health Insurance Portability and Accountability Act</a>” (§§ 376.350 to 376.454), Missouri passed new legislation joining other states in requiring certain employers to establish cafeteria plans, meeting Section 125 of the Internal Revenue Code.</p>
<p>All cafeteria plans let employees pay for health coverage with pre-tax dollars, which effectively lowers the cost of coverage and may make it more affordable for employees.</p>
<p><a href="http://www.senate.mo.gov/07info/BTS_Web/HouseBillSumm.aspx?SessionType=R&amp;BillID=251793"><span id="more-121"></span>Missouri House Bill 818</a> (new Missouri Revised Statute § 376.453) applies to employers who provide and contribute to insured health coverage. The law, however, does not apply to employers who offer health insurance through any self-insured or self-funded group health benefit plan. No penalty for non-compliance has been described in the law. Thus, any other employer that provides insured health coverage and pays any portion of the premium must now establish a premium-only section 125 plan.</p>
<p>Unfortunately, state regulators have not issued any guidance yet, and the law is fairly ambiguous. There are open questions as to the size of employer affected, the application of the law to employers that are headquartered outside of Missouri, and to employers that provide both insured and self-insured plans.</p>
<p>Employers are cautioned to watch for State regulations and communications from their insurance carriers.</p>
<p>A second provision in the Missouri law, which is also unclear, permits small employers (without specifically defining “small employer”) to contribute through a cafeteria plan to the individually underwritten health benefit plan of an employee who is eligible for coverage under the employer’s plan.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2009/05/healthcare-news-february-2008.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2008/02/missouri%e2%80%99s-cafeteria-plan-mandate-effective-january-1-2008/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>George Clooney and HIPAA</title>
		<link>http://www.dannamckitrick.com/articles/2008/02/george-clooney-and-hipaa/</link>
		<comments>http://www.dannamckitrick.com/articles/2008/02/george-clooney-and-hipaa/#comments</comments>
		<pubDate>Fri, 01 Feb 2008 16:57:31 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=119</guid>
		<description><![CDATA[A recent entertainment news story involving celebrity medical records is an example of the problems associated with employee activities and reminds us of the need for continuous vigilance in protecting sensitive medical data. This story highlights that it is a good time for additional training of workforce members on these issues. Following a motorcycle accident [...]]]></description>
			<content:encoded><![CDATA[<p>A recent entertainment news story involving celebrity medical records is an example of the problems associated with employee activities and reminds us of the need for continuous vigilance in protecting sensitive medical data. This story highlights that it is a good time for additional training of workforce members on these issues.</p>
<p>Following a motorcycle accident involving George Clooney and his girlfriend, they were seen at the <a href="http://palisadesmedical.org/">Palisades Medical Center</a> in New Jersey for their injuries. More than two dozen employees were suspended for a month, without pay, for allegedly accessing Clooney’s confidential medical records. A union representing seven of the suspended nurses said that the employees, although they looked at Clooney’s records, did not divulge any confidential information.</p>
<p><span id="more-119"></span>The interesting thing about this case is that it shows the tight link between the HIPAA Privacy and Security Rules. Due to the number of employees who allegedly accessed his records inappropriately, it is likely that it was done by looking at electronic information—a security breach by “inside employees.” Fortunately, it appears that the hospital’s audit practices, which are required under the Security Rule, caught the breach. Unfortunately, it appears that the staff were not trained well enough to keep from inappropriately accessing the information in the first place, and apparently were not aware they could be caught and disciplined.</p>
<p>The case also illustrates some of the differences between privacy risks posed by paper versus electronic records. Electronic records can lead to a breach of a patient’s privacy without even having physical access to the health records. And, after a patient’s privacy is breached electronically, it can never be recovered.</p>
<h3>Punitive Damages for Breaches of Medical Privacy</h3>
<p>A case out of New York also serves as a cautionary tale with regard to the monetary damages that may be awarded for breaches of medical privacy.</p>
<p>In <em>J. v. Long Island Surgi-Center</em> (N.Y.A.D. 2nd Dept., September 25, 2007), a 20-year-old, unmarried woman who lived with her parents decided to terminate her pregnancy at the Long Island Surgi-Center. Since her parents disapproved of pre-marital sex and were implacably opposed to abortion, she was determined to keep her decision from them.</p>
<p>When she first contacted the clinic to arrange for the procedure, she provided her cell phone number and gave specific instructions never to call her at home. The day after her abortion, nevertheless, one of the clinic’s nurses telephoned the young woman’s home and spoke with the person she knew to be her mother. In the course of the conversation, the nurse revealed information sufficient to allow the mother to conclude that her daughter had had an abortion.</p>
<p>On appeal, the Court of Appeals held that, in the young woman’s subsequent action to recover damages for wrongful disclosure of confidential medical information under New York’s Public Health Law, the trial court was “not in error” to submit the issue of punitive damages to the jury.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2008/02/healthcare-news-february-2008.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2008/02/george-clooney-and-hipaa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Cases Involving Patient Privacy—How Far Does the Duty Go for Employees?</title>
		<link>http://www.dannamckitrick.com/articles/2007/01/recent-cases-involving-patient-privacy%e2%80%94how-far-does-the-duty-go-for-employees/</link>
		<comments>http://www.dannamckitrick.com/articles/2007/01/recent-cases-involving-patient-privacy%e2%80%94how-far-does-the-duty-go-for-employees/#comments</comments>
		<pubDate>Tue, 02 Jan 2007 01:52:03 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=81</guid>
		<description><![CDATA[On May 24, 2006, the Illinois Supreme Court granted an appeal for a defendant hospital’s petition for leave. A decision in this case concerns the extent of an employer’s liability for an employee’s off-site and off-duty breach of a patient’s privacy. The case alleged that plaintiff was a patient at a particular medical group. Blood [...]]]></description>
			<content:encoded><![CDATA[<p>On May 24, 2006, the Illinois Supreme Court granted an appeal for a defendant hospital’s petition for leave. A decision in this case concerns the extent of an employer’s liability for an employee’s off-site and off-duty breach of a patient’s privacy.</p>
<p>The case alleged that plaintiff was a patient at a particular medical group. Blood samples and/or records were sent to a hospital and examined by a phlebotomist. The phlebotomist revealed the results of those records at a public tavern to the plaintiff’s twin sister. The hospital admitted the phlebotomist had revealed one fact about the plaintiff, discovered from her medical records, to the plaintiff&#8217;s sister at a tavern, but also alleged that when the phlebotomist revealed the information, she was not acting within the scope of her employment with the hospital. Although HIPAA does not provide a private cause of action, in Illinois a common-law right-of-privacy cause of action existed for the doctor’s violation of plaintiff&#8217;s right to privacy.</p>
<p><span id="more-81"></span>The court held that the question of whether the phlebotomist was acting in the scope of her employment with the hospital was a question for the jury. The court went on to note, however, that the defendant hospital and employee had a duty not to disclose confidential information, without limitation as to time or place.</p>
<p>The court reasoned that the “hospital&#8217;s training of its employees did not limit the duty of the employee to maintain confidentiality of patients’ medical information only during working hours. Rather, that duty, imposed by the hospital in its execution of its duties, was, according to its own training, to extend to all times and to all places. In effect, for purposes of patient confidentiality, [the phlebotomist] was on duty 24 hours a day, 7 days a week.” Thus, the defendant had a continuing off-shift duty to maintain the confidentiality of patient records. This duty derived not only from the hospital&#8217;s rules of employment, but also from the patient&#8217;s right to privacy.</p>
<p>The court further included employees of lawyers, therapists, and other employers who maintain confidential information, as examples of other workers who have a constant duty to keep confidentiality.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2009/05/healthcare-news-january-20072.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2007/01/recent-cases-involving-patient-privacy%e2%80%94how-far-does-the-duty-go-for-employees/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Physician Practices and Records Transfer in the HIPAA Era</title>
		<link>http://www.dannamckitrick.com/articles/2007/01/physician-practices-and-records-transfer-in-the-hipaa-era/</link>
		<comments>http://www.dannamckitrick.com/articles/2007/01/physician-practices-and-records-transfer-in-the-hipaa-era/#comments</comments>
		<pubDate>Tue, 02 Jan 2007 01:42:57 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=77</guid>
		<description><![CDATA[In the current environment, it seems that businesses are constantly changing hands, merging or dissolving. The question then is what happens with a patient’s medical records when a medically-based business is bought, sold or dissolved? State laws and HIPAA inform the answer. In Missouri, patient records under the care, custody and control of a medical [...]]]></description>
			<content:encoded><![CDATA[<p>In the current environment, it seems that businesses are constantly changing hands, merging or dissolving. The question then is what happens with a patient’s medical records when a medically-based business is bought, sold or dissolved? State laws and HIPAA inform the answer.</p>
<p>In Missouri, patient records under the care, custody and control of a medical licensee must be maintained for a minimum of seven years from the date the last professional service was provided. (R.S.Mo. § 334.097).</p>
<p><span id="more-77"></span>If selling a practice, a series of steps must be accomplished when notifying patients of the sale, including notifying the patient of the process for obtaining a copy of medical records and the potential need for the written authorization before medical records can be transferred to another provider. Moreover, under HIPAA, a specific authorization is required for the release of information considered sensitive, such as HIV/AIDS status, psychiatric history, drug or alcohol abuse, or sexual abuse.</p>
<p>Since the physical record is considered the property of the practice and the information in the record is considered the property of the patient, a practitioner who is leaving one practice to go to another should not simply take with him or her the records of those patients who will continue in his or her care.</p>
<p>For instance, if a practice is dissolved, a custodian of patient records may have to be located and a business associate agreement obtained requiring that custodian or receiving physician to respect the confidentiality of the records in accordance with HIPAA. The state medical board or department of health should also be notified where the records are being stored in case patients, at some point in the future, need to access their records if the former physician or custodian cannot be located.</p>
<p>In addition, the <a href="http://www.ama-assn.org/ama/no-index/physician-resources/2498.shtml">Code of Ethics of the American Medical Association</a> at E-7.03 provides similarly. Patients should initially be notified and informed that upon authorization, their records will be sent to their choice of physician. Any records not forwarded to a new physician should be retained, either by the treating physician, another physician, or such other person lawfully permitted to act as a custodian of the records. If the physician is leaving a group practice, after notification, the patients should also be informed of the physician’s new address and offered the opportunity to have their medical records forwarded to the departing physician at his or her new practice location. The Code warns that it is unethical to withhold such information upon request of a patient.</p>
<p>In the case of a retiring physician, it may be most practical to transfer the records to a hospital. The hospital should agree to treat the records as if they were their own for HIPAA purposes and only transfer the records to another physician upon the patient’s written authorization. Essentially, the hospital becomes a business associate of the retiring physician and is subject to the business associate requirements of HIPAA.</p>
<p>As you can see, many issues and precautions must be taken into account when a physician retires, moves from an existing practice, or sells a practice with regard to patient records.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2007/01/healthcare-news-january-2007.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2007/01/physician-practices-and-records-transfer-in-the-hipaa-era/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Personnel Records: What Goes Where</title>
		<link>http://www.dannamckitrick.com/articles/2007/01/personnel-records-what-goes-where/</link>
		<comments>http://www.dannamckitrick.com/articles/2007/01/personnel-records-what-goes-where/#comments</comments>
		<pubDate>Tue, 02 Jan 2007 01:29:24 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=73</guid>
		<description><![CDATA[Confusion abounds when it comes to deciding which employee personnel records go where, who can access which records and who cannot, and how records should be segregated. Human resource employees have long understood that an employee’s workers’ compensation records should be segregated from the employee’s typical personnel file containing such things as an application for [...]]]></description>
			<content:encoded><![CDATA[<p>Confusion abounds when it comes to deciding which employee personnel records go where, who can access which records and who cannot, and how records should be segregated. Human resource employees have long understood that an employee’s workers’ compensation records should be segregated from the employee’s typical personnel file containing such things as an application for employment, resume and salary change forms.</p>
<p>For the small employer, however, these kinds of decisions must be addressed by management, who may not always be experienced in the nuances of human resource law. In essence, three files should be maintained for each employee:</p>
<p><span id="more-73"></span>1. The personnel file contains new hire and termination information, change forms, performance documentation and miscellaneous information such as requests to inspect employee files, underemployment claims, training courses, and achievements.</p>
<p>2. The confidential file contains information such as references, background investigations, financial obligations, settlement agreements, and EEO data. Information not specifically related to employee wage and hour status or job performance should be scrutinized to determine whether it reveals any private facts about an individual. If it does, it should be placed in this file rather than the Personnel File. This could include:</p>
<ul>
<li>health-related documentation (not related to the health plan), e.g., injury reports, requests for reasonable accommodation, FMLA forms, fitness for duty, post-offer medical information, workers’ compensation injury forms and reports, disability leave documentation, and self-identification of disability;</li>
<li>financial information, including W-4’s (federal and state), direct deposit authorization, payroll corrections, requests for verification of employment, wage attachments, credit reports, and retiree insurance premium agreements; and</li>
<li>miscellaneous information, including settlement, arbitration and dispute agreements and decisions; EEO complaints or other information; investigation interview notes; grievances; affirmative action; reference and background check forms; interview evaluation, skills or personality tests, funeral and jury duty notices.</li>
</ul>
<p>3. The Confidential Protected Health Information (“PHI”) file includes all the information pertaining to the health plan(s) offered by the employer, including self-insured health plans, flexible spending accounts (for medical and prescription) and cafeteria plans:</p>
<ul>
<li>benefits enrollment forms;</li>
<li>benefits change forms;</li>
<li>benefits claim forms;</li>
<li>dependent and beneficiary designations;</li>
<li>insurance waivers;</li>
<li>open enrollment forms;</li>
<li>COBRA documentation;</li>
<li>health care provider certification;</li>
<li>voluntary medical information; and</li>
<li>authorization to release information (preemployment).</li>
</ul>
<p>Drug and alcohol tests should be filed in a separate binder, not with any other information, segregated by current and separated status. Form I-9s should also be filed in a separate binder, segregated by current and separated status.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2009/05/healthcare-news-january-20071.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2007/01/personnel-records-what-goes-where/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employer-Sponsored Group Health Plans &amp; HIPAA’s Third Installment</title>
		<link>http://www.dannamckitrick.com/articles/2007/01/employer-sponsored-group-health-plans-hipaa%e2%80%99s-third-installment/</link>
		<comments>http://www.dannamckitrick.com/articles/2007/01/employer-sponsored-group-health-plans-hipaa%e2%80%99s-third-installment/#comments</comments>
		<pubDate>Tue, 02 Jan 2007 01:20:54 +0000</pubDate>
		<dc:creator>Laura Gerdes Long</dc:creator>
				<category><![CDATA[Employment Law]]></category>
		<category><![CDATA[Health Care]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Laura Gerdes Long]]></category>

		<guid isPermaLink="false">http://www.dannamckitrick.com/articles/?p=70</guid>
		<description><![CDATA[If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of [...]]]></description>
			<content:encoded><![CDATA[<p>If small business employers think that the Health Insurance Portability and Accountability Act—or what we fondly refer to as “HIPAA”—only applies to health care providers, they need to think again. Small business owners need to get hip to HIPAA because those that offer employer-sponsored health plans (as most do) must also protect the privacy of employees’ medical information.</p>
<p>Physician practices typically understand they are “Covered Entities” under HIPAA due to their status as medical providers, but many are unaware they may carry the title of “Covered Entity” by way of their employer status.</p>
<p><span id="more-70"></span>Though employers are not Covered Entities under HIPAA, many employers offer fully or partially self-funded health plans to their employees and <em>those health plans <strong>are</strong> Covered Entities under HIPAA</em>. Indeed, even flexible spending accounts or 125 plans are considered health plans and thereby must comply with HIPAA.</p>
<p>Last April, the final installment in the series of three HIPAA regulations went into effect. The first installment was the Electronic Health Care Transaction and Code Sets (October 2002). The second installment was the Privacy Rule (April 2003 or April 2004 for small group health plans). Finally, as of April 20, 2005, all covered entities (as defined by HIPAA) were required to implement the Security Rule. Small health plans, defined as those that spend $5 million or less in claims, were given until April 20, 2006, to comply.</p>
<p>The Security Rule, a series of standards, provides administrative, physical and technical safeguards to protect the security of electronic health information. It may be found at Title 45, Code of Federal Regulations, Part 164, Sections 302-318 (45 CFR 164.302).</p>
<p>While the Privacy Rule includes a mini-security rule, the regulations of the Security Rule are far more detailed and include comprehensive ways in which a covered entity may perform a risk analysis to determine the measures required to comply with the Rule. The Security Rule applies to the same covered entities as the Privacy Rule and similarly applies to the covered entities’ business associates. If you offer a health plan to your employees, that plan must meet both the Privacy Rule and Security Rule requirements. By extension, the employer must ensure that the plan has met those requirements.</p>
<p>For small plans, compliance may be simple, especially when most employers outsource their health care operations to third party administrators and have very little interaction with electronic protected health information, or PHI.</p>
<p>Like the Privacy Rule, the Security Rule requires health plans to limit disclosures of PHI to the plan sponsor employers unless certain conditions are met. Consequently, non-covered entity employers who are health plan sponsors are affected by HIPAA’s Security Rule, including having to amend employer health plan documents to incorporate provisions requiring such employers who receive PHI from the health plan to implement security safeguards.</p>
<p>These safeguards include three standards which fall under the categories of administrative, physical and technical, and numerous implementation specifications.</p>
<p>The good news is that the Security Rule permits flexibility in your entity’s approach based upon organizational size, complexity, staff capabilities, the likelihood of potential risks, costs, and your computer hardware and software capability.</p>
<p>It’s also a good time to be reminded that every three years, covered entities should revisit their adherence to the Privacy Rule requirements by evaluating actions taken and determining whether it is appropriate to modify compliance processes and procedures. HIPAA compliance does not have a completion date; rather, it is an ongoing process.</p>
<p><a href="http://www.dannamckitrick.com/articles/wp-content/uploads/2009/05/healthcare-news-january-2007.pdf">View PDF</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.dannamckitrick.com/articles/2007/01/employer-sponsored-group-health-plans-hipaa%e2%80%99s-third-installment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>