Privacy Police: Self-Reporting and Penalties
East Tennessee Medical News – May 2009
By Diana L. Gustin and Connie S. Ditto

New federal laws require more oversight to protect patient records and various regulatory requirements make health care entities responsible for policing the privacy of their patients.  Electronic medical records are expected to be cost efficient.  However, diligence will be required to safeguard this data.  In August 2009, the Secretary of Health and Human Services will appoint Regional Office Privacy Advisors to offer guidance and education related to Federal privacy and security requirements.  This article will alert the health care community to some new requirements for compliance in the privacy area.

How does HIPAA protect patients’ privacy?

The Health Insurance Portability and Accountability Act (“HIPAA”) was enacted by the U.S. Congress in 1996.  Title I protects health insurance coverage for workers and their families when job situations change.  This section of the Act refers to the “Portability” of health insurance.  Title II, the Administrative Simplification provisions, establishes national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers.  The standards regarding health care transactions recognize and protect patients’ privacy.  The Office of Civil Rights enforces the HIPAA Privacy Rule.  (Federal Regulations Title 45 Part 160 – General Administrative Requirements; Part 162 – Administrative Requirements; Part 164 – Security and Privacy.)

What changes have been made to HIPAA?

The American Recovery and Reinvestment Act of 2009 (enacted on February 17, 2009) expands the scope of HIPAA Privacy and Security requirements.  (ARRA, Subtitle D – Privacy.)  Although some provisions became immediately effective, final rules and regulations are forthcoming.  ARRA builds upon the requirements of HIPAA and compels health care providers and practitioners to increase their efforts to protect patients’ privacy.  The Act also permits a private right of action for aggrieved patients in certain circumstances. 

ARRA requires health care providers to report breaches of patient privacy.  If a patient’s medical privacy is breached, the provider is not only required to mitigate potential effects of the breach (see HIPAA regulation 45 CFR 164.30), but is further required to report the breach to the patient.  This reporting requirement will apply to breaches that are discovered 30 days after the publication of interim final regulations.  The term “breach” is defined as unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security, privacy, or integrity of protected health information. (Section 13400)  As of February 17, 2010, Business Associates will also be statutorily liable for the use or disclosure of protected health information (PHI) that does not conform to the HIPAA standards. (Section 13401)  

How can patient records be protected from identity theft?

The Fair and Accurate Credit Transactions Act of 2003 (“FACT”) was enacted to address identity theft.  Under FACT, financial institutions and “creditors” who maintain “covered accounts” must implement identity theft prevention programs to recognize and respond to identity theft “red flags.” The Red Flag Rules (Federal Regulations Title 16, Part 681, et seq.) require creditors that maintain covered accounts to develop and administer a written identity theft prevention program.

The FTC has taken the position that the Red Flag Rules apply to health care providers because a “creditor” includes those who regularly extend credit.  A “covered account” is an account that a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments.  Consequently, any entity that does not demand payment concurrent with the service rendered must comply with the new rules by developing policies and procedures to mitigate identity theft.  The Red Flag Rules were set to become effective on May 1, 2009.  The FTC has postponed the effective date to August 1, 2009 to allow health care providers with covered accounts additional time to implement policies and procedures to comply with the Rules.

The policies and procedures developed by the providers/creditors must address, at a minimum: (1) implementation of an identity theft prevention program; (2) oversight of the program; (3) identification of covered accounts; (4) staff education regarding the entity’s identity theft prevention program; (5) oversight of service providers; (6) annual risk assessment of identity theft red flags; and (7) detection, response, and mitigation of identity theft red flags.

In summary, health care entities have a legal responsibility to police patients’ medical records and keep them confidential, safe and secure. 

Disclaimer: The information contained herein is strictly informational; it is not to be construed as legal advice.

All Rights Reserved. Copyright © 2008 London & Amburn, P.C. - Images Copyright Jon Gustin