Health Care Matters

A Complimentary Newsletter From:

Law Offices Of David S. Barmak, LLC

Partners to Skilled Nursing Facilities

Volume 10, Issue 2                               ADVERTISEMENT                                 MAY 2009

In This Issue
Red Flag Rule Requires Compliance by Skilled Nursing Facilities
Violence Prevention in Health Care Facilities Act Becomes Operative This June
The American Recovery & Reinvestment Act ("ARRA") Expands and Extends HIPAA Provisions
Announcements - Changes At Our Office
David S. Barmak, Esq. 
David Photo
Licensed to practice law in the States of New Jersey, New York, Connecticut and Pennsylvania 
 
Red Flag Rule Requires Compliance by Skilled Nursing Facilities
You may have heard, read, or seen discussions recently regarding the implementation of some new Federal regulations that health care providers may soon have to follow. This article is intended to introduce and explain these rules to you, so that you may be better prepared for their enforcement.
 
True story - A man needing cardiac surgery was able to get healthcare services totaling $350,000 from a local hospital using a friend's identity. (Chicago Tribune)
 
True story - A woman's medical identity was stolen by a thief who used the information to obtain surgery. Unfortunately, her troubles were more than just financial. When she was hospitalized a year later for a hysterectomy, she realized the identity thief's medical information was now mixed in with her own after a nurse reviewed her chart and said, "I see you have diabetes." (She didn't.) With medical data expected to begin flowing more freely among healthcare providers, she now frets that if she is ever rushed to a hospital, she could receive improper care - a transfusion with the wrong type of blood, for instance, or a medicine to which she is allergic. (Business Week)
 
In addition to the obvious problems for patients, as outlined in the examples above, medical identity theft may result in significant losses for healthcare providers as well. If the healthcare provider renders services to an identity thief, and the provider receives payment from the insurance carrier based upon the submission of a claim utilizing stolen medical identity information, the insurance carrier will likely attempt to recover the improper payment from the provider. Suffice it to say for purposes of this article that sorting out the legal issues in determining the rights of the provider vis a vis the insurance carrier are complex and messy, to say the least.
 
The federal government has attempted to address the identity theft scenario outlined above with various statutes and regulations. As far as healthcare providers are concerned, the primary law with which most are familiar is the Health Insurance Portability and Accountability Act (HIPAA). As every healthcare provider likely knows, HIPAA focuses on maintaining the confidentiality of "protected health information."  What some may not know is that HIPAA also focuses on preventing the theft of identity information. In addition to the federal requirement that healthcare providers holding confidential information keep the information secure, the government has also attempted to fight identity theft by making it easier for consumers to detect identity theft when it occurs. 

To this end the Fair and Accurate Credit Transactions Act of 2003 (FACTA) imposes obligations on credit card issuers, financial institutions, consumer reporting agencies and creditors directed both at prevention and detection of identity theft. FACTA amended another Federal law, the Fair Credit Reporting Act (FCRA), and mandated the development of identity theft regulations. As a result, the Federal Trade Commission (FTC), along with other federal agencies issued what are known as the Red Flag Rules, which govern the detection, prevention and mitigation of identity theft by financial institutions and creditors. In short, the Red Flag Rules require most healthcare providers to develop an Identify Theft Prevention Program.
 
Healthcare providers, including skilled nursing facilities, are required to make reasonable attempts to prevent and detect identity theft through an Identity Theft Prevention Program, as well as to respond and mitigate identity theft. These providers may need to include in their program periodic reviews of the medical record - both of the thief and the victim if the victim is also a patient - to ensure that false information is removed. Policies and procedures must be developed to assist the healthcare provider detect potential identity theft that may be encountered while providing services for its patients.
 
An Identity Theft Prevention Program should be approved by the healthcare provider's board of directors and contain reasonable policies and procedures to:
  • Identify relevant red flags for covered accounts and incorporate those red flags into the Identity Theft Prevention Program;
  • Detect red flags that have been incorporated into the Identity Theft Prevention Program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure the Identity Theft Prevention Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the healthcare provider from identity theft.

An Identity Theft Protection Program is most easily incorporated into a healthcare provider's existing HIPAA compliance program. Healthcare providers may want to augment the identifying information that they currently request from patients as part of their Identity Theft Protection Program; however, the more identifying information obtained from patients, the more important it is to have an effective and comprehensive HIPAA compliance program. A HIPAA compliance program is essential to prevent or promptly detect improper access to a patient's protected health information that might be used elsewhere, and by someone other than the patient. Such policies are an essential piece of an effective and complete compliance program for skilled nursing facilities.

Violence Prevention in Health Care Facilities Act Becomes Operative This June
The Violence Prevention in Health Care Facilities Act ("ACT") signed into law on January 3, 2008 mandated that every nursing home, within (6) six months, must establish a violence prevention committee with at least 50% of the members direct patient care workers.
 
The Act also stipulated that within eighteen (18) months, each nursing home must have developed and maintained a written violence prevention plan. Workplace risks must be identified and addressed. In addition, the violence prevention plan must specifically identify methods to reduce the risks of violence against employees.
 
If you need assistance in complying with this new law, please contact me at david@barmak.com.
The American Recovery & Reinvestment Act ("ARRA") Expands and Extends HIPAA Provisions
ARRA, better known as the federal economic stimulus act signed into law by the President on February 17th this year, includes language that substantially strengthens the Health Insurance Portability and Accountability Act ("HIPAA").
 
In the past, business associates, firms that perform function for or furnish services to a long term care provider that transmits individually identifiable health information in electronic form, were covered by the HIPAA Privacy and Security Rules but in a less stringent way than the health care provider itself was covered.
 
The extended clout of ARRA'S HIPAA amendments now impose on business associates many of the basic requirements of HIPAA such as the need to appoint security officials, develop written policies and procedures and train their workforce in the correct manner to handle protected individual health information.
 
Under the new more rigorous provisions, business associates now have to conform to many of the core requirements of HIPAA, not just agree by contract to impose safeguards on its use of individually identified health information.
 
The new act (ARRA) also expands and significantly increases the civil monetary penalties available to the government for HIPAA violations. For instance, previously the penalty was typically $100 for each violation, now the penalty has been increased up to $1000 per violation due to "reasonable cause and not willful neglect" with a maximum of $100,000 and even higher penalties for violations due to willful neglect.
 
An additional extended provision of ARRA requires HHS to conduct periodic audits to ensure that both long term care providers and business associates are in compliance. In addition state attorney generals may now bring enforcement action against a covered entity or business associate that violate HIPAA Privacy & Security Rules and attorneys' fees may be assessed against the violators.
 
For additional information on how ARRA impacts HIPAA Privacy and Security Regulations contact us at david@barmak.com.
Announcements - Changes At Our Office
Now Licensed in Pennsylvania
 
David S. Barmak, already licensed in New Jersey, New York and Connecticut, now holds a license in Pennsylvania.  This is significant for corporate compliance clients in Pennsylvania since the attorney client privilege will now be recognized for providing maximum protection during audits and communications.
 
Rhonda L. Duer Joins Staff
 
David Barmak and all the staff at the Law Offices of David S. Barmak would like to welcome Rhonda Duer to our "family".
 
Rhonda is an experienced paralegal and has worked for over 15 years with New Jersey law firms.  Working as a paralegal professional she has had constant contact with clients, adversaries, courts, government agencies and regulators.
 
Rhonda will assist the staff and clients with a variety of legal matters that are handled by the office.  She holds a BA degree from Rider University and a paralegal certificate from the National Academy of Paralegal Studies.
 
Rhonda lives in Hopewell, NJ with her husband and son.
Law Offices Of David S. Barmak, LLC
David Barmak established his health care law firm in 1984 to deliver legal services, both in transactions and litigation, to organizations and professional practitioners in the health care field.  We call this approach "Enterprise-Wide Risk Management" because it includes three important facets:
  1. Counsel and advisement on all aspects of legal risk, from setting up the entity to corporate governance;
  2. Protection of your practice or business through litigation prosecution or defense in the Courts; as well as regulatory compliance and licensure issues before government agencies; and
  3. Operations improvement through the implementation of enterprise-wise onsite audits, programs and training seminars in the areas of, but not limited to, Fraud and Abuse, HIPAA Privacy and Data Security, Employment, A/R Management, Emergency Preparedness, and Workplace Violence.

David S. Barmak, Esq. received his JD from Cornell University and BA from Duke University.  He is licensed to practice and serves clients in the States of New Jersey, New York, Connecticut and Pennsylvania.  Before making your choice of attorney, you should give this matter careful thought.  The selection of an attorney is an important decision.  The recipient may, if the newsletter is inaccurate or misleading, report the same to the Committee on Attorney Advertising. 

For more information, please contact us:
Telephone (609) 688-0055
Fax (609) 688-1199
Disclaimer:  The contents of this newsletter are presented as general information.  Legal advice and opinion can only be provided upon individual consultation.
         2009.  All Rights Reserved.