<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Journal of AHIMA &#187; Privacy and security</title>
	<atom:link href="http://journal.ahima.org/category/privacy-and-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://journal.ahima.org</link>
	<description>The Journal of AHIMA is published monthly by the American Health Information Management Association</description>
	<lastBuildDate>Fri, 19 Mar 2010 12:50:25 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What’s Become of the Red Flags Rule?</title>
		<link>http://journal.ahima.org/2010/03/01/what%e2%80%99s-become-of-the-red-flags-rule/</link>
		<comments>http://journal.ahima.org/2010/03/01/what%e2%80%99s-become-of-the-red-flags-rule/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 13:05:26 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1601</guid>
		<description><![CDATA[A series of lawsuits, legislation, and lobbying continues to hold up enforcement of the Red Flags Rule, now nearly a year-and-a-half past its original enforcement deadline. After four delays, many in healthcare are wondering what has happened to the rule and if healthcare providers will be exempted from it.
Enforcement of the rule is currently scheduled [...]]]></description>
			<content:encoded><![CDATA[<p>A series of lawsuits, legislation, and lobbying continues to hold up enforcement of the Red Flags Rule, now nearly a year-and-a-half past its original enforcement deadline. After four delays, many in healthcare are wondering what has happened to the rule and if healthcare providers will be exempted from it.</p>
<p>Enforcement of the rule is currently scheduled to begin June 1, but several recent events may keep the rule in limbo.</p>
<h5>FTC: A Wide View of &#8220;Creditors&#8221;</h5>
<p>An amendment to the Fair and Accurate Credit Transaction Act of 2003 created the Red Flags Rule, which requires financial institutions and any institutions considered “creditors” to develop, implement, and monitor identity theft prevention programs.</p>
<p>Congress gave the FTC authority to develop and enforce the rule. After studying the act, the FTC determined that the rule should cover not just financial institutions but any business that acted as a creditor by providing a service and then billing after the fact or in post-service installments.</p>
<p>That included healthcare providers, lawyers, accountants, and others. Healthcare providers are open to identity theft and covered by the rule, FTC officials said, because thieves can obtain treatment using a victim’s identity and then leave the victim with the bill.<span id="more-1601"></span></p>
<p>FTC published its rule in November 2007 and set the enforcement date as November 2008. Meeting with resistance and continuing requests for clarification, it began announcing a series of delays.</p>
<p>Supporters of the rule say a lack of enforcement is leaving healthcare providers open to medical identity thieves. But opponents say the FTC overstepped its authority and unfairly included healthcare under the rule, and they want the rule amended.</p>
<p>Groups like the American Medical Association and American Dental Association have been lobbying the FTC and Congress to exempt healthcare organizations. The FTC has resisted, saying it does not have the authority to exempt any industry that qualifies as a creditor under the terms of the law. Only Congress or the courts can create an exemption, it says.</p>
<p>And, indeed, Congress and the courts have gotten involved.</p>
<h5>House of Representatives: A Burden on Small Business</h5>
<p>In October 2009 a bill sped through the House of Representatives that would exempt healthcare, legal, and accounting practices of 20 or fewer employees from the Red Flags Rule. The bill passed unanimously and now is awaiting a hearing with the Senate Committee on Banking, Housing and Urban Affairs.</p>
<p>Supporters of the bill claim that Congress only intended the rule to cover larger financial institutions and other traditional lenders and that the FTC has created an undue burden on small practices.</p>
<p>The rule “would force thousands of small businesses to comply with burdensome, expensive regulations by forcing them to develop and implement an identity theft program,” said Rep. John Adler (D-NJ), one of the bill’s sponsors, in introducing the bill to the House.</p>
<p>However, groups including AHIMA oppose the exemption, noting that nearly half of healthcare providers operate in practices of six employees or fewer, and exempting them would leave a large share of providers without any requirement to implement medical identity theft prevention plans.</p>
<p>It is unlikely that the Senate committee will get to the House bill before the FTC’s June 1 enforcement deadline, according to Don Asmonga, director of government relations at AHIMA. He expects the committee to work on a long list of other issues.</p>
<p>If the Senate does not act on the bill before Congress adjourns in October, the current bill will die and would need to be reintroduced in the House next year.</p>
<p>The FTC issued its most recent postponement to allow the Senate time to consider the House bill. With the enforcement deadline fast approaching, the FTC has not yet decided what to do if the Senate does not act before June 1, says Naomi Lefkovitz, an attorney with the FTC.</p>
<h5>US District Court: “Plainly Erroneous”</h5>
<p>The rule has landed the FTC in court, also. Trade associations have launched lawsuits against the FTC to exempt their industry professionals from the rule, most notably the American Bar Association.</p>
<p>In October 2009 the US District Court for the District of Columbia ruled that attorneys should be exempted from the rule because the FTC’s inclusion of attorneys as creditors was “both plainly erroneous and inconsistent with the purpose underlying the enactment of the FACT Act,” court documents state.</p>
<p>Soon after the court’s ruling, the American Institute of Certified Public Accountants filed a similar lawsuit asking that accountants also be exempted from the rule.</p>
<p>If healthcare providers want an exemption, experts following these cases expect they will need to file a lawsuit, also.</p>
<p>No lawsuit had been filed by March; however, the American Medical Association has opposed the inclusion of physicians in several letters to the FTC.</p>
<p>“This regulation adds additional financial and administrative burdens upon physician practices given that it duplicates existing Health Insurance Portability and Accountability Act privacy and security requirements,” AMA executive vice president Michael Maves wrote in one letter.</p>
<p>The AMA also argues that practice physicians are not creditors because most do not “regularly extend, renew or continue credit.”</p>
<h5>Compliance Date Long Past</h5>
<p>Healthcare providers should not wait to see if the June 1 deadline holds firm, says Chris Apgar, CISSP, president of healthcare consulting company Apgar and Associates. He reminds healthcare professionals that only the rule’s enforcement deadline has been delayed—the compliance deadline passed more than two years ago when the FTC published its final rule.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2010/03/01/what%e2%80%99s-become-of-the-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>HHS Posts First Privacy Breach Reports</title>
		<link>http://journal.ahima.org/2010/02/24/hhs-posts-first-privacy-breach-reports/</link>
		<comments>http://journal.ahima.org/2010/02/24/hhs-posts-first-privacy-breach-reports/#comments</comments>
		<pubDate>Wed, 24 Feb 2010 15:23:16 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1551</guid>
		<description><![CDATA[The Department of Health and Human Services received reports of 36 large-scale privacy breaches in the last months of 2009 and early 2010. The department has posted basic descriptions of the breaches on its Web site in accordance with new federal rules.
Under the ARRA breach notification provisions, HIPAA covered entities and their business associates must [...]]]></description>
			<content:encoded><![CDATA[<p>The Department of Health and Human Services received reports of 36 large-scale privacy breaches in the last months of 2009 and early 2010. The department has <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html" target="_blank">posted basic descriptions</a> of the breaches on its Web site in accordance with new federal rules.</p>
<p>Under the ARRA <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html" target="_blank">breach notification provisions</a>, HIPAA covered entities and their business associates must notify HHS of any breaches affecting the unsecured protected health information of 500 or more people. The notification must be made without unreasonable delay and no later than 60 days from the discovery of the breach.</p>
<p>The rule went into effect September 22, 2009. Enforcement began this past Monday, February 22.</p>
<p>The majority of breaches resulted from lost or stolen hardware. The number of individuals affected ranged from a low of 501 (Alaska Department of Health and Social Services) to a high of 500,000 (Blue Cross Blue Shield of Tennessee). Providers, payers, and business associates appear on the list.</p>
<p>Covered entities and business associates must also report smaller breaches to HHS, but they may do so in a single report filed at the end of the year. Reports for 2009 are due by March 1, 2010. Organizations must notify breach victims directly for breaches of any size that they judge could result in harm.</p>
<p>Do three dozen large-scale breaches represent a lot or a little? Collectively they involved more than 1 million individuals in the first months of the reporting program. As HHS continues to compile and report incidents, a clearer picture of the prevalence of privacy breaches will emerge. Already the reports make clear that breaches are occurring across the industry, in both private and public entities, large and small.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2010/02/24/hhs-posts-first-privacy-breach-reports/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>California Logs 2,500 Breach Reports in 2009</title>
		<link>http://journal.ahima.org/2010/02/11/california-breach-reports-2009-2/</link>
		<comments>http://journal.ahima.org/2010/02/11/california-breach-reports-2009-2/#comments</comments>
		<pubDate>Thu, 11 Feb 2010 06:03:05 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1489</guid>
		<description><![CDATA[On January 1, 2009, the nation&#8217;s toughest breach notification law took effect in California, where providers were required to report any breach of protected health information to the patient and the state within five business days.
The state government was flooded with breach notifications, receiving 2,490 reports of breach incidents through December 31, 2009, according to [...]]]></description>
			<content:encoded><![CDATA[<p>On January 1, 2009, the nation&#8217;s toughest breach notification law took effect in California, where providers were required to report any breach of protected health information to the patient and the state within five business days.</p>
<p>The state government was flooded with breach notifications, receiving 2,490 reports of breach incidents through December 31, 2009, according to the California Department of Public Health, Center for Health Care Quality (CDPH), which is responsible for collecting the notices and investigating cases.</p>
<p>Of the cases reported, CDPH has completed 1,291 investigations, with all but 120 confirmed as privacy breaches. At year&#8217;s end, 484 cases were still under investigation, and the balance were pending investigation.</p>
<p>The vast majority of all reported breaches &#8211; 2,290 &#8211; were unintentional, typically involving business mistakes, says Kathleen Billingsley, CDPH deputy director. The most common incident reported involved patient health information accidentally sent to the wrong destination; for example, a patient&#8217;s chart faxed to the wrong Dr. Smith.</p>
<p>However, of the confirmed breaches, 96 occurred due to malicious, intentional acts by healthcare workers, an average of 8 per month.<span id="more-1489"></span></p>
<h5>&#8220;Higher Standard,&#8221; Better Safeguards Needed</h5>
<p>The number of reported malicious breaches came as a personal surprise to Billingsley, who has a nursing background. &#8220;I&#8217;m surprised at the lengths people will go to try to access information that they are not authorized to access,&#8221; she says. &#8220;Some individuals will actually go and get a new password and use a separate computer in order to view information.&#8221;</p>
<p>Other malicious cases involved healthcare employees looking at unattended records, searching patients&#8217; billing information, and reviewing their lab results. In addition to an educational reminder that &#8220;we need to hold ourselves to a higher standard as healthcare workers,&#8221; Billingsley says these breaches show changes to EHR systems are needed to better prevent unauthorized access to patient records.</p>
<h5>A Year of Interpretation and Clarification</h5>
<p>CDPH spent part of the last year interpreting state law and educating providers on exactly what type of breach incidents should be reported. This was the department&#8217;s biggest challenge in implementing the landmark breach notification law, Billingsley says.</p>
<p>In July CDPH sent a letter to all healthcare providers clarifying parts of the breach notification law. In that letter, Billingsley stated that healthcare organizations do not need to submit a notification if the incident involved a misdirected internal paper record, e-mail, or fax that was sent to another healthcare worker within the same facility.</p>
<p>For example, &#8220;If I wanted to fax something to the lab, but inadvertently I push a button and it goes to radiology instead,&#8221; Billingsley says. &#8220;We received a multitude of those.&#8221;</p>
<p>Billingsley&#8217;s letter was in response to the &#8220;overwhelming&#8221; number of these types of incidents being reported to CDPH, which felt these cases presented a low risk to the patient and did not warrant a state investigation under current law, Billingsley says.</p>
<p>However, she was surprised by the high number of these incidents, and she wrote in the letter that facilities should review their internal policies and procedures to prevent similar occurrences in the future.</p>
<h5>Cautious with Fines</h5>
<p>Depending on the severity of the breach, providers can be fined up to $25,000 per patient for the initial breach, and $17,500 for each subsequent breach. Penalties can reach up to $250,000 per incident. Further, CDPH can refer cases to the California Office of Health Information Integrity (CalOHII), which can conduct its own investigation and both fine specific individuals as well as refer them to their professional licensing boards for additional sanctions.</p>
<p>CDPH was cautious in issuing fines during the first year, because the department was fine-tuning its process, Billingsley says.</p>
<p>The department issued $437,500 in fines to healthcare providers in 2009. All of those fines were assessed in two cases against Los Angeles-based Kaiser Permanente Bellflower Hospital, which was involved in a <a href="http://journal.ahima.org/2009/04/02/celebrity-test-ca-privacy-laws/" target="_blank">breach of &#8220;Octomom&#8221; Nadya Suleman&#8217;s medical records</a>.</p>
<p>The pace of fines will pick up in 2010, Billingsley says, with new penalty announcements pending.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2010/02/11/california-breach-reports-2009-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Few Requests for Today’s Accounting</title>
		<link>http://journal.ahima.org/2010/02/01/few-requests-accounting/</link>
		<comments>http://journal.ahima.org/2010/02/01/few-requests-accounting/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 13:04:27 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1441</guid>
		<description><![CDATA[Provisions within the American Recovery and Reinvestment Act extend HIPAA’s accounting of disclosure regulations for providers who maintain electronic health records. The provisions are intended to give patients more information on how their protected health information is used.
The original regulations have been in effect for nearly seven years now. How often have patients availed themselves [...]]]></description>
			<content:encoded><![CDATA[<p>Provisions within the American Recovery and Reinvestment Act extend HIPAA’s accounting of disclosure regulations for providers who maintain electronic health records. The provisions are intended to give patients more information on how their protected health information is used.</p>
<p>The original regulations have been in effect for nearly seven years now. How often have patients availed themselves of the right? What do consumers want or expect from a disclosure? And what challenges do accountings pose for covered entities?</p>
<p>In December 2009 the Journal surveyed AHIMA members on the accountings their organizations have provided to date. Their answers offer a snapshot of the accounting of disclosure experience so far.</p>
<p>In total, 157 HIM professionals responded to the survey. Nearly 60 percent reported that their organization had never received a request for an accounting. Only 14 percent had averaged one or more requests each year since 2003.<span id="more-1441"></span></p>
<p><a href="http://journal.ahima.org/wp-content/uploads/acct_fig1.jpg"><img class="alignleft size-medium wp-image-1439" style="float: left" title="AoD_fig1" src="http://journal.ahima.org/wp-content/uploads/acct_fig1-300x227.jpg" alt="AoD_fig1" width="300" height="227" /></a></p>
<h5>The Struggle to Account</h5>
<p>When the accounting of disclosure rule was published, HIM professionals foresaw a great administrative challenge, and most expected the resulting value would be small. The following years have borne that out.</p>
<p>Maintaining manual logs is time-consuming, yet the introduction of health IT systems is making the situation worse before it makes it better. As organizations transition to electronic systems incrementally throughout their facilities and departments, record keeping is splitting into paper and electronic systems, adding to the challenge of tracking disclosures. Several respondents whose organizations are farther ahead on the IT curve report that new systems are beginning to ease the workload.</p>
<p>However, for nearly all respondents, tracking disclosures is a frustrating challenge and a near impossibility. Most report that the way their organizations disclose information—from multiple departments through disparate IT systems—makes it difficult to compile a complete and accurate accounting.</p>
<p>Within this decentralized and hybrid environment, it is a challenge to educate and manage the many staff who disclose information, such as those in lab, radiology, and physical therapy. Accordingly, survey respondents report that they cannot vouch for the completeness of the organization’s disclosure record.</p>
<h5>Is There a Better Way?</h5>
<p>Asked if there were a way to measure the value of the current accounting function, respondents replied universally that there was not. </p>
<p>However, some respondents noted the rule offers benefits that may not be quantifiable. The very process of compliance raises staff awareness of privacy, benefits service to patients, and can improve internal processes.</p>
<p>Few respondents could suggest an alternate method or tool that would better meet patient expectations. The biggest challenges relate to logging disclosures, so presumably better tracking and centralized reporting across an organization’s IT systems would improve accuracy and reduce the burden.</p>
<p>However, some respondents did recommend that a low-tech, high-touch effort to communicate with and educate patients on disclosure would improve the situation. Explaining which disclosures are mandatory and what information is tracked under the current law could meet many consumer needs. Some respondents believe this would be more helpful than providing a log of every disclosure for administrative or clinical use, a requirement of the new ARRA provisions.</p>
<p>It may be difficult to envision a better system in part because the industry may not truly understand what consumers want. Survey respondents whose facilities have fulfilled requests estimated that consumers are roughly split between seeking improper disclosures only, seeking out disclosures to a specific person, and just generally reviewing the record. Approximately a third did not know why accountings were requested.</p>
<p><a href="http://journal.ahima.org/wp-content/uploads/acct_fig2.jpg"><img class="alignleft size-medium wp-image-1440" style="float: left" title="AoD_fig2" src="http://journal.ahima.org/wp-content/uploads/acct_fig2-300x202.jpg" alt="AoD_fig2" width="300" height="202" /></a><br />
Several respondents pointed out that ARRA’s new breach notification requirements may meet the needs of those patients who are interested in improper disclosures only. However, as one respondent pointed out, a patient who is informed that his or her information was subject to improper disclosure may well ask to see a record of all disclosures.</p>
<h5>ARRA Ups the Ante</h5>
<p>In many ways, the new accounting of disclosure requirements in ARRA set forth what EHR systems should be able to do, not what they can do.</p>
<p>ARRA modifies HIPAA to require that covered entities using EHR systems provide an accounting of all record disclosures. This represents a major change from the current rule, which exempts disclosures for treatment, payment, and healthcare operations. However, ARRA shortens the accounting period to three years from the date of the request.</p>
<p>ARRA also requires that covered entities account for the disclosures of their business associates or require the associates to make their own accounting.</p>
<p>Covered entities using EHR systems purchased before January 1, 2009, have until January 1, 2014, to comply. Entities that purchased systems after that date must be compliant by January 1, 2011.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2010/02/01/few-requests-accounting/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Breach Notification Scenarios</title>
		<link>http://journal.ahima.org/2010/02/01/breach-notification-scenarios/</link>
		<comments>http://journal.ahima.org/2010/02/01/breach-notification-scenarios/#comments</comments>
		<pubDate>Mon, 01 Feb 2010 13:02:06 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1409</guid>
		<description><![CDATA[In September 2009 the Department of Health and Human Services released an interim final rule describing a covered entity’s responsibilities to notify victims of a breach to their personal health information. The new rule was the result of provisions in the American Recovery and Reinvestment Act. Penalties for noncompliance take effect February 22, 2010.
How well [...]]]></description>
			<content:encoded><![CDATA[<p>In September 2009 the Department of Health and Human Services released an interim final rule describing a covered entity’s responsibilities to notify victims of a breach to their personal health information. The new rule was the result of provisions in the American Recovery and Reinvestment Act. Penalties for noncompliance take effect February 22, 2010.</p>
<p>How well do you know the ins and outs of the rule? It’s complicated, and there are many moving parts. Test your knowledge on the four breach scenarios that follow. Select the one best answer for each scenario. Each correct answer is based directly on a given section of the rule.</p>
<p>Download a PDF of the scenarios <a href="http://journal.ahima.org/wp-content/uploads/BreachNotificationScenarios.pdf">here</a>, which includes commentary from the IFR and results of a poll of 500 AHIMA members who were quizzed on the scenarios already.</p>
<h5>Scenario 1</h5>
<p><strong>Inadvertent disclosure of deceased patient information</strong></p>
<p>General Hospital recently provided Mr. J. Smith with a copy of his complete medical record from his last visit. Accidentally contained within the copies was the history and physical report of Mr. Robert Lewis. Mr. Smith, who is dissatisfied with General Hospital, called the HIM department to report the misdirected history and physical, complaining that the mistake was just another example of the substandard practices at General Hospital. <span id="more-1409"></span></p>
<p>Mr. Smith refused to return the history and physical. He insisted he would call Mr. Lewis personally to inform him of the hospital’s incompetence. Further investigation revealed that Mr. Lewis is deceased. The hospital’s records do indicate the name and address of Mr. Lewis’s next of kin. In response to this breach the hospital should:</p>
<ol>
<li>Do nothing, because Mr. Lewis is deceased.</li>
<li>Notify the hospital attorney. Secure a court order and seize the records from Mr. Smith.</li>
<li>Notify Mr. Lewis’s next of kin. Notify the security incident response team. Contact Mr. Smith and formally ask that he return the history and physical to the hospital.</li>
<li>Arrange for a face-to-face meeting with Mr. Smith to seek return of the history and physical.</li>
</ol>
<p><strong>Answer:</strong></p>
<div id='SID106554465'>
<p><strong>3.</strong> §164.404(d)(1)(ii) of the interim final rule requires that if the individual is deceased, notice must be sent to the last known address of the next of kin or personal representative, if the address is on file.</p>
</div>
<h5>Scenario 2</h5>
<p><strong>Missing back-up tape</strong></p>
<p>A hospital back-up tape containing unencrypted health information, names, and Social Security numbers of thousands of patients is lost or possibly stolen in delivery to off-site storage. The healthcare organization serves patients across a five-state area, with thousands of victims located in each of the states. In response to this security breach the organization should:</p>
<ol>
<li>Comply with the breach notification regulations of all five states. File a year-end report with the secretary of Health and Human Services.</li>
<li>Comply with the breach notification regulations of the state in which the healthcare organization is incorporated. Follow federal breach notification regulations by notifying victims and the secretary of Health and Human Services. Do not notify the media.</li>
<li>Comply with all applicable federal breach notification requirements only.</li>
<li>Comply with the breach notification regulations of all five states. Comply with federal breach notification regulations by notifying the victims, the secretary of Health and Human Services, and major media in each state without unreasonable delay.</li>
</ol>
<p><strong>Answer:</strong></p>
<div id='SID264367051'>
<p><strong>4.</strong> Because the breach poses reasonable risk of harm, and because it involves more than 500 people in total, it requires notification of individuals (§164.404) and the HHS secretary (§164.408) without unreasonable delay. Because the breach involves more than 500 people in each state, §164.406 requires notification of major media in each state.</p>
<p>Federal regulations do not preempt state laws, and entities thus must comply with state law as appropriate. Further, entities must comply with laws for those states within which the breach victims reside.</p>
</div>
<h5>Scenario 3</h5>
<p><strong>Misdirected e-mail within network</strong></p>
<p>A clinical laboratory staff member accidentally e-mails patient biopsy reports to the office of an urgent care center. The urgent care center is affiliated with the same healthcare network as the clinical laboratory.</p>
<p>The employee of the urgent care center notifies the clinical laboratory supervisor of the misdirected e-mail. The supervisor instructs the employee to delete the e-mail, and the clinical laboratory receives a confirmation that the e-mail was deleted. In response to this misdirected e-mail, the organization should:</p>
<ol>
<li>Do nothing, because the e-mail has been deleted.</li>
<li>Send a breach notification to every patient whose biopsy report was in the e-mail.</li>
<li>Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.</li>
<li>Inform both employees that they are under investigation. Suspend the employee responsible for sending the misdirected e-mail pending a further forensic investigation. Seize the computer of the employee receiving the misdirected e-mail and perform an audit for inappropriate activity.</li>
</ol>
<p><strong>Answer:</strong></p>
<div id='SID1893255218'>
<p><strong>3.</strong> The misdirected e-mail was an unintentional access by a workforce member of the covered entity. It was made in good faith and within the scope of authority, and it did not result in further use or disclosures in a manner not permitted by the privacy rule. The clinical laboratory is responsible for documenting this determination, however.</p>
</div>
<h5>Scenario 4</h5>
<p><strong>Patient names disclosed outside the network</strong></p>
<p>A list of clinic patient names is accidentally sent to a physician’s office that is not affiliated with the clinic. The list does not include the name of the clinic or any other identifying information about the patients.</p>
<p>The doctor receiving the misdirected list mails it back to the clinic. No other use or disclosure was made of the list. In response to this incident the clinic should:</p>
<ol>
<li>Do nothing, because the list was returned.</li>
<li>Send a breach notification to every patient on the list.</li>
<li>Document the determination that the incident does not represent a significant risk of harm. Do not send a breach notification.</li>
<li>Because the physician’s office viewed the list of patient names, it would be required to issue breach notification letters to all individuals on the list.</li>
</ol>
<p><strong>Answer:</strong></p>
<div id='SID422482146'>
<p><strong>3.</strong> The names on the list are not linked to a healthcare provider, diagnosis, or treatment. Thus no privacy rule violation or security breach resulting in harm to the individuals has occurred. The clinic is responsible for documenting this determination, however.</p>
</div>
<address>Use for an organization’s internal educational purposes permissible without request as long as proper citation is made. Commercial use is not permitted. A version of scenario 1 was originally published in the February 2010 print edition.</address>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2010/02/01/breach-notification-scenarios/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Privacy Policies for Social Media</title>
		<link>http://journal.ahima.org/2010/01/06/social-media-policies/</link>
		<comments>http://journal.ahima.org/2010/01/06/social-media-policies/#comments</comments>
		<pubDate>Wed, 06 Jan 2010 22:23:07 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1282</guid>
		<description><![CDATA[The social media site Facebook had become more than just a way for staff at Innovis Health to catch up with friends.
In November 2008, nurses at the Fargo, ND–based healthcare system began using Facebook to provide unauthorized shift change updates to their co-workers. What once would have been a conversation became an update on their [...]]]></description>
			<content:encoded><![CDATA[<p>The social media site Facebook had become more than just a way for staff at Innovis Health to catch up with friends.</p>
<p>In November 2008, nurses at the Fargo, ND–based healthcare system began using Facebook to provide unauthorized shift change updates to their co-workers. What once would have been a conversation became an update on their personal Facebook pages.</p>
<p>It was a convenient tool, because the nurses had “friended” each other through Facebook and thus could quickly read what each other wrote on their pages. They did not use patient names, but they did post enough specifics about patients so that the incoming nurses could prepare for their shift.</p>
<p>The problem was that everyone else “friended” to their Facebook pages could also read the information.<span id="more-1282"></span></p>
<p>“I was shocked, after everything—all the reinforcing of HIPAA and privacy—and then for that to happen. It really took me by surprise,” says Becky Kirsch, RHIT, CCS, the director of health information management and privacy officer at Innovis Health.</p>
<p>“We needed to remind staff that that was certainly a HIPAA violation. Even if you don’t use patient names, [someone else] can still put two and two together.</p>
<p>“Think if the employee has 300 friends, then 300 people could see that.”</p>
<p>When Kirsch and other Innovis management learned of the practice, they quickly implemented stricter policies and prohibitions regarding staff use of social media.</p>
<p>Social media platforms like <a href="http://www.facebook.com" target="_blank">Facebook</a>, <a href="http://www.myspace.com/" target="_blank">MySpace</a>, and <a href="http://twitter.com/" target="_blank">Twitter</a> enable people to easily and instantly share information with friends, family, and even the world. Their use has become mainstream. Facebook alone reported 350 million active users as of December 2009. <a name="top"></a>[Read more about Facebook <a href="#1">below</a>.]</p>
<p>But if staff use social media to talk about work—sharing sensitive patient or proprietary business information—that same easy use and powerful reach broadcasts guarded information to large numbers of people. The release of sensitive information over social media can harm an organization&#8217;s reputation, violate HIPAA, and lead to breach notifications and hefty fines.</p>
<h5>Inadvertent Disclosures Most Common</h5>
<p>Privacy breaches via social media can be malicious or inadvertent.</p>
<p>Disgruntled employees can use social media sites to broadcast confidential information about the organization. Staff can also release personal health information about patients via social media, disclosing a celebrity’s treatment details or leaking the CEO’s medical visit to the facility.</p>
<p>But in most cases, as with the nurses at Innovis, employees do not disclose protected information intentionally. Typically they do so when discussing their days or unusual healthcare cases they witnessed—acts they mistakenly feel do not violate patient privacy.</p>
<p>In late 2009, Innovis Health had another social media incident when an Innovis clinic first responder wrote on Facebook about a strange medical situation they had witnessed that day. No patient names were used; the first responder was simply intrigued by the incident and wanted to share the experience with friends after returning home from work, Kirsch says.</p>
<p>Privacy and security expert Chris Apgar, CISSP, is president of Apgar and Associates, based in Portland, OR. He believes that social networking tools and related communication technologies such as texting now represent significant risks to the privacy and security of health information.</p>
<p>Apgar echoes Kirsch’s warning that omitting a patient’s name does not guarantee that the person cannot be identified. The uniqueness of a situation alone could allow people to reasonably identify a patient. If healthcare employees post any information that can be used to re-identify an individual, they have inappropriately disclosed protected health information, he notes.</p>
<p>“That is a breach, it puts everybody at risk,” he says. “And the problem with Facebook and Twitter is once it is out there on the Internet, it is out there, it is not something that [someone] can easily get back.”</p>
<p>In addition, information sent via social media technologies is usually unencrypted and therefore unsecured. That represents a risk even in direct communication between two people.</p>
<h5>Policies Necessary</h5>
<p>The widespread popularity of social media is fairly recent, and many healthcare organizations have yet to address it directly in written policies. For those that have not, now is the time to start, Apgar says.</p>
<p>Although the technologies are new, addressing their use may not require new or unique policies. Organizations typically can extend existing policies to include social media. Many organizations already have an Internet and e-mail usage policy in place, and social media specifics can simply be added to this policy, he suggests.</p>
<p>In April 2009, Kaiser Permanente published an organization-wide social media policy that explains appropriate staff use of social media—both on Kaiser’s own social media sites as well as non-Kaiser sites.</p>
<p>The policy, posted publicly on Kaiser’s Web site, specifies that Kaiser employees may not post any proprietary information about the organization on social media or “do anything that might reasonably create the impression that they are communicating on behalf of or as a representative of Kaiser Permanente.” The policy prohibits employees from discussing any patient information via social media, even if a patient is not identified by name.</p>
<p>“If there is a reasonable basis to believe that the person could still be identified from that information, then its use or disclosure could constitute a violation of HIPAA and Kaiser Permanente policy,” the policy states. It applies to staff using social media both at work and during their own personal time.</p>
<p>Marketing and human resources departments typically develop and implement social media policies, and IT departments provide technical assistance in enforcing them, such as blocking banned Web sites from computers. Privacy officers should be involved to ensure policies fully address all privacy concerns.</p>
<p>Beginning with a risk analysis is a good first step, Apgar recommends. Once the risks are evaluated, the organization can begin writing the policies and procedures to address them.</p>
<p>Bad headlines are the least of a facility’s worries. Lawsuits for the disclosure of a patient’s protected health information can reach the millions of dollars, Apgar says. New changes to the HIPAA privacy and security rule allow the government to issue greater fines and even prosecute individuals for malicious breaches. “There are people sitting in jail right now for criminal violations of HIPAA,” Apgar says.</p>
<h5>A Complete Ban at Work?</h5>
<p>Some organizations choose to completely ban the use of social media on work computers. </p>
<p>St. Vincent’s Medical Center’s Behavioral Health Services blocks employee access to social media sites, and its Internet policies state that use of such sites is banned, says Elisa Gorton, RHIA, MAHSM, the director of revenue cycle and privacy officer at the Westport, CT–based organization.</p>
<p>Gorton does not feel the ban is extreme, because use of social media is not a requirement of anyone’s job description. “Employees should be working at work, they shouldn’t be on Facebook,” she says.</p>
<p>Apgar recommends that healthcare organizations block staff access to all social media sites including MySpace, Twitter, and Facebook. This is the best way to mitigate the risk involved with the sites, he says.</p>
<p>Banning use of social media at work also sends a clear message that staff should refrain from discussing work on the sites, according to Bonnie Anderson, MBA, CCISM, RHIA, director of information security and network at HealthEast Care System in Saint Paul, MN.</p>
<p>“We know this could be done in off hours at one’s home, but if we allow it from HealthEast’s network, we are enabling it,” Anderson says. “It almost seems like if we are allowing them to do it here it is like unwritten approval or implied consent.”</p>
<p>But not all organizations agree. Some do not block access from work computers, and others allow staff to use social networking sites during breaks or in lounges placed away from the hospital floor. Although Innovis Health has now blocked access to social media sites at work stations, staff can still access the sites on computers in the employee break room lounge.</p>
<p>“We consider it their own time,” Kirsch says. “It is their break to do as they choose.” However, she notes that access could be revoked once Innovis’s new social media policy is finalized.</p>
<p>Organizations that allow access to social media sites still should conduct a privacy and security risk analysis and document their assessment, Apgar says. This shows an organization has evaluated and accepted any risk associated with social media use.</p>
<p>Secondly, facilities must put in place an enforceable policy that states the terms of appropriate use. Policies should spell out that staff cannot disclose protected health information through social media sites. “Say ‘it is okay to use it, but here are the prohibitions,’” Apgar recommends.</p>
<p>Taking these steps shows the organization did not “willfully neglect” the risk of a breach associated with social media. New provisions in the HITECH Act state that if an organization willfully neglects a privacy risk, it can be investigated and fined by the federal government, Apgar says. If a privacy incident does occur through social media, an organization can point to its assessment and policies and show it evaluated the risk and demonstrated due diligence.</p>
<h5>Addressing All Use, Anywhere</h5>
<p>Organizations that ban use of social media at work are under no illusion that their risks are eliminated. That is why policies also must include language that addresses employee use of social media during personal time. Staff can just as easily post information about patients or their organizations from their home computers or mobile phones.</p>
<p>Mobility and social media go hand-in-hand. An estimated 65 million people access Facebook via their phones, and they represent the most active users, according to the company. Twitter thrives on “tweets” sent from mobile phones, and even blogs can be run from a phone. A photo snapped on a phone in a hospital lobby could be on the Internet within seconds.</p>
<p>Social media policies should prohibit employees from discussing work-related information on blogs, social media, and other Internet platforms. Like the Kaiser policy, all social media policies should state that employees must not declare themselves as representatives or spokespeople for their organizations.</p>
<p>HealthEast Care System began developing a policy on social media after an employee reported to management that a Facebook friend and coworker was using Facebook to vent about work and inappropriately discuss patient cases, says LaVonne Wieland, RHIA, CHP, the information privacy director.</p>
<p>The HealthEast policy covers Facebook, Twitter, MySpace, LinkedIn, comments posted to a blog, YouTube, wikis, chat rooms, and any other social networking sites. Those who violate the social media policy can be terminated from employment, Wieland says.</p>
<p>It is impossible for an organization to monitor the social media activities of its employees, making it difficult to enforce social media policies. Instead, organizations must focus on education and awareness and encourage staff to report any breach of policy they may witness on other sites.</p>
<p>“We tell employees that it is their obligation to notify their supervisor or the privacy officer if they come across anything [on social media sites] that is a suspected breach of confidentiality,” Kirsch says.</p>
<p>When alerted to inappropriate posts, St. Vincent’s Behavioral Health Services staff has contacted current and former staff members and requested they erase the proprietary information or face corrective action.</p>
<h5>Education and Awareness Critical</h5>
<p>The biggest risk with social media is that many healthcare employees do not realize that posting stories about nameless patients is still a HIPAA violation, Kirsch says. When questioned about their use of Facebook, for example, the Innovis nurses involved in the 2008 incident stated they thought they were doing a good thing—preparing the next shift to provide great care.</p>
<p>As Kirsch began talking with other staff in the organization, she found more who assumed that their posts were harmless because they did not mention patients by name and only their Facebook friends could read what they wrote.</p>
<p>As Innovis’s IT department blocked access to social media sites and the marketing department developed specific social media policies, Kirsch began providing the entire organization with refresher courses on HIPAA, specifically discussing the use of social media.</p>
<p>At HealthEast Care System, Wieland now includes social media when reviewing privacy policies with new employees. “If we are talking about a patient, we are breaching their privacy,” Wieland says, “whether we have used their name or not.</p>
<p>“I tell them that it is not appropriate to talk about patients or things at work on social networking or any open, public spot,” Wieland says. “What you see and hear at work stays at work.”</p>
<p>That core privacy principle is unchanged, regardless of technologies or trends.</p>
<p>“Facebook is very popular right now, so we need to remind each other that we should not be discussing any information about our patients, in any form, outside of work,” Kirsch says. “The ‘need to know’ aspect is huge. Do you truly need to post that information on social media? And the answer is no.” ♦</p>
<p> &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br />
<a name="1"></a></p>
<h6><span style="color: #000080;">What Is Facebook?</span></h6>
<p>“Social media” describes accessible and inexpensive (often free) Web-based tools used to communicate widely, quickly, and easily. Popular examples include Facebook, MySpace, and Twitter. Blogs are a form of social media that contrast with traditional media such as newspapers and radio. Social media users can post personal information, search for and communicate with other users, send direct or broadcast messages, and e-mail.</p>
<p>Facebook is the fastest-growing social media utility. Created in 2004 by four Harvard college students, the site boasted 350 million active users by December 2009. Half of those users are on the site on any given day, according to the company. The average user spends more than 55 minutes on the site per day.</p>
<p>Facebook is free to use. Members create profiles featuring pictures and personal information. They then “friend” other members, which allows them to view and post comments on their friends’ sites and introduces them to their friends’ friends.</p>
<p>That online networking is creating what the company calls “the social graph, the digital mapping of people&#8217;s real-world social connections.”</p>
<p>Users choose among three levels of privacy settings, which generally limit who has access to which information on their pages. Users can also form more private “groups.” The service also allows for direct e-mail and instant messaging between friends. [<a href="#top">back</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2010/01/06/social-media-policies/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>More Delays for the Red Flags Rule</title>
		<link>http://journal.ahima.org/2009/11/02/more-delays-for-the-red-flags-rule/</link>
		<comments>http://journal.ahima.org/2009/11/02/more-delays-for-the-red-flags-rule/#comments</comments>
		<pubDate>Mon, 02 Nov 2009 18:06:20 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1217</guid>
		<description><![CDATA[The Federal Trade Commission has announced a new delay for the Red Flags Rule. Enforcement will now begin June 1, 2010.
The delay, announced October 30, comes at the request of Congressional members, the FTC said. The rule was scheduled to go into effect November 1.
The announcement comes a week after the House of Representatives passed an [...]]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission has <a href="http://www.ftc.gov/opa/2009/10/redflags.shtm" target="_blank">announced a new delay</a> for the Red Flags Rule. Enforcement will now begin June 1, 2010.</p>
<p>The delay, announced October 30, comes at the request of Congressional members, the FTC said. The rule was scheduled to go into effect November 1.</p>
<p>The announcement comes a week after the House of Representatives passed <a href="http://journal.ahima.org/2009/10/22/exception-coming-on-red-flags-rule/" target="_blank">an amendment to the rule</a> that would exclude certain businesses, including small healthcare, accounting, and legal practices. The House bill is currently in the Senate.</p>
<p>On the day the FTC announced the delay, the US District Court for the District of Columbia ruled that the FTC may not apply the Red Flags Rule to attorneys.</p>
<p>This is the fourth delay for the rule, which was originally scheduled to take effect November 1, 2008. Industry groups, including healthcare providers and lawyers, have pushed for an exclusion, while others have complained that the rule lacked sufficient detail and guidance. The FTC has since been adding <a href="http://www.ftc.gov/redflagsrule" target="_blank">information and guidance online</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/11/02/more-delays-for-the-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exception Coming on Red Flags Rule?</title>
		<link>http://journal.ahima.org/2009/10/22/exception-coming-on-red-flags-rule/</link>
		<comments>http://journal.ahima.org/2009/10/22/exception-coming-on-red-flags-rule/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 13:51:26 +0000</pubDate>
		<dc:creator>Kevin Heubusch</dc:creator>
				<category><![CDATA[Physician practices]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1179</guid>
		<description><![CDATA[The oft-delayed Red Flags Rule, scheduled to take effect November 1, may be in for a major change. A bill that passed the US House October 20 and arrived in the Senate the next day would exempt, among others, healthcare practices with 20 or fewer employees from meeting the law’s requirements.
The amendment is intended to [...]]]></description>
			<content:encoded><![CDATA[<p>The oft-delayed <a href="http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml" target="_blank">Red Flags Rule</a>, scheduled to take effect November 1, may be in for a major change. A <a href="http://thomas.loc.gov/cgi-bin/bdquery/z?d111:h.r.03763:" target="_blank">bill</a> that passed the US House October 20 and arrived in the Senate the next day would exempt, among others, healthcare practices with 20 or fewer employees from meeting the law’s requirements.</p>
<p>The amendment is intended to relieve the administrative burden on small businesses.</p>
<p>The Red Flags Rule, part of the Fair and Accurate Credit Transaction Act of 2003, requires “creditors” and financial institutions to develop and implement written identity theft prevention programs. As described in the rule, creditors are organizations that maintain consumer accounts that receive multiple payments or payments made in installments.</p>
<p>In full, HR 3763 amends the Fair Credit Reporting Act to exclude “any health care practice, accounting practice, or legal practice with 20 or fewer employees.” It also excludes any other business that the Federal Trade Commission, which oversees the rule, determines:</p>
<ul>
<li>knows all its customers or clients individually;</li>
<li>only performs services in or around the residences of its customers; or </li>
<li>has not experienced incidents of identity theft, and identity theft is rare for businesses of that type.<span id="more-1179"></span></li>
</ul>
<p>The proposed amendment moved easily through the House. It was introduced October 8 and was voted on without debate on October 20. There were 400 votes to approve and no votes in opposition.</p>
<p>The House bill was received and read in the Senate and referred to the Committee on Banking, Housing, and Urban Affairs.</p>
<p>The Red Flags Rule was first scheduled to take effect November 2008. The Federal Trade Commission offered several delays to provide more guidance and give businesses more time to prepare.</p>
<h5>Provider Burden or Consumer Protection?</h5>
<p>Rep. John Adler (D-NJ) sponsored the bill. “The Federal Trade Commission went too far and went beyond the intent of Congress by considering non-financial, service-related industries to be ‘creditors’…,” he said in a floor speech before the vote.</p>
<p>“Its ruling would force thousands of small businesses to comply with burdensome, expensive regulations by forcing them to develop and implement an identity theft program.”</p>
<p>The American Medical Association also is opposed to inclusion of medical practices and has lobbied against it.</p>
<p>However, in a <a href="http://journal.ahima.org/wp-content/uploads/HR3763letter.pdf" target="_blank">letter</a> to the Senate committee chair, AHIMA argues that medical practices are already a target of identity thieves and that exempting them from the rule would motivate thieves to focus on them more.</p>
<p>AHIMA also noted that the bill has a much farther reach than might appear. Nearly half of physicians work in practices of six physicians or fewer, according to a 2008 report from the Centers for Medicare and Medicaid Services. At a time when medical identity theft and healthcare fraud are on the rise, the bill would exempt a large share of providers from having identity theft prevention programs.</p>
<p>In addition, the exemption would undermine efforts to raise awareness of identity theft and subsequent fraud within the healthcare industry, AHIMA wrote.</p>
<p>The Senate Committee on Banking, Housing, and Urban Affairs has yet to schedule discussion of the bill. With a full plate and the winter recess approaching, it is unclear if the committee will consider the House bill this year.</p>
<p><em>Updated Oct. 28</em></p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/10/22/exception-coming-on-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>No Script Needed for California Breach Notification</title>
		<link>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/</link>
		<comments>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 13:19:48 +0000</pubDate>
		<dc:creator>Chris Dimick</dc:creator>
				<category><![CDATA[ARRA]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1184</guid>
		<description><![CDATA[California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.
California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification [...]]]></description>
			<content:encoded><![CDATA[<p>California Governor Arnold Schwarzenegger vetoed a state legislature bill on October 11 that would have specified content requirements for privacy breach notifications.</p>
<p>California law requires businesses and state agencies that have unencrypted personal information lost, stolen, or improperly accessed from their databases to notify affected consumers. However, the law does not specify what information the notification letters must contain.</p>
<p><a href="http://www.leginfo.ca.gov/cgi-bin/postquery?bill_number=sb_20&amp;sess=CUR&amp;house=B&amp;search_type=email" target="_blank">Senate bill 20</a> would have ensured businesses include key information in their notices, such as the type of personal information breached, a description of the incident, the date it took place, and who to contact for more information.</p>
<p>The bill was vetoed, Schwarzenegger wrote in his explanation, because there is no evidence of a problem with the information businesses are currently providing consumers.<span id="more-1184"></span></p>
<p>The veto does not dramatically affect state healthcare organizations, which beginning September 23 must meet similar requirements under federal breach notification laws. The federal laws require companies that handle personal health information to include specific information in breach notification letters, including date of the incident and the personal information breached.</p>
<p>However, the federal provisions—part of the American Recovery and Reinvestment Act’s HITECH section—only cover healthcare businesses, leaving California organizations such as banks and educational institutions open to include as much or as little information in their breach notifications as they deem appropriate.</p>
<h5>Veto “Surprising”</h5>
<p>Senate bill 20 was proposed by state senator Joe Simitian, who said it was necessary to ensure that victims receive the information they need to understand the problem and protect themselves from harm.</p>
<p>“This is one of the most surprising vetoes I’ve gotten while I’ve been here, over nine years,” Simitian said.</p>
<p>The bill had moved through the state legislature with strong support.</p>
<p>Simitian acknowledged that the majority of the notices that go out to consumers do contain adequate, helpful information. However, he said there have been instances of vague and meaningless breach notifications.</p>
<p>A survey of data breach victims included in a 2007 University of California-Berkeley School of Law paper found that 28 percent of those receiving a breach notification did not understand the “potential consequences of the breach after reading the letter.” Simitian cited this study as well as personal conversations with confused breach notification recipients to explain why legislation is needed.</p>
<p>The proposed additions to California’s privacy law would not break new ground. Several states have added similar breach notice requirements to their privacy laws, Simitian said. Setting notification requirements could also benefit businesses by spelling out their responsibilities. Having clear-cut requirements saves businesses from guessing at what they should do to be compliant.</p>
<p>While he feels the breach notification content requirements were not necessarily a bad idea, California-based healthcare attorney Reece Hirsch said he can understand why the bill was vetoed. Hirsch, a partner with Morgan Lewis’s FDA/Healthcare regulation practice, has helped clients draft many breach notifications. The breach notification requirements proposed in the bill are considered best practices in the field and already followed, he noted.</p>
<p>“Most companies responding to a security breach under the existing law would typically include the elements that are stated in senate bill 20,” Hirsch said. “Certainly there are consumer groups who have felt that these notices are maybe confusing, not as forthcoming as they should be.</p>
<p>“But by and large I am not sure that the elements that were specified in senate bill 20 would really effect a real change in the sorts of notices that consumers are seeing under the current California law.”</p>
<h5>No Copy for the Attorney General</h5>
<p>Senate bill 20 also called on businesses to send a copy of their breach notifications to the California attorney general if the breach affected more than 500 people. The provision was included to give law enforcement and the legislature a way to track privacy breaches across industries and identify trends, Simitian said.</p>
<p>In his veto message, Schwarzenegger wrote there was “no additional consumer benefit” to the provision because the bill does not require the attorney general to do anything with the notices.</p>
<p>“I thought there was a little irony in the veto message suggesting that we didn’t have evidence of the nature of the problem, and then going on to say ‘and by the way, why on earth would you want to have a place where there is a repository of this information,’” Simitian said.</p>
<p>Under state law that took effect January 1 of this year, healthcare organizations are already required to report breaches of any size to the California Department of Public Health, Center for Health Care Quality, which has power to investigate and fine organizations.</p>
<p>However, sending a breach notice directly to the attorney general could have increased an organization’s chance of being prosecuted, Hirsch noted. The federal breach notification provisions give attorneys general the power to enforce privacy protections and take enforcement action against healthcare organizations that have experienced a breach of protected health information.</p>
<p>Though the bill was vetoed, Simitian said he will have conversations with the California governor’s office on how to get the bill passed. He plans to reintroduce the legislation next year.</p>
<h5>The Federal Content Requirements</h5>
<p>Two federal laws govern breach notification. <a href="http://journal.ahima.org/2009/08/24/hhs-releases-breach-notification-rule/" target="_blank">A rule</a> promulgated by the Department of Health and Human Services governs HIPAA covered entities; <a href="http://journal.ahima.org/2009/08/25/ftc-releases-breach-notification-rule/" target="_blank">a rule</a> published by the Federal Trade Commission applies to noncovered entities such as personal health record vendors.</p>
<p>The rule governing covered entities spells out that breach notifications must:</p>
<ul>
<li>Be written in plain language</li>
<li>Describe what happened, including the date of breach and discovery (if known)</li>
<li>Describe the types of unsecured personal information involved in the breach</li>
<li>Provide steps individuals should take to protect themselves</li>
<li>Give a brief description of what the healthcare organization is doing to investigate, mitigate harm, and protect against further breaches</li>
<li>Describe contact procedures for patient questions, including a toll-free telephone number</li>
</ul>
<p>The rule currently exists as an interim final rule, meaning that it could be modified based on public comments. The comment period ends this Friday, October 23. The FTC law governing noncovered entities has similar content requirements, though it provides less detail.</p>
<p>The California bill would have required businesses to include two items in addition to what the federal laws specify:</p>
<ul>
<li>Contact information for credit reporting agencies</li>
<li>A statement describing whether there was a delay in notification because of law enforcement investigations</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/10/22/no-script-needed-ca-breach-notification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CMS Publishes Interim Final Rule on GINA</title>
		<link>http://journal.ahima.org/2009/10/09/cms-publishes-interim-final-rule-on-gina/</link>
		<comments>http://journal.ahima.org/2009/10/09/cms-publishes-interim-final-rule-on-gina/#comments</comments>
		<pubDate>Fri, 09 Oct 2009 13:19:50 +0000</pubDate>
		<dc:creator>Meg Featheringham</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[HIM operations]]></category>
		<category><![CDATA[Privacy and security]]></category>

		<guid isPermaLink="false">http://journal.ahima.org/?p=1063</guid>
		<description><![CDATA[On Wednesday the Centers for Medicare and Medicaid Services (CMS) published the interim final rule for the Genetic Information Nondiscrimination Act (GINA). In it, CMS modifies the HIPAA privacy rule to explicitly include genetic information within the definition of health information. 
The rule also proposes to:

prohibit health plans from using or disclosing protected health information that is genetic information for [...]]]></description>
			<content:encoded><![CDATA[<p>On Wednesday the Centers for Medicare and Medicaid Services (CMS) published the <a href="http://edocket.access.gpo.gov/2009/pdf/E9-22504.pdf" target="_blank">interim final rule for the Genetic Information Nondiscrimination Act (GINA)</a>. In it, CMS modifies the HIPAA privacy rule to explicitly include genetic information within the definition of health information. </p>
<p>The rule also proposes to:</p>
<ul>
<li>prohibit health plans from using or disclosing protected health information that is genetic information for underwriting purposes;</li>
<li>revise the provisions relating to the notice of privacy practices for health plans that perform underwriting;</li>
<li>make conforming modifications to definitions and other provisions of the privacy rule; and</li>
<li>make technical corrections to update the definition of “health plan.”</li>
</ul>
<p>The interim final rule applies GINA’s prohibitions on using and disclosing protected genetic health information for underwriting to all health plans subject to the privacy rule, rather than solely to the plans GINA explicitly requires be subject to the prohibition. It also proposes applying the prohibition on using or disclosing genetic information for underwriting purposes to all health plans that are covered entities as defined by the HIPAA privacy rule.</p>
<p>CMS will accept public comments for 60 days.</p>
<p>Signed in 2008, <a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=110_cong_public_laws&amp;docid=f:publ233.110.pdf" target="_blank">GINA</a> protects individuals against discrimination in health coverage or employment based on their genetic information.</p>
]]></content:encoded>
			<wfw:commentRss>http://journal.ahima.org/2009/10/09/cms-publishes-interim-final-rule-on-gina/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
