January 12, 2009
PATIENT INFORMATION SECURITY
By: Meghan Reilly, Legislative Analyst
You asked for information regarding federal and state safeguards preventing the medical industry from using patients' social security numbers (SSNs) inappropriately, particularly the security standards, the penalties for security breaches, and efforts to curb the use of SSNs.
Medical identity theft currently accounts for just 3 percent of identity theft crimes, or 249,000 of the estimated 8.3 million people who had their identities lifted in 2005, according to the Federal Trade Commission (FTC).
On the federal level, the medical industry protects SSNs from misuse through the Health Insurance Portability and Accountability Act (HIPAA). HIPAA controls the release of protected health information (PHI), including SSNs, through patient authorization forms, setting physical, electronic, and administrative security measures, and creating penalties for inappropriate use of PHI. HIPAA does not cover personal health records maintained by third-party vendors nor does it specifically limit the collection or use of SSNs.
The FTC recently promulgated regulations requiring certain health care providers to develop and implement a written identity theft prevention program to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts.
Connecticut law prohibits individuals and businesses from publicly disclosing SSNs and requires anyone in possession of personal information about another person to safeguard the data from misuse by third parties and to destroy, erase, or make unreadable any document, computer file, or data before disposing of it. It also sets penalties for violations of these laws.
Other states have proposed changes to privacy laws for medical information by creating central health information authorities, making HIPAA the state rule, putting restrictions on e-prescriptions, and creating a data breach notification rule.
Passed in 1996, HIPAA established a national floor of protection for all people who are or have been covered by private or self-insured health plans. It created national standards for the availability and portability of group and individual health insurance coverage, set federal standards for the electronic transfer and confidentiality of medical information, and strengthened federal health care fraud and abuse laws.
Who is Covered? If a provider conducts any one of the following business transactions electronically, he is most likely covered by HIPAA:
· Claims or equivalent encounter information
· Payment and remittance advice
· Claim status inquiry or response
· Eligibility inquiry or response
· Referral authorization inquiry or response
The act covers employers, self-insured and group health plans. Certain types of insurance are not within HIPAA's scope: accident or disability-income, liability or liability supplemental, workers' compensation, automobile medical payments, credit-only, or coverage for on-site medical clinics. The following types of coverage are excluded if offered separately on a stand-alone basis: limited scope dental and vision; long-term care, nursing home, home health care, or community-based care. The following types of coverage are excluded if offered as independent non-coordinated benefits: specific disease or fixed indemnity plans and Medicare supplement insurance offered as a separate policy. HIPAA also does not cover personal health records maintained by third-party vendors.
Protected Health Information. HIPAA regulations apply to “protected health information” (PHI). This includes medical information that contains any of a number of patient identifiers including name, SSN, telephone number, medical record number, or ZIP code. The regulations protect all individually identifiable health information in any form, electronic, paper-based, or oral, that is stored or transmitted by a covered entity.
Privacy. The regulations protect an individual's right to keep medical information private and away from people who would use it for commercial advantage, personal gain or malicious harm. The HIPAA privacy regulations require providers to obtain a signed consent form in order to use PHI for activities related to treatment, payment, and health care operations and to obtain a separate authorization to use or disclose PHI for any other purposes, such as marketing. Providers are prohibited from selling lists of patients and enrollees to third parties or from disclosing protected health information to a third party for its marketing activities, without the individual's authorization.
Although the HIPAA privacy rules provide for the protection of individually identifiable information, many providers believe they do not specifically limit the collection or use of SSNs, for several reasons. First, the HIPAA regulations do not specifically prohibit the use or disclosure of an individual's SSN. Second, because the individual's SSN falls under the same category as other individually identifiable information, it is equally protected under the HIPAA privacy and security requirements. Lastly, because SSNs fall under the same category as other individually identifiable information, to prohibit the use or disclosure of the individual's SSN would also preclude the use of the individual's other identifiers, such as name and address, which is clearly not HIPAA's intent (http://www.compbenefits.com/hipaa_policy.html).
Security. Security refers to a covered entity's specific efforts to protect the integrity of the health information it holds and prevent unauthorized breaches of privacy such as might occur if data are lost or destroyed by accident, intentionally stolen or sent to the wrong person in error. Security measures can be physical, such as locking rooms and storage facilities; administrative, such as policies and procedures covering access to information, user IDs and passwords, or punishments for violations of these; or technological, like encryption of electronic data and use of digital signatures to authenticate system users.
Penalties. The law calls for civil and criminal penalties for privacy and security breaches. The penalty for wrongful disclosure of individually identifiable health information is a $50,000 penalty, imprisonment of not more than one year, or both. Wrongful disclosure under false pretenses is punishable by a $100,000 penalty, imprisonment of not more than five years, or both. Committing wrongful disclosure with intent to sell the information is punishable by a $250,000 penalty, imprisonment of not more than 10 years, or both.
FTC “Red Flag” Regulations
Under recently issued regulations, the FTC requires financial institutions and creditors to develop and implement written identity theft prevention programs. The broad purpose of the Red Flag and Address Discrepancy Rules is to require financial institutions and creditors to formally address the risks of identity theft and develop a mitigation plan. A “Red Flag” is defined as a pattern, practice, or specific activity that could indicate identity theft. Health care providers may have obligations under the rules. Medical identity theft is included expressly in the Red Flag Rules Guidelines.
The Red Flag Rule applies broadly to financial institutions, credit grantors, and some others, including some health care providers. A health care provider comes under the Red Flag rule if the provider meets the definition of creditor under the Fair Credit Reporting Act (15 U.S.C. 1681a(r)(5)). A creditor is a person who regularly extends, renews, or continues credit, regularly arranges for the extension, renewal, or continuation of credit, or is an assignee of an original creditor who participates in the decision to extend, renew, or continue credit (15 U.S.C. §§ 1691a(e), 1681a(r)(5), 16 C.F.R. § 681.2(b)(4)).
Creditors that offer or maintain covered accounts have obligations under the Red Flag regulations. A covered account is:
1. an account offered or maintained by a financial institution or creditor, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
2. any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks (16 C.F.R. § 681.2(b)(3)).
Health care providers extending credit to a consumer by establishing an account permitting multiple payments are creditors offering a covered account and are subject to the Red Flag rules.
Credit Report Users. Health care providers may also be subject to the address discrepancy rules that apply to users of consumer reports or credit reports. A notice of address discrepancy will be sent to a user by a consumer reporting agency or credit bureau informing the user of a substantial difference between the address for the consumer provided to request the consumer report and the address in the agency's file for the consumer (16 C.F.R. § 681.1(b)).
The Notice of Address Discrepancy is required by the Fair Credit Reporting Act. Under 15 U.S.C. § 1681c(h), when a person requests a nationwide credit report for a consumer, the request includes the address that the consumer provided. If the address differs substantially from the address in the credit bureau files, the bureau must notify the requester of the existence of the discrepancy. Any health care provider that orders a credit report on a consumer must comply with those obligations.
Obligations. If a health care provider falls under the Red Flag Rule as a creditor, the provider must develop and implement a written identity theft prevention program. The purpose of the program is to detect, prevent, and mitigate identity theft in connection with new or existing covered accounts. It must be appropriate to the size and complexity of the creditor and the nature and scope of its activities. A large hospital will need a more robust program than a small office.
Creditors required to have an identity theft prevention program must show reasonable policies and procedures to:
1. identify relevant Red Flags for the covered accounts that the creditor offers or maintains and incorporate those Red Flags into its program,
2. detect Red Flags that have been incorporated into its program,
3. respond appropriately to any Red Flags that are detected, and
4. update the program periodically to reflect changes in risks from identity theft to customers and to the safety and soundness of the creditor from identity theft.
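As an added illustration, not FTC rule text and not any creditor's actual program, the following Python sketch shows how the four program elements (identify, detect, respond, update) can be organized in code around one Red Flag the report discusses, the notice of address discrepancy. It assumes a covered account that permits multiple payments, an agency notice carrying the address on file, and treats any difference that survives address normalization as "substantial"; the response (hold the account and verify identity) is likewise an assumption, since the rule only requires an appropriate response.

```python
"""Added example: an identity theft prevention program skeleton with one Red
Flag, the address discrepancy notice. Not FTC rule text and not any creditor's
real program; record shapes and the "hold and verify" response are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Street-suffix abbreviations expanded before comparing, so that a formatting-only
# difference ("St" vs "Street") is not reported as a discrepancy. (Assumed list.)
_ABBREV = {"st": "street", "ave": "avenue", "rd": "road", "dr": "drive",
           "blvd": "boulevard", "apt": "apartment", "ste": "suite"}


def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation and expand abbreviations."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def address_discrepancy(provided: str, on_file: str) -> bool:
    """True when the address the consumer gave differs substantially from the
    agency's file. Assumption: any difference surviving normalization counts."""
    return normalize_address(provided) != normalize_address(on_file)


@dataclass
class CoveredAccount:
    account_id: str
    address_provided: str            # address the consumer gave the creditor
    permits_multiple_payments: bool  # first prong of "covered account"


@dataclass
class RedFlag:
    account_id: str
    kind: str
    detail: str


Detector = Callable[[CoveredAccount, dict], Optional[str]]


def _address_discrepancy_detector(acct: CoveredAccount, notice: dict) -> Optional[str]:
    """`notice` stands in for the agency's notice of address discrepancy (assumed shape)."""
    agency_addr = notice.get("agency_address")
    if agency_addr and address_discrepancy(acct.address_provided, agency_addr):
        return f"consumer gave {acct.address_provided!r}, agency file has {agency_addr!r}"
    return None


class IdentityTheftProgram:
    """The four program elements: identify (register detectors), detect,
    respond, update (replace or add detectors as risks change)."""

    def __init__(self) -> None:
        self.detectors: Dict[str, Detector] = {}
        self.responses: List[str] = []
        self.identify("address_discrepancy", _address_discrepancy_detector)

    def identify(self, kind: str, detector: Detector) -> None:
        self.detectors[kind] = detector

    def update(self, kind: str, detector: Detector) -> None:
        """Periodic update: a new or revised Red Flag is just a re-registration."""
        self.identify(kind, detector)

    def detect(self, acct: CoveredAccount, notice: dict) -> List[RedFlag]:
        if not acct.permits_multiple_payments:
            return []  # single-payment account: not a covered account here
        flags = []
        for kind, detector in self.detectors.items():
            detail = detector(acct, notice)
            if detail:
                flags.append(RedFlag(acct.account_id, kind, detail))
        return flags

    def respond(self, flag: RedFlag) -> str:
        """Assumed response: hold the account and verify identity before
        extending further credit (the rule only requires an appropriate response)."""
        action = f"hold account {flag.account_id}: verify identity ({flag.kind})"
        self.responses.append(action)
        return action


# Constructed sample data: one payment-plan account and two agency notices.
SAMPLE_ACCOUNT = CoveredAccount("PP-1001", "12 Elm St., Apt 4", True)
MATCHING_NOTICE = {"agency_address": "12 Elm Street Apartment 4"}  # formatting only
DISCREPANT_NOTICE = {"agency_address": "900 Harbor Blvd"}


def demo_program() -> List[str]:
    program = IdentityTheftProgram()
    return [program.respond(f) for f in program.detect(SAMPLE_ACCOUNT, DISCREPANT_NOTICE)]


if __name__ == "__main__":
    print(IdentityTheftProgram().detect(SAMPLE_ACCOUNT, MATCHING_NOTICE))  # no flags
    print(demo_program())
```

The normalization step is the part worth copying: a notice whose only difference is "St" versus "Street" should not trigger a hold, while a genuinely different address should, and the program records every response so the periodic review required by element 4 has something to review.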
There are also four elements to the administration of the program. Each creditor required to have a program must:
1. obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors;
2. involve the board of directors, appropriate committee, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the program;
3. train staff, as necessary, to implement the program; and
4. exercise oversight of service provider arrangements (http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf).
Connecticut has several laws aimed at preventing the release of SSNs. With certain exceptions, the law prohibits individuals and businesses from publicly disclosing SSNs. The prohibition does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes (CGS § 42-470).
Safeguarding SSNs: PA 08-167
In 2008, Connecticut passed PA 08-167, An Act Concerning the Confidentiality of Social Security Numbers, effective October 1, 2008. The act requires anyone in possession of personal information about another person to safeguard the data as well as computer files and documents containing it from misuse by third parties and to destroy, erase, or make unreadable any document, computer file, or data before disposing of it. For this purpose, “personal information” means information capable of being associated with a particular individual through one or more identifiers, such as an SSN, driver's license number, state identification card number, account number, credit or debit card number, passport number, alien registration number, or health insurance identification number. It does not include publicly available information lawfully made available from federal, state, or local government records or widely distributed media.
The law also requires a business that collects SSNs to create a privacy protection policy that must ensure confidentiality of SSNs. The privacy protection policy must be published or publicly displayed; this includes posting it on an Internet web page. The policy must ensure confidentiality of SSNs, prohibit their unlawful disclosure, and limit access to them. This act exempts state agencies and political subdivisions from the duty to safeguard personal information.
For persons and entities that hold a state license, registration, or certificate issued by a state agency other than the Department of Consumer Protection, the act provides that its provisions restricting the dissemination of SSNs and on safeguarding personal information are enforceable by the agency that issued the credential using its existing statutory and regulatory authority.
Violators face a civil penalty of $500 for each intentional violation, up to a maximum of $500,000 per event. Civil penalties must be deposited into the Privacy Protection Guaranty and Enforcement Account, although legislation establishing the account was not enacted and so penalties will presumably be deposited into the General Fund.
Penalizing Identity Theft: PA 03-156
Connecticut passed An Act Concerning Identity Theft, PA 03-156, in 2003. This act imposes graduated penalties for identity theft violations, establishes procedures to assist victims of the crimes, and requires businesses to revise certain practices to prevent the crimes. Specifically, the act's relevant sections:
1. broaden the acts that constitute identity theft (CGS § 53a-129a);
2. establish three different classifications of the crime (CGS § 36a-699);
3. create the crime of trafficking in personal identification information (CGS § 36a-699f);
4. establish a procedure for reporting and processing identity theft crimes (CGS §§ 52-571(h), 54-1d); and
5. with certain exceptions, prohibit individuals, firms, and corporations from publicly disclosing SSNs (CGS § 42-470).
It establishes penalties for violating several of the act's provisions, specifies the unlawful purposes that would make someone guilty of identity theft, exempts the state and its political subdivisions from the prohibition against individuals and businesses (a) placing Social Security or full credit card account numbers on customers' receipts and (b) publicly disclosing the numbers. It also exempts certain health insurers from the prohibition against publicly disclosing SSNs.
Crimes. By law, a person commits identity theft when he intentionally obtains, without permission, another person's personal identifying information and uses it to illegally obtain or attempt to obtain money, credit, goods, services, property, or medical information. The act makes this offense third-degree identity theft, but leaves it classified as a class D felony, punishable by one to five years in prison, up to a $2,000 fine, or both.
The act makes it a class D felony for anyone to sell, give, or otherwise transfer another person's personal identifying information to a third person knowing that the (1) information was obtained without the owner's authorization and (2) third person intends to use it for an unlawful purpose. The penalty for trafficking in personal identifying information is one to five years in prison, up to a $2,000 fine, or both.
The act makes it second-degree identity theft, a class C felony, to commit identity theft involving money, credit, goods, property, or services valued at over $5,000. The penalty is up to 10 years in prison, a $10,000 fine, or both. It makes it first-degree identity theft, a class B felony, if the money, credit, goods, property, or service involved is valued at over $10,000. The penalty is up to 20 years in prison, a $15,000 fine, or both (CGS § 36a-699).
Reporting. The act allows people who believe that they are identity theft victims to file a complaint of the suspected violation with the law enforcement agency in the town where they live. The agency must accept the complaint, prepare a police report, give the complainant a copy of the report, and investigate the allegation and any other related violations. Where necessary, the agency must coordinate investigations with other law enforcement agencies.
The act also allows identity theft offenders to be arraigned in the superior court for the geographical area where the victim lives rather than in the court where either the crime was allegedly committed or the arrest was made. By law, victims of identity theft (third-degree identity theft under this act) can bring a civil action for damages against their offender in Superior Court. The law requires courts to award prevailing plaintiffs the greater of $1,000 or treble damages, costs, and reasonable attorney's fees.
The act extends the authority to sue to victims of first- and second-degree identity theft. It establishes a two-year statute of limitation for bringing the action. The limitation period starts from the date the violation is discovered or reasonably should have been discovered (CGS §§ 52-571(h), 54-1d).
Prohibition Against Publicly Disclosing SSNs. With certain exceptions, the act prohibits the public disclosure of SSNs. The prohibition does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes.
The act prohibits any person, firm, corporation, or other entity, other than the state or its political subdivisions, from:
1. intentionally communicating or otherwise making available to the general public an individual's SSN;
2. printing anyone's SSN on any card that the person must use to access the person or entity's products or services;
3. requiring anyone to transmit his SSN over the Internet, unless the connection is secure or the number is encrypted; or
4. requiring anyone to use his SSN to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.
The prohibition against publicly disclosing SSNs does not apply to certain individual and group health insurance policies delivered, issued for delivery, renewed, or continued on and after July 1, 2005. The affected policies cover (1) basic hospital, (2) basic medical-surgical, (3) major medical expenses, (4) accident only, (5) limited benefit, and (6) hospital and medical expenses paid by HMOs.
The penalty for willful violations is up to a $100 fine for the first offense, up to a $500 fine for a second offense, and up to a $1,000 fine or six months in prison for each subsequent offense (CGS § 42-470).
EXAMPLES FROM OTHER STATES
Minnesota and Rhode Island have passed comprehensive legislation protecting medical information through two different means. Table 1 compares the privacy portion of the two laws.
Table 1: Comparison of Privacy Provisions from Minnesota and Rhode Island
Minnesota Health Records Act (2007 HB 1078) compared with the Rhode Island Health Information Exchange Act of 2008 (2008 HB 7409)
Minnesota: Allows creation of record locator services (RLS). An RLS is an electronic index of patient identifying information that directs providers to the location of patient health records held by providers and group purchasers.
Rhode Island: Establishes a statewide health information exchange (HIE) under state authority. Designates the Rhode Island Quality Institute as the governance body or regional health information organization (RHIO) for the HIE.
Inputting Patient Data in the System
Minnesota: An RLS can be created without patient consent. Patients have the right to opt out of the RLS in total or can exclude specific provider contacts from the system.
Rhode Island: Patients must opt in for their data to be included in the HIE.
Consent for Access
Minnesota: Consent is required to search an RLS for the location of a patient's records except in an emergency. To facilitate the real-time exchange of data, one provider can electronically represent patient consent to another. To do so, a provider must have a signed and dated patient consent form authorizing the release. In addition, the provider releasing the record shall document:
1) the provider requesting the health records;
2) the identity of the patient;
3) the health records requested; and
4) the date the health records were requested.
Rhode Island: Patients who opt in can choose which providers have access to their data. If a patient opts in, their authorization is not required for release to:
● public health authorities for specified functions;
● health care providers for diagnosis or treatment in an emergency; and
● the RHIO for operation and administrative oversight of the HIE.
Minnesota: RLS must maintain an audit log of providers who access a patient's information. The log must contain at least the following: 1) the identity of the provider accessing the information; 2) the identity of the patient whose information was accessed by the provider; and 3) the date the information was accessed.
Rhode Island: Patients have the following rights: (a) to obtain a copy of their health care information from the HIE; (b) to obtain a copy of the disclosure report pertaining to their health care information; (c) to be notified of a breach of the HIE security system; (d) to terminate participation in the HIE; and (e) to request to amend their information through the provider participant.
Minnesota: When requesting health records using consent, or a representation of holding a consent, a provider warrants that the request: 1) contains no information known to the provider to be false; 2) accurately states the patient's desire to have health records disclosed or that there is specific authorization in law; and 3) does not exceed any limits imposed by the patient in the consent.
Rhode Island: Provides immunity to health care providers who rely in good faith upon information provided through the HIE in the treatment of a patient.
Minnesota: An RLS is liable for inappropriate disclosures of information. Anyone who inappropriately discloses a patient's data is liable for compensatory damages caused by an unauthorized release, plus costs and reasonable attorneys' fees. Providers who violate the statute can face disciplinary action by the appropriate licensing board or agency.
Rhode Island: The bill establishes civil and criminal penalties for violations of the statute. Attorneys' fees may be awarded by the court to the successful party in any action under this chapter.
Source: National Conference of State Legislatures, 2008.
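To make the Minnesota consent and audit requirements in Table 1 concrete, here is an added Python example; it is not text from either statute and not any real RLS or HIE software. It models a record locator service with the consent-or-emergency rule for searches, the patient's right to opt out entirely or exclude particular provider contacts, the four items the releasing provider must document, the three-field audit log, and a per-patient disclosure report of the kind the Rhode Island act gives patients a right to. The index shape, the reading of "provider contacts" as record-holding providers, and all sample identifiers and dates are constructed assumptions.

```python
"""Added example of a record locator service (RLS) with consent checks and an
audit log. Not statute text and not any real RLS or HIE software; index shape,
identifiers and the reading of "provider contacts" as holders are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEntry:
    """One audit log line carrying the three required items."""
    provider_id: str   # 1) identity of the provider accessing the information
    patient_id: str    # 2) identity of the patient whose information was accessed
    accessed_on: date  # 3) date the information was accessed


@dataclass(frozen=True)
class LocateRequest:
    """What the releasing side must document when records are requested."""
    requesting_provider: str            # 1) the provider requesting the health records
    patient_id: str                     # 2) the identity of the patient
    records_requested: Tuple[str, ...]  # 3) the health records requested
    requested_on: date                  # 4) the date the records were requested
    consent_signed: bool                # signed, dated consent (or a representation of one)
    emergency: bool = False


class RecordLocatorService:
    def __init__(self, index: Dict[str, Dict[str, List[str]]]) -> None:
        # index[patient_id][holding_provider] -> record types held there (assumed shape)
        self._index = index
        self._opted_out: Set[str] = set()
        self._excluded: Dict[str, Set[str]] = {}
        self._audit: List[AccessEntry] = []
        self._documented: List[LocateRequest] = []

    def opt_out(self, patient_id: str) -> None:
        """Patient opts out of the RLS in total."""
        self._opted_out.add(patient_id)

    def exclude_provider(self, patient_id: str, provider_id: str) -> None:
        """Patient excludes one provider contact from the index."""
        self._excluded.setdefault(patient_id, set()).add(provider_id)

    def _log(self, provider_id: str, patient_id: str, accessed_on: date) -> AccessEntry:
        if not (provider_id and patient_id and accessed_on):
            raise ValueError("audit entry requires provider, patient and date")
        entry = AccessEntry(provider_id, patient_id, accessed_on)
        self._audit.append(entry)
        return entry

    def locate(self, req: LocateRequest) -> Dict[str, List[str]]:
        """Return where the requested records are held. Consent is required
        except in an emergency; every search is documented and logged."""
        if not (req.consent_signed or req.emergency):
            raise PermissionError("consent required to search the RLS outside an emergency")
        if req.patient_id in self._opted_out:
            return {}  # nothing is indexed for an opted-out patient, so nothing is accessed
        excluded = self._excluded.get(req.patient_id, set())
        found: Dict[str, List[str]] = {}
        for holder, held in self._index.get(req.patient_id, {}).items():
            if holder in excluded:
                continue
            hits = [r for r in held if r in req.records_requested]
            if hits:
                found[holder] = hits
        self._documented.append(req)  # items 1)-4) kept by the releasing side
        self._log(req.requesting_provider, req.patient_id, req.requested_on)
        return found

    def disclosure_report(self, patient_id: str) -> List[Tuple[str, str]]:
        """Who accessed this patient's information, and when."""
        return [(e.provider_id, e.accessed_on.isoformat())
                for e in self._audit if e.patient_id == patient_id]


# Constructed sample data.
SAMPLE_INDEX = {"pt-100": {"clinic-A": ["labs", "imaging"],
                           "hospital-B": ["discharge-summary"]}}
CONSENTED_REQUEST = LocateRequest("clinic-C", "pt-100", ("labs", "discharge-summary"),
                                  date(2009, 1, 12), consent_signed=True)
UNCONSENTED_REQUEST = LocateRequest("clinic-C", "pt-100", ("labs",),
                                    date(2009, 1, 13), consent_signed=False)
EMERGENCY_REQUEST = LocateRequest("er-D", "pt-100", ("labs",),
                                  date(2009, 1, 13), consent_signed=False, emergency=True)


def demo_rls() -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    rls = RecordLocatorService(SAMPLE_INDEX)
    rls.exclude_provider("pt-100", "hospital-B")  # patient excluded this contact
    hits = rls.locate(CONSENTED_REQUEST)          # {"clinic-A": ["labs"]}
    return hits, rls.disclosure_report("pt-100")  # [("clinic-C", "2009-01-12")]


if __name__ == "__main__":
    print(demo_rls())
```

Two behaviours matter for the patient-rights side of the table: an unconsented, non-emergency search is refused before anything is looked up, and an emergency search still lands in the audit log, so the disclosure report shows it.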
Make HIPAA the Rule
A Nevada bill would make HIPAA the state rule, specifying HIPAA preempts any more stringent state laws related to the electronic exchange of health information by covered entities. The bill allows patients to not participate in electronic transmission of individually identifiable health information, with an exception for Medicaid and SCHIP patients and when required by HIPAA or state law (Nevada SB 536 § 1).
Create Standard Authorization
To address differing interpretations and application of federal and state privacy laws, the Oklahoma Legislature ordered the State Board of Health to create a standard authorization form for exchange of health information. Providers using the form and following the board's instructions are immunized from liability under state privacy laws that may arise from the exchange of health information, but use of the form is not required (Oklahoma SB 1420, 2008 O.S.L. 305, __ __).
Data Breach Notification
California's AB 1298, Chapter 699, Statutes of 2007 expands the state's data breach notification law to include unencrypted medical information and health insurance information. The law also expands the definition of provider of health care under the state's Confidentiality of Medical Information Act to cover third-party vendors of personal health records like Google and Microsoft. HIPAA and most state health privacy laws do not cover personal health records maintained by third-party vendors.
A few states prohibit e-prescribing systems from influencing provider prescribing practices. New Hampshire passed the most comprehensive of these bills, which prohibited any individual with access to e-prescriptions due to transmission or facilitation of transmission from retaining the prescription any longer than is mandated by law. Sale or use of that information for any purpose other than transmission of prescriptions, refills, or clinical information for prescriber or pharmacist is also prohibited (N.H. HB 134(e), Chapter 328 of the 2006 New Hampshire Laws, 2008-R-0680).