Health Law Pointers - Volume XI, No. 2
Identity Theft (Red Flags Rule)
The Red Flags Rule (Rule) has been in effect since January 1, 2008 and is designed to prevent “identity theft” by making businesses more aware of the problem, and having them take preventive action. Nonetheless, the Rule seems to have escaped public notice. Many professionals and professional practices will be surprised to learn that they are subject to the Rule simply because they regularly defer payment from patients after completion of medical services. Objections to the broad scope of the Rule, raised to date by the American Medical Association and other professional societies, have been unsuccessful.
To comply with the Rule, your practice must develop and implement a written identity theft program to identify, detect and respond to possible risks of identity theft that are relevant to the medical, dental and other professions.
There is still time to develop an identity theft program as the Federal Trade Commission (FTC) has postponed (again) enforcement of the Rule until November 1, 2010.
The FTC has prepared a “do it yourself” program that is available on its website. See www.ftc.gov/redflagsrule under the tab “Create Your Program.” This program allows certain businesses at low risk for identity theft to adopt a simplified template that needs only certain blanks completed to become effective. However, identity theft policies must be approved by your governing body.
It is prudent to consider adoption of an identity theft prevention program no later than the November 1, 2010 effective date for enforcement of the Rule. Please do not hesitate to contact Lawrence M. Ross with any questions.
New York State Notification Law on Security Breaches
Should protected health information be accessed by or disclosed to an unauthorized person, most professional practices recognize immediately that the HIPAA Privacy Rule may be implicated. As covered entities, these practices must then work to mitigate any harmful effect resulting from the privacy breach. Beginning on or before September 15, 2009, under legislation enacted this past winter, professional practices also will be required to notify affected individuals of the security breach.
New York State law has imposed a similar consumer notification requirement on businesses since 2005. Under Section 899-aa of the General Business Law, businesses must promptly notify State residents of any breach in the business’ security system if it results in the acquisition of “personal” or “private” information not otherwise available to the general public by an unauthorized person. In general, notification can be in writing (by letter, fax or e-mail) or by telephone, provided a log is maintained evidencing the contact.
In addition, businesses must complete and file a security breach reporting form with 3 separate state agencies: (1) the State Attorney General’s Office; (2) the State Office of Cyber Security and Critical Infrastructure Coordination; and (3) the State Consumer Protection Board.
A copy of the form required to be filed may be found at the Attorney General’s official website: www.oag.state.ny.us under the tab “Forms”.
Abuse of prescription drugs is widespread. Many of these drugs are so highly valued that a “gray market” has developed for them on the “street.” State health law regulations require practitioners to adopt adequate safeguards and security measures to assure against the loss, destruction, theft or unauthorized use of prescription forms, and to immediately notify the State of any such theft or unauthorized use.
What can your practice do to prevent the abuse of your prescription forms?
We recommend that you consider taking 3 simple steps:
1. Do not keep script pads unsupervised in the office.
2. Lock up all script pads after hours in a secure location.
3. Consider having your practitioners fill and send prescriptions electronically.
In the event you become aware that unauthorized or forged prescriptions are being presented to area pharmacies under the name(s) of your practice physicians, consider asking pharmacies to contact your office to verify the bona fides of any prescription for a controlled substance before filling it, in addition to working with local law enforcement agencies and the State Narcotics Bureau.