The names of "private practices" reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals have been revealed.
The Office for Civil Rights (OCR), the enforcer of the HIPAA privacy and security rules, lifted the label of anonymity on those entities as it revealed its updated breach notification website last Thursday.
The new website went live Thursday, July 8, the same day the Department of Health and Human Services (HHS), which oversees OCR, released a proposed rule that it says "significantly" modifies the HIPAA privacy, security and enforcement rules.
When the original HITECH-required website went live in February, industry insiders questioned OCR listing some, but not all, entities as "private practice."
"This certainly received some attention on several listservs where participants were scratching their heads asking why these covered entities were not identified beyond being listed as 'private practice,'" says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.
OCR, when questioned by HealthLeaders Media then, said those private practitioners who report these major breaches are considered "individuals" as defined by the Privacy Act of 1974.
Therefore, such an "individual" could keep OCR from posting its name on the breach notification website by withholding written consent. In those cases, OCR listed the entity as "private practice."
However, OCR soon set out to lift that "private practice" tag and post the names of all entities reporting the egregious breaches regardless of whether or not they gave consent.
OCR's April 13 Federal Register notice said it wants to expand the way OCR uses and stores information per HITECH requirements. One of the modifications designates the posting of the names of entities that report breaches affecting 500 or more individuals as a "routine use."
The language in the Privacy Act of 1974 says, "the term 'routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."
Once a disclosure qualifies as a "routine use," the record can be made public without the individual's consent. As soon as the 40-day comment period on the April 13 Federal Register notice ended, OCR had carte blanche to post the names of "private practices."
As of July 6, the OCR website listed 107 entities, including 11 as "private practice." Today, the number is still 107, but none have the "private practice" mask.
Ruelas, the Maryvale director of compliance and risk management in Arizona, sent HealthLeaders Media a report listing the former "private practices" who reported breaches to OCR:
Daniel J. Sigmund, MD PC, Stoughton, MA: Dec. 11, 2009; 1,860 affected individuals; theft; portable electronic device; medical record
David I. Cohen, MD, Torrance, CA: Sept. 27, 2009; 857 affected individuals; theft, unauthorized access; desktop computer
Ernest T Bice Jr., DDS PA, San Antonio, Texas: Feb. 20, 2010; 21,000 affected individuals; theft; portable electronic device, other
According to the original OCR breach notification website, which is still live, the source of the Torrance, CA, breaches was a desktop computer on which information was accessed without authorization. The Torrance entries share the same date but list different practitioners and varying numbers of affected individuals.
"If one goal for those leading the HITECH Act enforcement efforts at the federal level is to be more transparent to the public with respect to information related to reported breaches," Ruelas says, "this new website with its identification of previously masked covered entities is a tangible step in this direction."
The Department of Health and Human Services (HHS) Thursday released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates (BA) and strengthening patient rights to health information privacy.
According to the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, the proposed 'significant' modifications include:
A requirement that BAs of HIPAA-covered entities be under most of the same rules as the covered entities
New limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes
Prohibition of the sale of PHI without an authorization
Expansion of individuals' rights to access their information and to restrict certain types of disclosures of PHI to health plans
Provisions that strengthen and expand HIPAA's enforcement rule
The proposed rule is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law by President Barack Obama on February 17, 2009. The Act was part of the $787 billion American Recovery and Reinvestment Act of 2009, the economic stimulus law, which includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations.
HHS will receive comments for up to 60 days after the proposal's July 14 publication in the Federal Register, after which it will release an interim final rule. HHS says it will give covered entities and BAs 180 days after the final rule is in effect to comply with most of the provisions.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of the HIPAA Boot Camp in Casa Grande, AZ, says some of the major points in the proposed rule include:
Privacy protection would extend only 50 years after a patient's death
Covered entities could charge the cost of the electronic media used to provide an individual's ePHI (a flash drive or CD, for example)
Strong case examples on breaches
BAs' subcontractors must comply
HITECH made BAs liable for compliance with the security rule and the use and disclosure provisions of the privacy rule. Now, HHS proposes extending those compliance requirements to BA subcontractors by including them in the definition of a BA.
A BA contract with subcontractors has to contain all the provisions, current and new, required to be in BA contracts. Also, subcontractors of BAs must implement the same "reasonable and appropriate" safeguards required by HIPAA to ensure they prevent breaches of unsecured PHI.
Furthermore, BAs who hire subcontractors must supply information to HHS regarding their subcontractors' compliance, notes Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.
Subcontractors complying with HIPAA "would greatly expand the number of organizations subject to the privacy and security regulations and penalties," says Kate Borten, CISSP, CISM, president of The Marblehead Group. "From the perspective of consumers, such change would be a significant benefit and would certainly strengthen the actual privacy and security controls over their protected health information."
HHS also announced that BAs can be directly liable for breaches of unsecured PHI and may be subject to fines. Susan McAndrew, deputy director for health information privacy for OCR, had previously confirmed this to HCPro at the 18th Annual National HIPAA Summit in early February.
The proposed rule makes explicit that certain entities providing services to covered entities — e.g., vendors of personal health records — are BAs.
"This was sorely needed with all the emerging 'Health Vault' types of services out there," Herold says.
Herold also points out that the proposed rule's Notice of Privacy Practices (NPP) components "will require all current ones to be updated."
Experts: Changes not huge
Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, called today's HHS press conference announcing the proposed rule "good press for HHS/OCR."
"Proposed rules are generally far from final, and there is no guarantee that they will be finalized soon," Apgar says. "A good example is a rule that was published as draft in January and still has not been passed along to OMB (Office of Management and Budget) and is sorely needed — the meaningful use rule."
Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP, said that a quick glance at the proposed rule doesn't reveal many significant changes from the requirements already in place under HITECH.
"I don't see any blockbuster new rules here," Drummond said.
John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA Security Rule, agrees there were no "real surprises."
"But it was definitely a move in the right direction of clarifying and reiterating this administration's seriousness about enforcing stricter privacy and security standards in a push toward a more patient-centric, health information technology driven environment," Parmigiani says. "I was encouraged by some positive, albeit later than promised or expected, movement on the part of HHS and [Office for National Coordinator]."
HHS missed the February 18 deadline for delivering this proposed rule per HITECH.
By June 18, OCR was to release regulations to modify the HIPAA Privacy Rule's accounting of disclosures provisions. However, OCR published a notice in the May 3 Federal Register requesting information to assist its crafting of a proposed rule on accounting of disclosures from electronic health records, pursuant to HITECH.
HHS, in the proposed rule released Thursday, says the "minimum necessary" principles still apply but will be given greater clarification in upcoming guidance rather than in a formal rule.
The Department of Health and Human Services Thursday released a proposal to modify the HIPAA privacy, security, and enforcement rules. It also calls for greater HIPAA compliance for business associates (BAs) of covered entities and for strengthening the HIPAA enforcement rule.
According to the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, the proposed modifications include:
Provisions that extend the applicability of certain privacy and security rule requirements to BAs
New limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes
Prohibition of the sale of PHI
Expansion of individuals' rights to access their information and to obtain restrictions on certain disclosures of PHI
Provisions that strengthen and expand HIPAA's enforcement rule
The proposed rule is required by the HITECH Act, signed into law by President Barack Obama on February 17, 2009, as part of the $787 billion American Recovery and Reinvestment Act of 2009, the economic stimulus law, which includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations.
HHS was late delivering this proposed rule. Per HITECH, OCR was supposed to deliver the following by February 18:
Guidance on BA contracts
Modifications of the privacy rule provisions regarding right to request restrictions, minimum necessary, patient access to electronically held PHI and marketing and fundraising
Clarifying that certain entities are BAs
Issuing guidance on the privacy rule requirements for de-identification
Report to Congress on HIPAA Privacy and Security Compliance
Study and report to Congress on privacy and security requirements for entities that are not HIPAA covered entities or business associates
Study the HIPAA Privacy Rule's definition of "psychotherapy notes" with regard to including certain test data and mental health evaluations
Also, by June 18, OCR was to deliver regulations to modify the HIPAA Privacy Rule's accounting of disclosures provisions.
On May 3rd, however, OCR published a notice in the Federal Register asking for help crafting a proposed rule on accounting of disclosures on electronic health records (EHRs) per HITECH.
HITECH expands an individual's right to request an accounting of disclosures of his or her health record. In the Federal Register, OCR writes that the comments from providers and patients will "help us better understand the interests of individuals with respect to learning of such disclosures, the administrative burden on covered entities and business associates of accounting for such disclosures, and other information that may inform [our] rulemaking in this area."
The Office of Management and Budget (OMB) has finished its review of proposed rules related to changes to HIPAA privacy and security rules, meaning the rules could hit the streets this week.
The OMB reports that it has concluded its regulatory review of the rules HHS sent in April.
Jana Aagaard, Of Counsel, Catholic Healthcare West in the Sacramento Legal Department and of the Law Office of Jana Aagaard in Carmichael, CA, told HealthLeaders Media that regulations could be released as soon as Wednesday. If that's the case, they would be posted in the Federal Register formally a few days later, Aagaard said.
It is unclear exactly which proposed rules will be released. According to the OMB website, HHS "will issue rules to modify the HIPAA Privacy, Security, and Enforcement Rules as necessary to implement the privacy, security, and certain enforcement provisions of subtitle D of the [HITECH]."
In March, the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules under HHS, said forthcoming regulations would include:
Business associate (BA) liability
New limitations on the sale of personal health information, marketing, and fundraising communications
Stronger individual rights to access electronic medical records and restricting the disclosure of certain information
The industry has been waiting on rules from OCR concerning HITECH provisions effective February 17.
The number of entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals has hit the 100 mark and then some.
As of Friday, July 2, the number of entities reporting the egregious breaches to the government’s HIPAA privacy and security enforcer hit 107. The number of entities—listed on the Office for Civil Rights (OCR) breach notification website—has more than tripled since the enforcer first began posting them in February. The list has grown about 15 per month, or an entity every other day.
The list is required by HITECH, the American Recovery and Reinvestment Act of 2009 privacy subpart that includes greater breach notification requirements and more public scrutiny and increased fines for HIPAA violations.
The reporting requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.
Those regulations require:
Notice to patients alerting them to breaches “without unreasonable delay,” but no later than 60 days after discovery of the breach
Notice to covered entities (CE) by business associates (BA) when BAs discover a breach
Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
Notice to next of kin about breaches involving patients who are deceased
Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE’s response
Annual notice to the secretary of HHS, no later than 60 days after the end of the calendar year, of unsecured PHI breaches involving fewer than 500 patient records
Of the 107 breaches of unsecured PHI, 20 involve business associates (BAs), or nearly one out of every five. HITECH requires BAs to comply with the HIPAA Security Rule and the use and disclosures provision of the privacy rule.
For each entity, OCR lists the location of the breached information, and laptops took the top spot with an appearance in 34 of the 107 breaches (32%). “Paper records” is listed in 22 breaches, and “portable device” in 11 breaches.
Eleven of the entities on the website are listed as “private practice.” OCR has told HealthLeaders Media it will begin posting the names of entities it considers “individuals” regardless of whether or not those entities give consent. The Privacy Act of 1974 gives such “individuals” the right to withhold consent, but OCR has requested that this protection not be applied here.
The breach affecting the most individuals is AvMed, Inc. of Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22 million individuals.
Filling out the top five breaches with the largest number of affected individuals are:
AvMed, Inc.
State: Florida
Approximate number of individuals affected: 1,220,000
Date of breach: Dec. 10, 2009
Type of breach: Theft
Location of breached information: Laptop
Blue Cross Blue Shield of Tennessee
State: Tennessee
Approximate number of individuals affected: 998,442
Date of breach: Oct. 2, 2009
Type of breach: Theft
Location of breached information: Hard drives
WellPoint, Inc.
State: Indiana
Approximate number of individuals affected: 480,000
Date of breach: (OCR says Nov. 3, 2010)
Type of breach: Hacking/IT incident
Location of breached information: Network server
Affinity Health Plan, Inc.
State: New York
Approximate number of individuals affected: 344,579
Date of breach: Nov. 24, 2009
Type of breach: Other
Location of breached information: Other
Emergency Healthcare Physicians, Ltd.
State: Illinois
Business associate involved: Millennium Medical Management Resources, Inc.
Approximate number of individuals affected: 180,111
Date of breach: Feb. 27, 2010
Type of breach: Theft
Location of breached information: Portable electronic device, other
A healthcare lawyer brought forth the latest prediction on when HIPAA-related HITECH regulations will hit the streets—no later than July 8.
Gerald DeLoss, of counsel with Krieg DeVault LLP and a member of the firm's Health Care Practice Group, wrote in an American Health Lawyers Association listserv e-mail this week that an OCR official at a conference made that estimate on the release of the proposed rules.
He wrote that David Mayer, senior advisor for HIPAA Compliance and Enforcement at OCR, who presented at a conference this month, said the industry should expect the proposed rules on HIPAA regulations by July 8.
"As a bonus," DeLoss writes in the e-mail, "[Mayer] also stated that the regs will not require an amendment to existing [Business Associate] Agreements (to incorporate the new requirements) but that there may be very good business reasons for a new or revised BA Agreement."
OCR, in an e-mail to HealthLeaders Media today, did not verify that July 8 prediction.
"Mr. Mayer's comments may have been taken out of context," OCR wrote in the e-mail. "The department cannot predict [Office of Management and Budget's] timeframe for publication. Further, the Office for Civil Rights at HHS cannot comment on the content of the [proposed rule] before it is published."
On April 12, OCR sent proposed regulations amending the HIPAA Privacy Rule in accordance with HITECH Act requirements to the Office of Information and Regulatory Affairs (OIRA), which is under the Office of Management and Budget (OMB), for review.
Earlier this month, a consultant who attended the North Carolina Healthcare Information and Communications Alliance (NCHICA) annual conference said OCR will release proposed rules around June 26.
After its sixth annual Academic Medical Center Conference in Chapel Hill, NC, Phyllis A. Patrick, MBA, FACHE, CHC, co-founder & managing director of AP Health Care Compliance Group, sent an e-mail obtained by HIPAA Weekly Advisor that reported the HITECH regulations would be released in "about two weeks or around June 26th."
OCR will release proposed rules later this month on most of the HIPAA privacy and security-related provisions in HITECH, according to a consultant who attended the North Carolina Healthcare Information and Communications Alliance (NCHICA) annual conference this month.
After its sixth annual Academic Medical Center Conference in Chapel Hill, NC, Phyllis A. Patrick, MBA, FACHE, CHC, co-founder & managing director of AP Health Care Compliance Group, sent an e-mail obtained by HealthLeaders Media that reported the HITECH regulations would be released in "about two weeks or around June 26th."
The information reportedly came from the session, "Meaningful Privacy and Security." In the e-mail, Patrick says the proposed rules will not include accounting for disclosures, which will be the subject of a separate proposed rule.
The NPRM will also include clarification regarding “willful neglect” (the penalty tiers). Willful neglect is the most serious violation category under the HITECH penalty tiers in the enforcement interim final rule, carrying penalties of up to $1.5 million per calendar year for identical violations.
Patrick also reports state attorneys general (SAG) are "developing training programs, including information for SAG staff, covered entities and business associates regarding HIPAA requirements and processes for filings with HHS, based on lessons learned from the first AG filing in Connecticut." Under HITECH, state AGs can pursue lawsuits for HIPAA violations, and Connecticut's AG was the first to do so.
OCR is expected to begin its HITECH-required compliance audits next year, Patrick reports. OCR's audits will be outsourced because its resources are limited, according to the e-mail.
“Much remains to be decided,” Susan McAndrew, JD, deputy director for health information privacy at OCR, said in the “Quiz the Regulator” session on June 7.
The Office for Civil Rights' (OCR) list of entities reporting major patient information breaches began at 32 about four months ago.
It is now near 100.
The number of entities reporting breaches of unsecured PHI affecting 500 or more individuals has nearly tripled since the agency that enforces the HIPAA privacy and security rules first posted them on its website in February.
OCR posted a list of 32 entities that, since September 22, 2009, had reported the egregious breaches to OCR. On Friday, that number climbed to 93.
"I'm interested to see how long before we see over 100 entities listed," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ. "The way things are looking, I expect the list to hit 100 by the end of June."
Ruelas says he's received many questions over the last couple of weeks about who bears the cost of notifications.
"My response is that before investing time (and money) in going down this very busy and curvy road, look at options to encrypt," he says. "It seems more and more that this is the best and probably easiest way to avoid breach notification-induced chest pain."
HITECH requires OCR to make public any breaches of 500 or more. OCR said on the site it will continue to update the page as it receives new reports of breaches of unsecured PHI.
The requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.
Those regulations require:
Notice to patients alerting them to breaches "without unreasonable delay," but no later than 60 days after discovery of the breach
Notice to covered entities (CE) by business associates (BA) when BAs discover a breach
Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
Notice to next of kin about breaches involving patients who are deceased
Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response
Annual notice to the secretary of HHS, no later than 60 days after the end of the calendar year, of unsecured PHI breaches involving fewer than 500 patient records
Of the 93 breaches of unsecured PHI, 17 involve business associates (BAs), or nearly one out of every five.
Ten of the entities on the website are listed as "private practice." OCR has told HealthLeaders Media it will begin posting the names of entities they consider "individuals" regardless of whether or not those entities give consent.
Currently, OCR does not post the names of such entities (namely sole practitioners) if they do not give OCR consent; OCR treats them as protected "individuals" per the Privacy Act of 1974. Instead, OCR lists them as "private practice."
However, those entities will be unmasked because listing them falls under the "routine use" provision of the privacy act, which allows OCR to post their names without getting consent.
The breach affecting the most individuals is now AvMed, Inc. of Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22 million individuals.
Filling out the top five breaches with the largest number of affected individuals are:
AvMed, Inc.
State: Florida
Approximate number of individuals affected: 1,220,000
Date of breach: Dec. 10, 2009
Type of breach: Theft
Location of breached information: Laptop
Blue Cross Blue Shield of Tennessee
State: Tennessee
Approximate number of individuals affected: 998,442
Date of breach: Oct. 2, 2009
Type of breach: Theft
Location of breached information: Hard drives
Affinity Health Plan, Inc.
State: New York
Approximate number of individuals affected: 344,579
Date of breach: Nov. 24, 2009
Type of breach: Other
Location of breached information: Other
Emergency Healthcare Physicians, Ltd.
State: Illinois
Business associate involved: Millennium Medical Management Resources, Inc.
Approximate number of individuals affected: 180,111
Date of breach: Feb. 27, 2010
Type of breach: Theft
Location of breached information: Portable electronic device, other
Providence Hospital
State: Michigan
Approximate number of individuals affected: 83,945
Date of breach: Feb. 4, 2010
Type of breach: Other
Location of breached information: Hard drive
HIPAA compliance experts call the recommendation to mandate encryption on exchanges of electronic protected health information (ePHI) "overdue," "inevitable," and a necessary step toward ensuring a successful transition to electronic health records (EHR).
A privacy/security workgroup for the Office of the National Coordinator for Health Information Technology (ONC) reported last month that encryption should be mandatory for one-on-one exchanges between providers regarding treatments.
The workgroup, reporting to the HIT Policy Committee at its May 19 meeting, suggested that those exchanges should include:
Encryption (no ability for facilitator to access content)
Encryption ideally should be required when potential for transmitted data to be exposed (mandate through meaningful use/certification criteria or HIPAA Security Rule modification)
Limits on identifiable (or potentially identifiable) information in the message
Identification and authentication
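The bullets above describe an exchange in which the facilitator relaying a message between two providers cannot read its content, and both ends are identified and authenticated. The Go program below is an added example of that shape; it is not code from the page, the workgroup, or any HIE product, and it makes no claim about meeting the encryption standards the breach-notification safe harbor refers to. It assumes a hypothetical provider directory of published X25519 public keys (the page specifies no such directory), derives a pairwise AES-256-GCM key from the X25519 shared secret and the two party names, and uses constructed sample PHI. It needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is all a facilitator (an HIE relay, say) ever sees: names, nonce, ciphertext.
type Envelope struct {
	From, To   string
	Nonce      []byte
	Ciphertext []byte
}

// Directory maps provider names to published X25519 public keys (an assumed trusted
// directory; the page specifies none). Senders are authenticated against it only.
type Directory map[string]*ecdh.PublicKey

type Provider struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewProvider(name string) (*Provider, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{Name: name, priv: priv}, nil
}

func (p *Provider) PublicKey() *ecdh.PublicKey { return p.priv.PublicKey() }

// aead derives the pairwise AES-256-GCM key: SHA-256 over a label, the sender and
// recipient names and the X25519 shared secret, so an A->B key differs from B->A.
func aead(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, from, to string) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("phi-exchange-v1\x00" + from + "\x00" + to + "\x00"))
	h.Write(shared)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts phi for a directory-listed recipient. The routing names are also
// bound as associated data, so a relay cannot re-address the envelope.
func (p *Provider) Seal(dir Directory, to string, phi []byte) (*Envelope, error) {
	peer, ok := dir[to]
	if !ok {
		return nil, fmt.Errorf("recipient %q not in directory", to)
	}
	gcm, err := aead(p.priv, peer, p.Name, to)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{From: p.Name, To: to, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, phi, []byte(p.Name+"\x00"+to))}, nil
}

// Open decrypts an envelope. Tampered ciphertext, a re-addressed envelope, the wrong
// recipient key, or a claimed sender whose directory key did not seal it all fail.
func (p *Provider) Open(dir Directory, env *Envelope) ([]byte, error) {
	peer, ok := dir[env.From]
	if !ok {
		return nil, fmt.Errorf("sender %q not in directory", env.From)
	}
	gcm, err := aead(p.priv, peer, env.From, env.To)
	if err != nil {
		return nil, err
	}
	phi, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+"\x00"+env.To))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	return phi, nil
}

func main() {
	a, _ := NewProvider("provider-a")
	b, _ := NewProvider("provider-b")
	dir := Directory{a.Name: a.PublicKey(), b.Name: b.PublicKey()}
	env, _ := a.Seal(dir, b.Name, []byte("constructed sample PHI, not real data"))
	got, err := b.Open(dir, env)
	fmt.Printf("relay saw %d opaque bytes; recipient read %q (err=%v)\n", len(env.Ciphertext), got, err)
}
```

The relay handling the Envelope gets routing names, a nonce and ciphertext and nothing else, which is the "no ability for facilitator to access content" property. Identification and authentication come from the directory: the recipient derives the key from the sender's published key, so a relay that alters a byte, re-addresses the message or claims a different sender gets an authentication error rather than plaintext. Whether a given deployment qualifies for the breach-notification safe harbor is a question of the standards HHS references, not of this sketch.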
"I'd say it's long overdue," says Kate Borten, CISSP, CISM, president of The Marblehead Group. "Recall that the proposed security rule in 1998--that's 12 years ago--required that PHI be encrypted over the Internet. While there may have been a legitimate argument then that solutions weren't readily available and cost effective, there are solutions today."
John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and former chairperson of the team that created the HIPAA Security Rule, says the recommendation was inevitable.
"It is merely recognition of what has become an industry best practice," Parmigiani says.
Encryption is not mandatory.
It is "addressable" under the HIPAA Security Rule. And the Department of Health and Human Services' interim final rule on breach notification creates a "safe harbor" for protected health information (PHI) encrypted to certain standards: such PHI is not considered "unsecured," so covered entities and business associates (BAs) do not need to notify individuals of breaches involving it.
If the workgroup's recommendation comes to fruition, it would "uncomplicate the situation that many healthcare organizations have been confronted with when trying to decide on encryption," Parmigiani says.
Back when the security rule was proposed in 1998, then finalized in 2003, encryption technology was immature, Parmigiani says.
Now, however, there have been "inroads in the understanding of encryption," he says, and widespread use of software and hardware encryption.
"Therefore, I believe that the formal recommendation is both timely and an essential component of successful HIT and is critical to the attainment of consumer confidence in a fully robust EHR and smoothly functioning HIE environment," Parmigiani says.
The privacy/security workgroup provides input to the HIT Policy Committee as it sets the ground rules for the "meaningful use" criteria for EHRs.
Currently, the ONC interim final rule, "Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology," requires that EHR systems be capable of encryption.
Final rules on the ONC interim final rule and CMS proposed rules are expected this spring. However, the interim final rule is in effect.
Enforcement of the FTC's Red Flags Rule was scheduled for June 1, 2010. It has now been pushed to December 31, 2010.
The FTC says on its Web site the delay comes at the request of Congress as it "considers legislation that would affect the scope of entities covered by the rule."
Healthcare entities defined as "creditors" by the FTC must still comply with the rule by implementing a program to prevent and detect cases of identity theft. Compliance date was November 1, 2008.
"Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule–and to fix this problem quickly," FTC Chairman Jon Leibowitz said on the FTC Web site. "We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift. As an agency we're charged with enforcing the law, and endless extensions delay enforcement."
On Tuesday, May 25, the Senate introduced a bill closely resembling the one the House passed 400-0 in October, which essentially exempts providers with fewer than 20 employees from complying with the FTC's Red Flags Rule.
The FTC says it will make enforcement effective earlier than December 31, 2010, provided Congress passes legislation before that date.
Medical and osteopathic associations Friday, May 21, sued the FTC for covering them under the Red Flags Rule, which requires them to start verifying their patients' true identities before they agree to treat them.
The lawsuit seeks to prevent the FTC from defining physicians as "creditors" whenever they do not require payment in full at the time they provide care and bill patients later, according to the brief filed by the American Medical Association, the American Osteopathic Association and the Medical Society of the District of Columbia in the U.S. District Court for the District of Columbia, where the case was filed.
"We do already have a number of rules and regulations to follow to protect patient privacy and information security, and these have recently been strengthened with ARRA and HITECH," says Chris Simons, RHIA, director of UM & HIMS and the privacy officer at Spring Harbor Hospital in Westbrook, Maine. "Requiring healthcare providers to follow the Red Flags Rule is just another regulatory hoop for us to jump through."
However, she says, "I don't think this adds significantly to what we already do."
Bonnie McLaughlin, a development analyst for Medical Information Technology, Inc. in Westwood, MA, says she is "horrified" by the attempt to exempt physician practices from the Red Flags Rule.
"It is just as possible that someone can use my identity/insurance/financial information when presenting at a physician's office as it would be in a larger healthcare setting," McLaughlin says.
McLaughlin says devising a Red Flags Rule policy "can be relatively simple."
"If these providers would simply read through the ruling and understand exactly what is involved in meeting this requirement, they would have already been able to meet the criteria in the amount of time they have taken resisting being held accountable," she says.