[ Friday, May 28, 2010 ]
Shocked, shocked: The FTC has again delayed the Red Flags Rule enforcement date. What was scheduled to be effective Tuesday is now re-delayed through the end of the year.
As noted below, this comes on the heels of the AMA taking the litigation tactic that the ABA used so well for the attorney's organization. While there are different arguments as to why lawyers or doctors should or should not be subject to the Red Flags Rule, and litigation might not be the right first response for the AMA (it pretty much should be expected for the ABA), it is the failure of the FTC to reasonably address the AMA's concerns (and the concerns of Congress for small businesses) that has brought us all to this point.
Hat tip: Alan Goldberg.
Jeff [12:21 PM]
[ Tuesday, May 25, 2010 ]
OCR Seeks Outside Help for its Audit Responsibilities: HITECH requires OCR to periodically audit covered entities for HIPAA compliance. Apparently, OCR has hired a consultant to help it plan its audit activities. Don't know who it is, though.
UPDATE: according to Dom Nicastro, the outside contractor is Booz Allen Hamilton, the consulting firm.
Jeff [8:55 AM]
[ Monday, May 24, 2010 ]
Fundraising: HIPAA does allow hospitals to use patient demographic data for fundraising.
Jeff [11:02 AM]
Did someone say Red Flags? Just as I was noticing the impending deadline, the AMA, AOA and Medical Society of DC have filed suit against the FTC to prevent the imposition of the Red Flags Rule against physician practices. They follow, albeit somewhat more slowly, the litigation strategy of the ABA, which has already sued and won to prevent the application of the Red Flags Rule against lawyers (the ABA case has been appealed by the FTC, so that could still change, but for the time being, lawyers aren't "creditors").
The entire issue is whether doctors should be considered "creditors" under the Red Flags Rule, since they don't always take full payment up front from patients. Obviously, they aren't like car dealers or cell phone companies, where there's an explicit lending of credit to the customer to buy the goods or services, a monthly payment plan, etc. The only reason physicians don't bill in full at the time services are delivered is that the physicians don't know at that point how much is owed or what portion of the total bill is owed by the patient, as opposed to the insurance carrier. It's really more like the difference between a restaurant that makes you pay up front before you get your food (McDonalds) and a restaurant where you eat first then get your bill (Chili's).
However, there is clearly a risk of identity theft in connection with the provision of physician services -- medical identity theft is a growing problem. Is there a link between the fact that physicians don't bill in full and the ID theft risk? I don't think so.
That said, though, I'd say it's good HIPAA hygiene for a physician practice to have an ID Theft Prevention Policy in place (which is pretty much fulfillment of the Red Flags Rule requirements) anyway. It's not that hard to do, the analysis can be done when you do your risk analysis, and the plan is easy to draft. Maybe physicians shouldn't be required to comply, but they ought to at least consider doing so anyway.
Jeff [10:46 AM]
[ Tuesday, May 18, 2010 ]
What's that ticking sound? Oh yeah. June 1 is two weeks from today. Just as you're rolling back in from your Memorial Day weekend, you'll have Red Flags waiting for you.
Unless they're delayed again, of course.
Jeff [11:04 AM]
[ Monday, May 17, 2010 ]
Good Advice: encrypt the PHI on your laptops.
Jeff [10:26 AM]
[ Friday, May 14, 2010 ]
EMR penetration: Chris at Software Advice blogs about who the big dogs are in the EMR game. If you use an EMR, let Chris know who you use. He's trying to compile comparative information.
Jeff [12:07 PM]
[ Wednesday, May 12, 2010 ]
Miami Record Theft Case: Wow. The Federal judge hearing the plea bargain of a couple accused of stealing medical records and selling them to plaintiff's lawyers, who then contacted the individuals about becoming clients and collected big contingency fees, has declined initially to accept their plea bargains, because the jail time isn't long enough. The 62-year-old husband got 12 years, and his 52-year-old wife got 5 years. The judge needs to hear more information on the husband's case to decide whether to accept his plea; but she simply rejected the plea from the wife, saying she must now go to trial in the case.
So, just so you know, 12 years in jail for a 62-year-old man isn't enough if it's a HIPAA violation. Something to keep in mind. . . .
Jeff [12:25 PM]
[ Tuesday, May 04, 2010 ]
Bowling Green, Kentucky: A computer hard drive was stolen from the mammography unit. Again, if it were encrypted, there'd be no notification requirement.
Jeff [9:14 AM]
[ Monday, May 03, 2010 ]
Guest Blogger: Recently, I received an offer from Kitty Holman, who writes on the topics of Nursing Schools, to write a post for the HIPAA Blog. Below is her article, addressed specifically to nurses who are presented with HIPAA quandaries. She welcomes your comments at her email, kitty.holman20@gmail.com.
Interpreting and Following HIPAA for Nurses
As a nurse, you will have constant access to your patients’ files and records, often even more so than doctors do, meaning it is absolutely necessary to be vigilant about potential HIPAA violations.
Some of the HIPAA breaches involving nurses have been committed through obvious carelessness, and these are the cases that are most easily avoidable. For example, who can forget the February 2009 case in which two Wisconsin nurses were fired after snapping photographs of a patient’s X-rays and allegedly posting them on Facebook? Even though the reasons behind the nurses’ picture-taking were innocuous (they were supposedly highly amused by the patient having an object lodged in his rectum), the nurses were clearly crossing the line.
There are other HIPAA breaches that are a little more difficult to pin down. Take the case very recently reported by AIS Health involving the medical records of a minor. A mom was so determined to view her child’s PHI involving substance abuse that she hired a lawyer to obtain a court order. The lawyer claimed that since the child was a college student, he was not yet “emancipated,” meaning that the mother had the right to look at the records. In this case, the lawyer was wrong.
As a nurse, you should be advised that just because concerned parents demand information, doesn’t mean that they have lawful access to it. If the child is a minor, but is being treated for STDs, pregnancy, substance abuse, etc., then in many states, the child must grant authorization to their parents to view their records. Different states have different laws, however, and you should be aware of your state’s specific regulations.
The AIS Health article cited above gives some great basic tips when it comes to dealing with HIPAA and minors. If your state allows minors to control access to certain of their medical records, be aware that your employer may have special rules affecting that access. For example, an employer may have rules for employees who are also parents of patients. Since electronic records do not differentiate between a child’s treatment for the flu or for an STD, some employers require employees to follow the same formal access request requirements that would be applicable for parents who aren't employees. In other words, even though it's your child, follow the same path to access as you would if you weren't an employee.
While the ultimate purpose of HIPAA is to protect patient privacy, sometimes the implementation of HIPAA by nurses can go too far, simply because they are not aware of the rules and they would rather deny PHI access to relatives than go through the trouble of determining whether or not the access constitutes an actual breach. The New York Times wrote an interesting article a few years back specifically about these cases in which medical practitioners used the HIPAA “excuse” to deny access to medical records.
At the end of the day, it’s important to be as educated on the specifics of HIPAA as possible so you won’t unintentionally breach the law, but also so you won’t misuse HIPAA, either. Balance is important, and discretion is imperative. For more information about HIPAA as it pertains to nursing, read this article published in the American Nurses Association’s Online Journal of Issues in Nursing.
Jeff [12:31 PM]