Archive for May, 2010
The Federal Trade Commission delayed enforcement of the Red Flags Rule for a fifth time, this time extending the date seven months.
Enforcement was scheduled for June 1, 2010. It is now changed to December 31, 2010.
The FTC says on its Web site the delay comes at the request of Congress as it “considers legislation that would affect the scope of entities covered by the rule.”
Healthcare entities defined as “creditors” by the FTC must still comply with the rule by implementing a program to prevent and detect cases of identity theft. Compliance date was November 1, 2008.
“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly,” FTC Chairman Jon Leibowitz said on the FTC Web site. “We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift. As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”
The Senate filed a bill Tuesday, May 25, an awfully similar bill from the House’s in October that essentially exempts providers with fewer than 20 employees from complying with the FTC’s Red Flags Rule. The House bill passed 400-0.
The FTC says it will make enforcement effective earlier than December 31, 2010, provided Congress passes legislation before that date.
Medical and osteopathic associations Friday, May 21, sued the FTC for covering them under the Red Flags Rule, which requires them to start verifying their patients’ true identities before they agree to treat them.
The lawsuit seeks to prevent the FTC from defining physicians as “creditors” whenever they do not require payment in full at the time they provide care, and later bill them, according to the brief filed by the American Medical Association and the American Osteopathic Association and the Medical Society of the District of Columbia, the District Court where the case was filed.
“We do already have a number of rules and regulations to follow to protect patient privacy and information security, and these have recently been strengthened with ARRA and HITECH,” says Chris Simons, RHIA, director of UM & HIMS and the privacy officer
at Spring Harbor Hospital in Westbrook, Maine. “Requiring healthcare providers to follow the Red Flags Rule is just another regulatory hoop for us to jump through.”
Simons, who will speak on HCPro, Inc.’s June 9 audio conference, “Prevent Medical Identity Theft and Comply with FTC Requirements Now,” says there is never enough training and monitoring regarding best security and privacy practices.
However, she says, “I don’t think this adds significantly to what we already do.”
Bonnie McLaughlin, a development analyst for Medical Information Technology, Inc. in Westwood, MA, says she is “horrified” by the attempt to exempt physician practices from the Red Flags Rule.
“It is just as possible that someone can use my identity/insurance/financial information when presenting at a physician’s office as it would be in a larger healthcare setting,” McLaughlin says.
McLaughlin says devising a Red Flags Rule policy “can be relatively simple.”
“If these providers would simply read through the ruling and understand exactly what is involved in meeting this requirement, they would have already been able to meet the criteria in the amount of time they have taken resisting being held accountable,” she says.
Q: Does the Health Information Technology for Economic and Clinical Health (HITECH) Act supersede our contracts with third-party health insurance policies if the patient pays for the office visit in cash?
A: HITECH gives patients the right to restrict disclosure of their health information for billing purposes for any services for which they have paid in full. In these situations, you may not bill insurance companies or even disclose that you provided services.
Mary D. Brandt, MBA, RHIA, CHE, CHPS answered this question in the June 2010 issue of the HCPro newsletter Health Information Compliance Insider. For more information about this newsletter visit the HCMarketplace.
The HIPAA Security Rule requires a covered entity to conduct a risk assessment.
To save money, try to do your risk assessment yourself first, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix and principal of HIPAA Boot Camp in Casa Grande, AZ. If you’re uncomfortable conducting the first risk assessment alone, hire someone with well-established credentials.
Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, president of Margret\A Consulting, LLC, in Schaumburg, IL, says an outside set of eyes helps determine where an organization’s vulnerabilities lie.
Someone from outside the organization can bring people together and complete a comprehensive assessment, looking at both privacy and security needs, she says.
Organizations should consider their choices carefully, Amatayakul says. It’s possible to spend thousands of dollars purchasing unnecessary items. For example, one hospital wanted a vulnerability scan that ultimately would not do what the hospital wanted, she says.
Editor’s note: The preceding is an excerpt of an article in the April 2010 issue of the HCPro, Inc. newsletter, Briefings on HIPAA. See next week's HIPAA Weekly Advisor for more tips.
HIPAA’s privacy and security enforcer has hired an outside firm to help build its HITECH-required HIPAA auditing plan, the government agency tells HIPAA Update.
The Office for Civil Rights (OCR), which carries out for the Department of Health & Human Services (HHS) enforcement of the HIPAA privacy and security rules, says it does not have a timetable for when the audit plan begins.
However, in an e-mail to HIPAA Update Thursday, May 20, OCR says it is “presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement.”
The firm is Booz Allen Hamilton.
HITECH, signed into law by Congress February 17, 2009, requires OCR to conduct “periodic audits” of covered entities regarding HIPAA privacy and security compliance. The contractor will help OCR with the “how” and “when” of the audit program.
Sue McAndrew, the deputy director for Health Information Privacy for OCR, told HealthLeaders Media at the 18th Annual National HIPAA Summit in February that “there are 1,000 ways to do this.”
Talk of enforcement heated up this month at a national security conference, according to Mac McMillan, CEO of CynergisTek™ and one of the speakers at the Washington, DC, conference–”Safeguarding Health Information: Building Assurance through HIPAA Security.” The conference was hosted by HHS, OCR and National Institute of Standards and Technology (NIST).
MacMillan praised OCR for what he called a “proactive” approach to carrying out the provisions in the HITECH and maintaining transparency in the process. He said the longtime privacy enforcer, which this year took over enforcement of the security rule from CMS, is “doing a much better job than its predecessor.”
“OCR is much more organized and is quietly getting its stuff together,” says MacMillan, who has had conversations with top OCR officials. “With CMS, enforcement just didn’t really fit. OCR on the other hand has been in the business of investigating privacy issues since Day 1.”
When asked if it will audit entities who report breaches of unsecured protected health information (PHI) affecting 500 or more individuals, OCR tells HealthLeaders Media it has not “determined how the HITECH audit requirement will be implemented.”
HITECH requires OCR to post on its website those entities who report the 500-or-more patient information breaches.
As for breaches below the 500 mark, OCR says it does not intend to publish breach information on those report.
“However,” OCR says, “summary data will be included in OCR’s annual report to Congress about breaches.”
Though no enforcement plans have been announced regarding HITECH provisions, OCR says it is serious about it. OCR gained 36 FTEs dedicated to HIPAA privacy and security rule compliance and enforcement this fiscal year and is now up to 132.
OCR has obtained corrective action—meaning entities taking significant and important actions to change practices to come into compliance with the privacy rule—in more than 14,900 cases since 2003.
“They’re focused clearly on compliance,” McMillan says. The CEO praised OCR for reaching out to the industry–and general public–regarding its “Request for Information for Accounting of Disclosures Rulemaking.”
In that May 3 Federal Register posting, OCR asks providers and the public several questions to help it produced a proposed rule on accounting of disclosures on EHRs; that HITECH provision is due out in June and gives patients greater rights to disclosures on their EHRs.
“They’re engaged,” McMillan says. “They’re not afraid to talk about this. I think they’re doing a lot more that most folks aren’t seeing yet.”