Privacy and security


More Delays for the Red Flags Rule

The Federal Trade Commission has announced a new delay for the Red Flags Rule. Enforcement will now begin June 1, 2010.

The delay, announced October 30, comes at the request of Congressional members, the FTC said. The rule was scheduled to go into effect November 1.

The announcement comes a week after the House of Representatives passed an amendment to the rule that would exclude certain businesses, including small healthcare, accounting, and legal practices. The House bill is currently in the Senate.

On the day FTC announced the delay, the US District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys.

This is the fourth delay for the rule, which was originally scheduled to take effect November 1, 2008. Industry groups, including healthcare providers and lawyers, have pushed for an exclusion, while others have complained that the rule lacked sufficient detail and guidance. The FTC has since been adding information and guidance online.

Exception Coming on Red Flags Rule?

The oft-delayed Red Flags Rule, scheduled to take effect November 1, may be in for a major change. A bill that passed the US House October 20 and arrived in the Senate the next day would exempt, among others, healthcare practices with 20 or fewer employees from meeting the law’s requirements.

The amendment is intended to relieve the administrative burden on small businesses.

The Red Flags Rule, part of the Fair and Accurate Credit Transaction Act of 2003, requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. As described in the rule, creditors are organizations that maintain consumer accounts that receive multiple payments or payments made in installments.

In full, HR 3763 amends the Fair Credit Reporting Act to exclude “any health care practice, accounting practice, or legal practice with 20 or fewer employees.” It also excludes any other business that the Federal Trade Commission, which oversees the rule, determines:

  • knows all its customers or clients individually;
  • only performs services in or around the residences of its customers; or
  • has not experienced incidents of identity theft, and identity theft is rare for businesses of that type.

No Script Needed for California Breach Notification

California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.

California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification letters must contain.

Senate bill 20 would have ensured businesses include key information in their notices, such as the type of personal information breached, a description of the incident, the date it took place, and who to contact for more information.

The bill was vetoed, Schwarzenegger wrote in his explanation, because there is no evidence of a problem with the information businesses are currently providing consumers.

CMS Publishes Interim Final Rule on GINA

On Wednesday the Centers for Medicare and Medicaid Services (CMS) published the interim final rule for the Genetic Information Nondiscrimination Act (GINA). In it, CMS modifies the HIPAA privacy rule to explicitly include genetic information within the definition of health information. 

The rule also proposes to:

  • prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes;
  • revise the provisions relating to the notice of privacy practices for health plans that perform underwriting;
  • make conforming modifications to definitions and other provisions of the privacy rule; and
  • make technical corrections to update the definition of “health plan.”

The interim final rule applies GINA’s prohibitions on using and disclosing protected genetic health information for underwriting to all health plans subject to the privacy rule, rather than solely to the plans GINA explicitly requires be subject to the prohibition. It also proposes applying the prohibition on using or disclosing genetic information for underwriting purposes to all health plans that are covered entities as defined by the HIPAA privacy rule.

CMS will accept public comments for 60 days.

Signed in 2008, GINA protects individuals against discrimination in health coverage or employment based on their genetic information.

Employee Fired for Accessing Son’s Records Reinstated

A Wisconsin woman who was fired in September 2008 for accessing her estranged son’s medical records was reinstated last month after an arbitrator deemed the punishment excessive.

After learning her son sought care at the hospital, the woman, a health unit coordinator at St. Francis Hospital for 30 years, accessed his records eight times in one year in hopes of learning his current address or when he was next scheduled for an appointment. The mother acknowledged that her actions were inappropriate, but said she accessed her son’s records to find out whether he was okay after one of his friends was murdered in 2007.

The woman was unable to contact her son because his medical records listed her residence as his home address and listed no appointments. However, after someone saw her son enter a residence, the woman sent him a birthday card to that address. The son, who is in his mid-20s, then filed a complaint with the hospital alleging she must have gotten the address through his confidential medical records, which prompted the investigation and her firing.

FTC Releases Breach Notification Rule

Yesterday HHS published its breach notification rule for HIPAA covered entities. Today the Federal Trade Commission’s rule appeared in print, making it official also. The FTC rule applies to entities not covered by HIPAA, primarily vendors of personal health records. The rule is effective September 24, 2009. Full compliance is required by February 22, 2010.

FTC’s rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached. Both the FTC and the HHS rules were required by provisions in the American Recovery and Reinvestment Act, signed into law this past February.

As with the HHS rule, entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Neither HHS nor FTC amended the timeline specified in the ARRA provision.

The rule specifies that notifications should be written in plain language and include, to the extent possible, a brief description of what happened, the types of information involved, steps individuals should take to protect themselves, and a brief description of what the entity is doing to investigate and mitigate the breach. The notification must provide consumers with contact information that includes a toll-free number, e-mail address, and Web site or postal address.

HHS Releases Breach Notification Rule

Last week the industry got an early look at the Department of Health and Human Services’ much-anticipated data breach notification rule. Today the rule was published in the Federal Register, making it official. The rule takes effect September 23, 2009.

“Breach Notification for Unsecured Protected Health Information” applies to all HIPAA-covered entities and HIPAA-related business associates. A separate rule is expected any day from the Federal Trade Commission, which will cover non-HIPAA related entities such as vendors of personal health records. Both rules stem from the American Recovery and Reinvestment Act. FTC released a preliminary version of its rule last week, also.

The rule defines a breach; suggests how an entity might investigate a potential breach; and establishes the steps the entity must follow should it determine that a breach has occurred.

A verified breach requires notification of the affected individuals without unreasonable delay and within 60 days of the breach’s discovery, the time frame originally specified in ARRA. Few of the 44 state breach notification laws specify a time period. California requires notification within 5 days; Florida within 45 days.

HHS, and possibly the media, will also require notification. Entities must notify HHS immediately of any breach involving 500 or more individuals; they may log smaller breaches and report them annually. Breaches of more than 500 individuals must also be reported to “prominent” media outlets in the state or jurisdiction within the same time frame as the notification to individuals.

HHS declined to further define a “prominent” media outlet, despite requests received in comments. It notes that the term is relative to the market.

Who Has Rights to a Deceased Patient’s Records?

A son calls the HIM department and requests his deceased father’s medical records. Shortly afterward, the man’s wife requests the records, also. Then a man calls identifying himself as the executor of the estate. Who is authorized to access the records?

Determining appropriate release of a deceased patient’s medical records can be complex. HIPAA, sometimes blamed for denied requests, is rarely cause for a roadblock, however. The federal law does extend a person’s privacy rights into death, but it also explicitly requires facilities to release records to authorized individuals.

The complications typically come when a patient dies without having named a personal representative. In those instances, HIPAA defers to state law to determine access rights.

Though most state laws are sufficiently clear, the hierarchy may be complex, and some situations will still require judgment calls. Facility staff who are unclear on the law may err on the side of caution and refuse access rather than risk violating privacy laws. On the other extreme, they may release records without requesting proper verification or release them rather than upset or anger the requestor.

The best practice, experts say, is to gain knowledge of the law, share it, and request that patients identify their personal representatives during the admission process.

ARRA Privacy Provisions Present IT Challenges

In the August print issue, Journal writer Chris Dimick describes the challenges California healthcare organizations face in determining their responsibilities under a tough new state law on health data breach notification and even newer federal law created by ARRA.

The breach notification requirement is not the only ARRA privacy provision shaking up healthcare organizations in California and across the country. It is just the most pressing—final rules appear this month, and organizations must be compliant within 30 days.

Three additional ARRA provisions around privacy and transparency have providers and vendors buzzing, because current electronic record systems cannot meet the requirements.

In many ways, the three provisions describe what EHR systems should be able to do, not what they can do. In the coming months it is up to the federal government to fill in the details. In the coming months and years, it will be up to providers and vendors to adapt and create systems that meet them.

Dimick’s conversations with privacy experts in California continue below, expanding to new provisions on accounting for disclosure, suppressing disclosure of treatment for services paid out-of-pocket, and providing electronic copies of electronic records.

* * *

Accounting for Disclosure

HIM professionals and others are concerned with ARRA’s new accounting for disclosures provision, which requires healthcare facilities using EHRs to provide an accounting or audit trail of all record disclosures. This represents a major change from the current HIPAA laws, which exempt disclosures for treatment purposes and routine healthcare operations. Most state laws do not address accounting for disclosures, and they rely on HIPAA to set the rules.

Reports Pour in under CA’s New Privacy Laws

Reports of health record breach violations have been pouring into the California Department of Public Health since the state began requiring healthcare entities to report all incidents of unauthorized record access.

More than 800 reports have been filed since the law took effect January 1, according to Kathleen Billingsley, RN, deputy director of the California Department of Public Health, Center for Health Care Quality (CDPH). The agency has conducted dozens of investigations to date, she says. 

The new laws have raised eyebrows across the country, and have positioned California as a “leader in medical privacy,” Billingsley says. Meanwhile healthcare providers have been scrambling to institute policies that adhere to the new—some say overly strict—requirements.
