Privacy for Health Information Executives

Lowering the Red Flags

Andrew Serwin — Tue, 03 Nov 2009 18:41:00 GMT

The Red Flags Rule hit two more hurdles recently. On Oct. 29, 2009, the U.S. District Court for the District of Columbia granted summary judgment to the American Bar Association (ABA) to set aside an extended enforcement policy of the controversial Red...(read more)

Privacy and Social Networking

Andrew Serwin — Tue, 13 Oct 2009 14:39:00 GMT

In Beye v. Horizon Blue Cross Blue Shield of New Jersey , a court addressed an issue that will likely recur -- the impact on a person's privacy of their voluntary disclosure of sensitive information on a social networking site. In this case the court...(read more)

Two-party Consent Laws

Andrew Serwin — Tue, 06 Oct 2009 20:59:00 GMT

A group recently secretly videotaped interactions with employees of the poverty-rights organization ACORN, and those tapes have been played widely in the media. The ACORN situation illustrates the issue that two-party consent laws can create, irrespective...(read more)

Credit Card Receipt Laws Present Challenges

Andrew Serwin — Tue, 22 Sep 2009 19:49:00 GMT

A number of laws restrict the dissemination of credit card numbers on receipts. California's law has provisions that became effective this year that differ from other laws. California prohibits any person, firm, partnership, association, corporation or...(read more)

New Class-action Case Offers New Theories

Andrew Serwin — Tue, 08 Sep 2009 15:31:00 GMT

Hannaford Bros. Co., a grocer, faced a number of class-action lawsuits from its customers as a result of a third party stealing electronic payment data from credit cards and debit cards used by its customers to purchase groceries. The alleged data breach...(read more)

New Data-security Laws

Andrew Serwin — Wed, 12 Aug 2009 15:10:00 GMT

Every company and organization must grapple with data security. In the health field, HIPAA has specific data-security requirements, but general data-security restrictions can also be implicated. Over 30 states have data-security or data-destruction laws....(read more)

Red Flags: Keep Holding Your Breath

Andrew Serwin — Fri, 07 Aug 2009 19:17:00 GMT

The Federal Trade Commission recently announced that it has once again extended the compliance deadline for Red Flags, in part based upon efforts by the American Bar Association and the American Medical Association to clarify the definition of "creditor"...(read more)

Genetic Testing, Part 2

Andrew Serwin — Wed, 15 Jul 2009 15:25:00 GMT

This is the second post in a series on genetic testing laws. Click here to access the first blog post. Like California, New York has a number of restrictions on the use of genetic testing, including under its Civil Rights law. Unless it can be clearly...(read more)

FTC Brings Case in Conjunction with Office of Civil Rights

Andrew Serwin — Thu, 18 Jun 2009 16:44:00 GMT

The FTC has clearly indicated its focus on preventing medical identity theft and a case involving CVS shows that focus. Brought earlier this year, CVS was alleged to have failed to implement reasonable and appropriate security to protect the information...(read more)

Restrictions on Genetic Testing in California

Andrew Serwin — Tue, 19 May 2009 22:37:00 GMT

A number of states have enacted restrictions on genetic testing that go beyond the federal genetic privacy law, GINA. California has restricted the disclosure of test results for genetic characteristics in a limited way, as the law only applies to requests...(read more)

The Issue of Standing in Privacy Litigation

Andrew Serwin — Wed, 08 Apr 2009 16:14:00 GMT

Standing is an issue that is frequently raised in privacy litigation. Standing is a constitutional issue under Article III of the United States Constitution, and the party invoking federal jurisdiction bears the burden of establishing the following three...(read more)

E-mail Case Ruling Allows Punitive Damages and Attorneys’ Fees

Andrew Serwin — Wed, 25 Mar 2009 01:42:00 GMT

Most privacy litigation faces serious challenge due to the lack of actual damages. (A full discussion of that issue can be found in Section 26:18 of my book.) However, claims that involve statutory penalties, such as the Electronic Communications Privacy...(read more)

HIT Funding Under ARRA

Andrew Serwin — Mon, 02 Mar 2009 15:01:00 GMT

On Feb. 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA). I will be focusing on the health care aspects of ARRA in my next several blogs.

ARRA provides additional support for the development and adoption of health care information technology (HIT). The largest allocation of HIT funding -- approximately $17 billion -- is for incentive payments through the Medicare and Medicaid reimbursement systems to encourage providers and hospitals to implement electronic health record (EHR) systems -- specifically for the "meaningful use of certified EHR technology" by eligible professionals and hospitals.

An eligible professional (professionals eligible for the incentive payments are those who participate in Medicare and who are defined under Sec. 1861[r] of the Social Security Act) will receive incentive payments for the first five years (2011 through 2015) for demonstrating a meaningful use of EHR technology and demonstrated performance during the reporting period for each payment year.

In order to maximize payments under ARRA, eligible professionals must adopt a meaningful use of EHR technology in 2011 or 2012, thereby qualifying for five annual payments ending in 2015 or 2016, respectively (an aggregate maximum payment of $44,000). If an eligible professional does not demonstrate a meaningful use of EHR technology by 2015, he or she will not receive incentive payments and his or her reimbursement payments under Medicare will be reduced as specified in the legislation. Thus, there is strong incentive to move quickly on these matters.

Health Care Providers not Exempt from 'Creditor' Rules

Andrew Serwin — Tue, 03 Feb 2009 18:22:00 GMT

Under the Red Flag rules, a "creditor" is "any person or business who arranges for the extension, renewal or continuation of credit" with a "covered account." An "account" means a continuing relationship with a creditor to obtain a product or service and includes deferred payments for services or property. A "covered account" is: (1) an account primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; and (2) any other account (including an account for business purposes) for which there is a reasonably foreseeable risk to customers, or the safety and soundness of the creditor, from identity theft, including financial, operational, compliance, reputation or litigation risks.

Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts:

The methods it provides to open its accounts;
The methods it provides to access its accounts; and
Its previous experiences with identity theft.

There are a number of other requirements and health care providers are not exempt from these requirements, so an examination of whether the regulations are applicable is important and timely given the pending deadline.

Implementing Interoperability

Andrew Serwin — Wed, 17 Dec 2008 16:26:00 GMT

Health care record interoperability is one of the least recognized health and privacy issues at this time. While this issue had not received significant support before Hurricane Katrina, that disaster made government realize the value of easily accessible medical records for patients in crisis and that patient care will improve if health care professionals are given more access to portions of medical records. Another reason frequently cited in support of interoperability is the cost savings that states and insurers will receive from increased efficiencies. Ironically, the current focus on interoperability will likely bring HIPAA's goals to completion.

In theory, interoperability should be simple, but it will likely be somewhat difficult to implement. Interoperability would permit health care providers to review and place a patient's medical information into an electronic chart for the patient. This is a concept that will rely upon -- but be much broader than electronic health records (known as EHRs) -- because all providers will need to communicate and keep one accurate record for the patient and the required technology presumably will be based upon an EHR system. Patients will have to be permitted to restrict certain portions of their medical records, but there will be scenarios (emergent health issues) where physicians and other health care professionals will be permitted to access information without patient consent, which could be impossible to obtain.

California has recognized the importance of interoperability and has a goal to achieve 100 percent compliance between payers and providers in less than 10 years. The state has allocated money to assist the implementation of interoperability, with the goal being to have the Secretaries of the Health and Human Services Agency and the Business, Transportation and Housing Agency, the Director of the Department of Managed Care and the State Chief Information Officer work with public and private sector stakeholders to develop a sustainable business model for an e-health network connecting rural health clinics to medical centers throughout the state using telemedicine and other technology.

An eHealth Action Forum was created to develop a comprehensive state policy agenda for health information technology by:

defining the goals and values of health information technology for the purposes of state policy and planning; creating an inventory of the various initiatives underway in the state related to health information technology and assess opportunities for building on those efforts, and replicate those projects that prove the feasibility and business case for health information technology and health information exchange;

identifying the appropriate role of state government in the development of health information technology and health information exchange versus those activities more appropriately coordinated through other entities;

facilitating statewide adoption of standards and interoperability requirements for e-health to enable the secure exchange of health information across the state and nation;

identifying areas where state laws and regulations hinder, rather than facilitate, adoption of health information technology, and recommend strategies to remove such barriers;

identifying and developing strategies for the continued protection of confidentiality and privacy of health information in an electronic environment;

identifying opportunities and strategies for a public/private partnership approach to create financially viable and sustainable business models for health information technology projects in the state;

developing options for advancing the implementation of health information technology through the state's role as a major purchaser, provider and regulator of health care services; and

developing with stakeholders performance metrics to measure the success of the implementation of health information technology throughout California.

In large part, these goals are being achieved through the Privacy and Security Advisory Board (PSAB) of the California Office of HIPAA Implementation. While there is a clear mandate from the state to facilitate and encourage interoperability, the implementation steps of this concept are not clear-cut. There are many models that might work; one option that seems to accomplish many of the goals is based upon the consumer reporting model. A select group of entities could manage your health records in one location, giving providers and others the right to input data, as well as view data, depending on the circumstances. One of the advantages of such a system is that it reduces the chances of having multiple, different records in different providers' hands, all with potentially inconsistent data. It also would seem to reduce the time needed to obtain data in truly emergent situations. While there is agreement on the end goal of interoperability, no model has yet been agreed upon, so there is much work for groups like California's PSAB to do in the years to come.