Oh Where, Oh Where Will the Red Flag End Up (or Down)?

I had an inkling this was going to happen – and, as suspected, the FTC has (yet again) delayed the enforcement deadline for the health care industry, with the latest deadline pushed all the way to June 1, 2010. Without a doubt, developments over the last several weeks have helped spur this latest delay.

For instance, on August 27, 2009 the American Bar Association (ABA) filed a lawsuit against the FTC to bar the FTC’s enforcement of the Red Flags Rule against lawyers on November 1, 2009. That challenge proved successful when Judge Walton of the U.S. District Court for the District of Columbia granted summary judgment to the 400,000-member ABA on October 29, 2009.

On October 8, 2009, Rep. John Adler (D-New Jersey) introduced H.R. 3763 specifically to exclude health care providers, accountants, and legal practices with 20 or fewer employees from having to comply with the Red Flags Rule. On October 20, 2009, that legislation passed the House and has been referred to the Senate, where it is under consideration.

What does all the foregoing mean for the health care industry? For one, doctors, hospitals, and other health care providers that qualify as “creditors” under the Red Flags Rule have more time to develop and adopt their Identity Theft Prevention Program. Second, health care providers with 20 or fewer employees, such as smaller physician practices, will want to keep an eye on H.R. 3763 to see whether its enactment will exempt them from having to comply with the Red Flags Rule altogether. Finally, watch for other industry groups that may now, in light of the ABA’s successful action, consider filing similar actions to set aside the FTC’s regulation of their members; however, it is not clear whether such actions would be as successful as the ABA’s, given that medical identity theft is a documented and real issue in the health care industry.

Covered Entity Liability for Business Associate Ignorance of Breach under HITECH -- Really?

For covered entities (CEs) who have tight privacy and security measures in place, the breach notification requirements under HITECH (amending HIPAA) might not seem especially onerous.  But what about breaches the CE doesn't know about?  What if the CE's business associate (BA) fails to report a breach of unsecured health information?  What if the BA doesn't even know about the breach? 
 
The Interim Final Rule published by the Office of Civil Rights (OCR), Department of Health and Human Services (HHS) on August 24, 2009 confirms what others doubted when I raised the paranoid-sounding possibility:  "yes, a CE must meet the breach notification requirements and timeline, even when the CE is not responsible for, and does not even know about, a breach." The Interim Final Rule explains that the Secretary of HHS will "attribute knowledge of a breach by a workforce member or other agent (other than the person committing the breach), which may include certain business associates, to the covered entity itself." 
 
The date a breach is discovered is extremely important (triggering the 60-day notice requirement).  The fact that a CE has no actual knowledge of a BA's breach, and might not even know whether the BA is exercising diligence in detecting possible breaches, will not protect the CE from liability for failing to find out about and provide required notice of the breach.  The clock starts running when the BA knew, or should have known, about the breach.  According to OCR, "covered entities should ensure their workforce members and other agents [such as BAs, depending on whether they count as "agents" under federal common laws of agency] are adequately trained and aware of the importance of timely reporting of privacy and security incidents and the consequences of failing to do so." 
 

Governance Considerations from HIT for the Board and Other Hospital Stakeholders - The Need for an IT Champion to Serve as a Link between IT Personnel and Other Stakeholders - Installment 7

This is the seventh installment in a series of blog posts that relate to the governance concerns surrounding developments in HIPAA, HITECH and HIT.

For a number of months this series has been emphasizing the importance of establishing a credible and knowledgeable liaison at the governing body and/or senior administrative level to articulate and educate the diverse stakeholders about the new challenges and initiatives in HIPAA and HIT. The liaison should be a champion and advocate for a rational and comprehensive approach for HIT.

The increasing complexity and cost of new IT systems, and the need to demonstrate their “meaningful use,” have greatly raised the stakes in this area for hospitals. Errors or false starts in HIT, and the financial consequences of HIPAA violations under HITECH, can be materially injurious to the organization’s finances, public image, internal stability and quality of patient care. They can also cause the loss of potential subsidies under HITECH.

Often the IT leader at a hospital does not have sufficient standing or the skill set to serve as the champion; that was not the principal reason he or she was hired. In such a case the governing board should recruit either a knowledgeable board member or a senior staff person to serve this function.

An October 20, 2009 article by Molly Merrill, Associate Editor of Healthcare IT News, adds further confirmation of the need for a qualified IT champion.

Ms. Merrill wrote that a new survey, conducted by Ponemon Institute and sponsored by San Jose, California-based LogLogic, shows that IT practitioners believe their organizations are lacking when it comes to protecting patient information. Moreover, Ms. Merrill continues, “[a]ccording to the study, 61 percent of [IT] practitioners believe their organizations don't have enough resources to meet privacy and data security requirements – and 70 percent think senior management doesn't consider it a priority.”

Ms. Merrill quotes the survey as concluding the following:

Without resources and support from senior management, preventing the loss of data may be very difficult. We recommend that organizations pursue a strategy of assigning accountability for the protection of electronic health information, appropriate technology to prevent the insider threat (such as DLP [data loss protection] solutions) and senior management buy-in for the necessary resources to get the job done right. [Emphasis supplied]

This survey underscores the frustrations and challenges facing the majority of IT leaders at hospitals. They may lack the standing within the organization to make a meaningful impact on senior management and the governing board. Even if they hold a high-level position within the organization and are highly proficient in their jobs, they may not be effective champions able to interpret their complex world to senior management and the governing board. It is incumbent on these organizations to identify a champion who possesses the skills to absorb and interpret the complex IT world for stakeholders who have limited knowledge of the subject.

[To be continued in Installment 8]