Compliance

Medical Identity Theft and the Red Flags Rule

Continuing our Health Information Privacy and Security Week series, today Chris Apgar, CISSP, president of Apgar & Associates LLC, takes a look at medical identity theft within the context of the Red Flags Rule.

Much is reported in the news about identity theft, including new catchy commercials that are intended to prompt consumers to pay attention to their credit record. What isn’t mentioned is the threat of medical identity theft. Identity theft is primarily a financial crime, while medical identity theft can directly impact an individual’s ability to seek healthcare and health insurance coverage.

When FERPA and HIPAA Collide

A 19-year-old college student uses her university clinic for gynecological visits. Her parents contact the clinic and ask to see her health record in order to find out if she is using birth control. The clinic shares the record with the parents. Did the clinic staff do wrong?

Maybe not.

The behavior would seem to fly in the face of the HIPAA privacy rule, but virtually all public schools and most private and public postsecondary institutions are covered by a different federal law.

The Family Educational Rights and Privacy Act, or FERPA, regulates the privacy of students’ education records. These can include student health records if the institution chooses to classify them as such. The HIPAA privacy rule does not apply to records covered by FERPA.

It’s a complicated intersection of federal law, and the Department of Health and Human Services and the Department of Education have issued guidance to help schools navigate it. See “When FERPA and HIPAA Collide” in the Winter 2009 issue of AHIMA’s Academic Advisor e-newsletter.

CMS Settles RAC Protest, Reinstates Program

Last week, the Centers for Medicare and Medicaid Services (CMS) announced that the parties involved in the protest over the award of Recovery Audit Contractor (RAC) contracts had come to a settlement. This means that the stop work order has been lifted, and CMS will continue with the implementation of the RAC program.

PRG-Shultz will serve as a subcontractor to HealthDataInsights, Diversified Collection Services, and CGI Technologies and Solutions. Viant Payment Systems will serve as a subcontractor to Connolly Consulting. According to CMS, “the four RACs will contract with subcontractors to supplement their efforts.”

The program had been suspended last November when PRG-Shultz and Viant protested the contracts that had been awarded to four others. CMS plans to have four RACs in place by 2010. Each RAC will be responsible for identifying overpayments and underpayments in approximately a quarter of the country.

VA to Pay $20 Million in Data Breach Case

Last week the Department of Veterans Affairs announced it would pay $20 million to settle a class action lawsuit resulting from a stolen laptop. The case resonated with a data breach story Journal writer Chris Dimick had just written for the current print issue, and he circled back with two law experts featured in the story to get their comments.

First a little background. In 2006 a VA employee took home a laptop that included unencrypted personal information for approximately 26.5 million vets. Several teenagers broke into the employee’s house and made off with the laptop.

The employee notified his superiors immediately, but the VA took nearly three weeks to warn vets that their information was at risk.

Redisclosure Resources

“Redisclosure of Patient Health Information (Updated),” the practice brief in this month’s print issue, offers guidance on one of HIM’s trickier issues. Redisclosure is the sharing or release of patient health information that the organization received from another source (such as a facility or provider) and subsequently made part of the patient’s health record or the organization’s designated record set. A glance at the sample situations in the brief shows just how complicated this issue can become.

AHIMA’s library contains additional related guidance on redisclosure. Look for these practice briefs:

Auditing Copy and Paste

For organizations that allow clinicians to carry forward clinical documentation in electronic records, auditing its proper use is key to ensuring document integrity. Copying clinical documentation poses both clinical and compliance risk. The feature “Auditing Copy and Paste” offers guidance in creating a solid audit plan.

The story is adapted from the broader AHIMA resource “Copy Functionality Tool Kit.” It offers sample policies, testing activities, case scenarios, and questions organizations can ask when considering the use of copy and paste.

You’ll find a lot of other good practice resources on that page.

Links to Regulations and Standards

The January practice brief recommends resources for regulations and standards that apply to HIM practice in a range of settings. See the online version for links directly to the sources.

Keeping HIPAA Education Fresh

Get hip with HIPAA.

That’s just one of the taglines attached to Sharp Healthcare’s HIPAA education modules. Photos from the age of hip—the late 1960s and early 1970s—permeate the online HIPAA training modules. Musicians Jimi Hendrix and Bob Dylan and TV icons of the era, like the Get Smart cast, mingle with privacy requirements and confidentiality factoids.

The hip-themed training is just one theme in a series of HIPAA privacy, security, and confidentiality training modules at the San Diego-based facility.

The incorporation of a new theme each year ensures that Sharp’s staff of 12,000 employees learns more than how to fall asleep during training, says Paul Belton, RHIA, Sharp’s vice president of corporate compliance and creator of the unique training programs.

“All this is to just try and keep this fresh,” Belton says. “You come up with something that would be tasteful and flavorful to them to [avoid] the dry and boring education modules that are so typical.”

Keeping a facility’s HIPAA education program interesting year after year can be a challenge for privacy officers. They must develop interesting, comprehensive programs that stick for new employees as well as fresh refresher programs for current staff.

Arkansas HIPAA Violator Sentenced

An Arkansas woman who was the first in her state to be prosecuted under the Health Insurance Portability and Accountability Act (HIPAA) was sentenced to probation and community service.

Andrea Smith, a 25-year-old woman from Trumann, AR, was sentenced on December 3, 2008, to two years’ probation and 100 hours of community service for accessing and disclosing a patient’s health information for personal gain, according to Cherith Beck, public information officer with the United States Attorney for the Eastern District of Arkansas.

A Closer Look at the Red Flag Rules

Chris Apgar, CISSP, consults on information security to the healthcare and financial services industries. He offers this overview of the Federal Trade Commission’s red flag rules regarding identity theft protection programs.

* * *

Healthcare organizations must be in compliance with the FTC’s red flag rules by May 1, 2009. The rules, which require financial institutions and creditors to establish identity theft protection programs, were included in the Fair and Accurate Credit Transactions Act passed by Congress in 2003.

The final rules were published in the Federal Register November 9, 2007, with an original compliance date of November 1, 2008. In October the compliance date was extended to May 1, 2009. The good news for most healthcare organizations is that the requirements represent only a modest expansion of the security incident response teams they have already formed to meet the HIPAA security rule.