Medical associations sue FTC over Red Flags Rule

Just days before the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of the RFR's identity theft prevention requirements to their member organizations. The FTC is to begin enforcement of the Rule on June 1, 2010. Among other claims, the medical associations are asking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA. According to Health Data Management:

'The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity,' said AMA spokesman Robert Mills. 'That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor.'

The physician groups say that the rule requires them to set up identity theft prevention and detection programs, which aren't necessary, and said the FTC was 'arbitrary and capricious' in extending the application of the law to them. Also, the extension of the Red Flag Rule to doctors would do nothing to improve care, the physician groups say.

<...> According to the lawsuit, complying with the Red Flags Rule 'imposes significant burdens on physicians, particularly sole practitioners, and those practicing in small groups.'

Since most personal health information is already protected by HIPAA, including as modified by the HITECH Act, medical associations argue that the additional privacy safeguards imposed by RFR are simply not necessary.  In addition, the American Bar Association succeeded in excluding lawyers from RFR requirements.  Physicians argue that the exemption of lawyers should apply to healthcare professionals.

We will keep you posted regarding any developments in this case.  However, until the court rules on the AMA's motion, healthcare organizations should remember the June 1, 2010 enforcement date for the Red Flags Rule.

"Lawsuit: Red Flags Rule Violates Doctor/Patient Relationship," Health Data Management (May 21, 2010).

In the news: Privacy breaches and de-identification

  • According to LA Weekly, Huping Zhou, a former employee at the UCLA Healthcare System, pleaded guilty to federal charges of breaches of patient privacy. Zhou, 48, accessed the UCLA patient records system 323 times during a three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed. This case follows a similar breach at UCLA Medical Center, when Lawanda Jackson, a former nurse at the Center, pleaded guilty to wrongfully accessing information of Britney Spears and Farrah Fawcett.
  • Delaware Online reports on an unfortunate new trend in medical identity theft, searching for copies of discarded prescriptions: "In the latest crime trend to hit Delaware, police are reporting that people looking for drugs such as Oxycontin and Vicodin are stalking customers who throw away prescription bags containing paperwork with details about their pills and themselves. They use the personal information to call in prescriptions and charge them to the victims' insurance. Then they turn around and sell the drugs." According to Bruce DiVincenzo, chief agent of Delaware's Office of Narcotics and Dangerous Drugs:

"They're making their own scripts by ordering paper from the Internet," he said. "It's the patient's name that they want, because that person is actively listed as a customer of the pharmacy and will not raise suspicion."

Pharmacies like CVS and Happy Harry's (a subsidiary of Walgreens) take certain precautions to prevent such identity theft, including checking IDs before filling prescriptions and reminding customers to be careful with their receipts and copies of prescriptions.

  • According to Washington Technology, HHS is looking for a contractor to research the effectiveness of "de-identifying" PHI:

Under this new contract, HHS will research re-identifying the data and matching it to a specific individual.

'The contractor shall take one or more HIPAA Privacy Rule de-identified data sets and, using methods and technologies that exclude 'brute force' matching, demonstrate the ability or inability to re-identify the data,' the notice states.

The re-identification must be an accurate and unambiguous match to an individual.

"Former UCLA Health Worker Pleads Guilty To Accessing Celebrities' Medical Records," LA Weekly (January 8, 2010).

"Delaware crime: Trash-picking identity theft targets pharmacy customers," Delaware Online (January 6, 2009).

"HHS wants contractor to test privacy of 'anonymous' data," Washington Technology (January 5, 2010).