The rule also proposes to:

• prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes;
• revise the provisions relating to the notice of privacy practices for health plans that perform underwriting;
• make conforming modifications to definitions and other provisions of the privacy rule; and
• make technical corrections to update the definition of “health plan.”

The interim final rule applies GINA’s prohibitions on using and disclosing protected genetic health information for underwriting to all health plans subject to the privacy rule, rather than solely to the plans GINA explicitly requires be subject to the prohibition. It also proposes applying the prohibition on using or disclosing is genetic information for underwriting purposes to all health plans that are covered entities as defined by the HIPAA privacy rule.

CMS will accept public comments for 60 days.

Signed in 2008, GINA protects individuals against discrimination in health coverage or employment based on their genetic information.

FTC says the delay will allow organizations covered by the rule to further review its educational materials and prepare their compliance plans.

The anti-fraud regulation requires organizations that act as creditors to implement programs to identify, detect, and respond to “red flags” that could indicate identity theft. The final rule was published November 9, 2007, with an original compliance date of November 1, 2008. It has been delayed several times due to a lack of industry readiness and calls for more clarification and assistance in designing compliance plans.

 The “Recovery Audit Contractor (RAC) Toolkit” includes background on the program and an overview of the process, including what entities are eligible to be audited, the basis for the audits, and the type of audits. It also includes appendixes providing:

• A preparation checklist
• The hierarchy of authority samples
• A sample of the RAC coordinator job description
• A sample of a RAC policy and procedure
• A RAC record extension request sample
• How to develop a RAC education program
• A presentation sample
• RAC acronyms
• A RAC determination response
• The appeal process workflow
• The Medicare appeals process
• Sample appeal letters
• An appeals submission checklist

The kit was developed by AHIMA’s Recovery Audit Contractors (RACs) Workgroup, a subgroup of the Clinical Terminology and Classification Practice Council. It is available free of charge.

AHIMA offers additional toolkits online, including “Copy Functionality Toolkit,” which can help HIM professionals and their organizations develop policies and procedures to allow for the review, audit, and testing surrounding this functionality. The “Health Information Exchange (HIE) Resource Toolkit” outlines the HIM issues in health information exchange, as well as useful Web sites that HIM professionals can reference in preparing for HIE.

Look for two more toolkits on amendments to transcribed reports and amendments for EHRs, which will be released in August.

“The automated reviews are less burdensome on the provider, because there’s no request for medical records,” said Marie Casey, deputy director of the Division of Recovery Audit Operations at CMS, in the news item. “They’re also easier for the RACs to manage.”

The delay for medical necessity auditing is due to the complexity of the reviews. “We’re delaying because it’s more difficult,” Casey said. “We are really trying to ensure that when there is a difference of opinion [on the medical necessity determination of the case], the RAC clearly documents their rationale.”

The delay will also help CMS roll out an issue review team, a group comprised of members from various agency divisions that will look at policy questions, such as whether the RACs have been correct in the interpretation of coding guidelines. These teams will look comprehensively at the questions before approving new issues for RAC review, according to Kathleen Wallace, a CMS representative who spoke at a May 28 Region D RAC training session held in Helena, MT.

When record requests do come, they will start sporadically but eventually fall into a pattern, at least in Region D, said HealthDataInsights president and CEO Andrea Denko, during the Helena training session.

Jane Cook, Cheryl D’Amato, Gail Garrett, Becky Ruhnau-Gee, Linda Hyde, and Natalie Novak sort out the relationship of POA, HACs, SREs, and “wrong” surgical site policies in “Understanding National Coverage Policies.”

The penalty is the first under California’s strict new privacy laws, which went into effect January 1. The $250,000 fine was the maximum allowed.

Kaiser first reported the breach back in April, when it disciplined and fired employees for accessing Suleman’s records. The CDPH investigation announced Friday involved the facility only. Under a separate law, the state may seek prosecution against the individuals themselves.

OCR has logged approximately 43,700 complaints since the privacy rule went into effect April 14, 2003. It has resolved 86 percent of them, and as of April 30 it had nearly 6,000 cases still on its to-do list.

OCR enforces the HIPAA privacy rule only. Enforcement of the security rule falls to the Centers for Medicare and Medicaid Services. Violations of either rule that involve possible criminal violations are referred to the Department of Justice. Through April 30 of this year, OCR had referred 456 cases to the DOJ and 306 cases to CMS.

Individuals filed 8,526 privacy complaints with OCR in 2008. This is up 4 percent from the previous year, and up 23 percent since 2004, the first full year of the rule.

OCR reviews all complaints, but not all require investigation. In 2008 the office resolved 9,280 complaints, of which 36 percent warranted an investigation. Of those, 2,210 resulted in corrective action. No violation was found in the remaining 1,163 cases.

This breakdown largely reflects past history. Since 2005 approximately one-third of complaints have required investigation. Approximately two-thirds of investigations have resulted in corrective action.

Common Complaint

Improper use and disclosure of protected health information has been the leading compliance violation since 2004. The following three issues have not changed, either. They are, in order: lack of safeguards for protected health information, lack of patient access, and use or disclosure of more than the minimum necessary information. The fifth spot has alternated among issues related to amendments, notices, mitigation, and authorization.

Private practices lead the list of covered entity types that have been required to take corrective action. General hospitals follow.

The rule requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. (For more on the rule, see articles in “Privacy & Security.”)

The FTC also announced that it would release a compliance template for entities that have a low risk of identity theft, such as businesses that know their customers personally.

Continued confusion over the terms of the provision resulted in the delay. ”Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said in the statement.

This is the second delay for the Red Flags rule. The original deadline was November 2008.

“Guidance on the Genetic Information Nondiscrimination Act: Implications for Investigators and Institutional Review Boards” provides background on protections provided by GINA and discusses GINA’s impact on investigators who conduct genetic research and the institutional review boards that review it, particularly on criteria for IRB approval of research and the requirements for obtaining informed consent under the HHS regulations for the protection of human subjects (45 CFR part 46).

Final GINA regulations are expected in May.

To review GINA’s provisions, see the July 2008 “Word from Washington” column “Getting to Know GINA.”

Millions of Americans each year fall victim to identity theft.  When identity theft involves healthcare, the consequences can be severe. It can result in losses to the healthcare provider from unpaid bills, the exhaustion of the victim’s benefits, or even potentially life-threatening corruption of a patient’s medical records. 

The crime also can play havoc with an innocent consumer’s credit rating.  Medical identity theft may arise when a person seeks healthcare services or prescription pharmaceuticals using someone else’s name or insurance information.  A recent nationwide survey conducted for the FTC found that 4.5 percent of the 8.3 million identity theft victims have experienced some form of medical identity theft.

The Red Flags Rule is designed to help protect patients and providers from suffering the consequences of medical identity theft.  Briefly put, this new law requires “creditors” and “financial institutions” to determine if they have either consumer accounts that permit multiple payments or other accounts for which there is a reasonable risk of identity theft.  If they do, these covered entities must develop and implement a written identity theft prevention program. Each provider has the flexibility to implement a program that best suits its size, complexity, and actual risk of identity theft.   

Although enforcement has been deferred until May 1, 2009, many providers are already putting their programs together. Some, however, question the applicability of the rule to physicians and other providers, because they do not view them as “creditors.” For purposes of the Red Flags Rule, the definition of  “creditor” is very broad, and includes an arrangement for the deferral of payment of debts or payment for the purchase of goods or services. Healthcare providers are creditors if they regularly collect payment after services are rendered. Simply accepting credit cards as a form of payment, however, does not make a provider a creditor under the rule.  

The first step in implementing a program is to identity the warning signs—or “red flags”—of identity theft.  These may include identification, medical history, or information that does not seem to match the patient, or notice from consumers that they are victims of identity theft. Second, the program must include policies and procedures to detect these “red flags.” For example, many providers already check a photo ID or insurance information for new or returning patients. 

Third, the program must include appropriate responses to prevent and mitigate identity theft. These could include not collecting on a debt against the innocent consumer or ensuring that medical records are not corrupted with errors resulting from the identity theft. Finally, providers must update their programs periodically if new risks and trends arise. To ensure that these steps become routine, the rule requires that the Red Flags Program be in writing.

Using this common-sense approach to developing a program can help reduce the incidence of medical identity theft without overburdening health care providers. And because the rule is risk-based, a simple plan should be sufficient for providers that have a low risk of identity theft in their practices. Still have questions? Send a message to redflags@ftc.gov or check www.ftc.gov for more information.