Fitzpatrick Lentz & Bubba, P.C.—Attorneys at Law

Health Care E-Newsletter—Volume 1

Recent Changes to HIPAA Under the HITECH Act and the Red Flag Rules

Fitzpatrick Lentz & Bubba Expands Health Care Group


Two new attorneys recently joined the Firm's Health Care Group. Deirdre J. Kamber joined the Firm as an associate attorney in October. Ms. Kamber earned her Bachelor's degree from Brandeis University, a distinguished Master's degree in International Relations from the University of Limerick, Ireland, and her Juris Doctorate from Hofstra University School of Law. Her practice focuses on the fields of employment, labor and health care privacy including federal and state anti-discrimination laws, wages and statutory benefits, military reemployment, labor relations, school law, HIPAA, unemployment compensation and contracts. She is a certified HIPAA professional. In addition to her law practice, Ms. Kamber serves as Diversity Chair for the Society for Human Resource Management Lehigh Valley (SHRM) and frequently speaks about employment and health care issues.

John P. Rice joined the Firm in November of 2009. Mr. Rice earned his Bachelor's degree from Johns Hopkins University, and his Juris Doctorate from the University of Pittsburgh School of Law. Prior to law school, Mr. Rice participated in the JET Program teaching English as a foreign language at a junior high school in Kyoto, Japan. Most recently Mr. Rice worked in Pittsburgh at the Jewish Healthcare Foundation and interned at Horty, Springer & Mattern, P.C., a national law firm devoted exclusively to health law and health care organizations. Mr. Rice's practice focuses primarily on physician-hospital relations and medical staff matters.

I. Changes Generally

In the face of complicated and inconsistent application of the Health Insurance Portability and Accountability Act (HIPAA), and in light of significant concerns about identity theft involving both medical and non-medical personal information, two major pieces of legislation will have a significant impact on the health care industry.

The first, the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), was enacted in February 2009 as part of the federal stimulus package and substantially amends HIPAA, with implementing regulations issued by the U.S. Department of Health and Human Services ("DHHS"). Many of its changes took effect on February 17, 2010, and compliance is already under public scrutiny. The second, the Red Flag Rules ("RFR"), was issued by the Federal Trade Commission in response to growing concerns about identity theft and fraud. Most RFR obligations take effect in June 2010.

Both laws address the protection of personal information and its theft. Because of the overlap, many in the health care community expected that the HITECH Act would govern health care entities and that the Red Flag Rules would not apply. The American Medical Association ("AMA") took that position in a letter to the Federal Trade Commission ("FTC"). The FTC disagreed and stated that both laws may apply to health care entities. Compliance with both laws is therefore required, and it is critical that the respective obligations of Covered Entities ("CEs"), Business Associates ("BAs"), governmental agencies, and the public be delineated, practiced, and enforced.

II. HITECH Act

The original HIPAA Privacy Rule generally prohibited CEs, including health plans, providers, and clearinghouses, from using or disclosing individually identifiable protected health information ("PHI") unless the individual authorized it or the use or disclosure was for treatment, payment, or health care operations, subject to the "minimum necessary" standard. The HIPAA Security Rule required CEs that create, receive, maintain, or transmit PHI in electronic form, including electronic health records ("EHRs"), to implement administrative, physical, and technical safeguards to protect that information. The HITECH Act has effectively rewritten HIPAA. Some of the major changes are discussed below:

A. Business Associate ("BA") Liability
BAs are now directly subject to HIPAA and its penalties, including: (1) maintaining privacy, security, and technical safeguards for protected health information ("PHI") and electronic PHI ("ePHI"); (2) appointing a privacy and security officer; (3) maintaining appropriate Business Associate contracts; and (4) taking reasonable steps to cure a known violation by the other party or, failing that, terminating the relationship.

B. Expanded Privacy Rights for Individuals
The HITECH Act expanded the privacy rights of individuals with respect to their own PHI, including: (1) the right to restrict disclosures to a health plan of PHI relating to items or services the individual has paid for in full out of pocket; (2) the right to an accounting of disclosures made through an EHR, including disclosures for treatment, payment, and health care operations; and (3) the right to obtain a copy of one's EHR in electronic form.

C. Sale or Remuneration from PHI
The HITECH Act prohibits CEs and BAs from receiving remuneration for disclosing PHI for marketing purposes that previously qualified as "health care operations," unless certain requirements are met. Otherwise, patient authorization is required, and the accounting of disclosures must be updated. The transfer of records as part of a sale, merger, or transfer of the business is clearly still permitted; however, because of the new restrictions, organizations need to lay out and track any such transfer so that they can show that the remuneration received was for the sale or transfer of the business itself and not for the PHI. Otherwise, a CE or BA must obtain the patient's authorization for the sale of the information, an awkward process to add unnecessarily to a major transaction.

D. DHHS Breach Notification Rule
Under the HITECH Act, CEs must notify affected individuals of a breach of unsecured PHI, and BAs must notify the CE of any breach they discover. PHI is "unsecured" unless it has been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with guidance issued by DHHS; encryption that meets that guidance is a safe harbor, so the loss of an encrypted laptop is not a reportable breach, whereas the loss of an unencrypted one is. Affected individuals must be notified without unreasonable delay, and in no case later than sixty (60) days after the breach is discovered. Breaches affecting fewer than five hundred (500) individuals must be logged, and the log submitted to DHHS annually. If a breach involves 500 or more individuals, DHHS must be notified at the same time as the individuals, and if it involves 500 or more residents of a state or jurisdiction, notice must also be provided to prominent media outlets serving that area. Separately, if the CE lacks current contact information for ten (10) or more affected individuals, it must provide substitute notice, for example by a conspicuous posting on its website or through major print or broadcast media. It is therefore imperative that patient contact data be verified and updated on every visit.

E. Definitions and Requirements
The HITECH Act also revises the definitions and standards that we knew under HIPAA, for example: (1) the civil and criminal penalties for violations; (2) who qualifies as a Business Associate; (3) what "minimum necessary" means; (4) what constitutes payment; and (5) what is considered a health care operation.

III. The Red Flag Rules

Despite the efforts of the medical community, the Red Flag Rules ("RFRs") presently apply to health care providers that qualify as "creditors" holding "covered accounts," just as they apply to other creditors. Because of the AMA's efforts and the lack of clarity about how the two laws interact, the FTC has extended the compliance date three times; it is now June 1, 2010. Patient medical and billing records that contain the patient's name, address, and other personal identifying and financial information (such as credit card numbers, which HIPAA may not cover) are generally "covered accounts."

IV. Best Practices

In order to maintain compliance, CEs (like health care providers) will need to:
  1. change policies and signs in offices to require patient identification;
  2. create policies to establish a privacy official, Board or Managerial Oversight, and an internal complaint process;
  3. train staff on identity theft and security;
  4. audit the workplace for areas where identity theft could occur;
  5. add language to contracts, including BA Agreements, to include or incorporate RFR requirements;
  6. set out timeframes for reporting breaches and identify types of information that may constitute HIPAA and/or RFR sensitive information;
  7. review contracts to identify who else could cause a breach and who may be a Personal Health Record ("PHR") vendor;
  8. set out an Identity Theft Program, which should contain policies and procedures to identify, detect, address, and respond to relevant red flags;
  9. establish approval and maintain oversight by the entity's board of directors (or an appropriate committee of the board), and update periodically;
  10. review BA and vendor contracts for both HIPAA and RFR compliance; and
  11. rewrite and disseminate policies and practices for both employees and patients.
CEs also should:
  1. be aware that documenting incidents without giving patients access to a complaint process may create greater problems in the long run;
  2. post notices at every patient office location regarding identification requirements;
  3. notify patients that they may be required to provide additional documentation of their address if their official identification does not reflect their current address;
  4. keep RFR policies separate from HIPAA policies, so that if additional legislation is passed the HIPAA and RFR policies can be updated independently;
  5. monitor compliance and their BAs, and revisit each contract with a clear idea of what type of information each party will have and what due diligence is required; and
  6. establish and maintain a hierarchy of responsibility, because liability will attach to those in charge, one way or the other.
If you have questions or comments, please feel free to contact us at 610-797-9000 or www.flblaw.com.
