The Push for E-Prescribing: Better for Providers, Or Just a Wolf in Sheep's Clothing?


A Publication of the American Health Lawyers Association Health Information & Technology Practice Group

HIT News
Volume 12 Issue 1
January 2009

The Push for E-Prescribing: Better for Providers, Or Just a Wolf in Sheep's Clothing?

Tara Kepler, Esquire
Haynes & Boone LLP
Dallas, TX

Overview

On June 27, 2008, the U.S. Drug Enforcement Administration (DEA) proposed electronic prescribing (e-prescribing) regulations which, if finalized, would expose DEA-registered physicians, hospitals, and pharmacies to new civil and criminal liability risks when participating in activities related to the e-prescribing or dispensing of controlled substances.[1] The proposed regulations would amend DEA regulations at 21 C.F.R. Parts 1300, 1304, 1306, and 1311, and would create detailed procedures and system requirements for (1) healthcare practitioners who create e-prescriptions for controlled substances, (2) the service providers that provide e-prescribing systems and services, and (3) the pharmacies that dispense controlled substances pursuant to an e-prescription. As the basis for its authority to propose new regulations, the DEA cites the Controlled Substances Act of 1970,[2] and its responsibility to establish a closed system of control for the manufacturing, distribution, and dispensing of controlled substances.

Although the DEA press release touts numerous benefits of the proposed e-prescribing rules, it does not address the new risks and burdens the rules would place on healthcare providers.[3] In contrast to the optimistic tone of the press release, the preamble and text of the proposed rules repeatedly employ strong language about the failures of the current system, and place ultimate responsibility for ensuring that the new system for e-prescribing functions properly on DEA-registered physicians and pharmacies.

Table of Contents

- The Push for E-Prescribing: Better for Providers, Or Just a Wolf in Sheep's Clothing? Tara Kepler, Esq.
- Red Flag Rules Add to Healthcare Providers' Data Security Obligations. Kevin Lyles, Esq.
- Editor's Corner. Patricia Markus, Esq.
- Medicare Telemedicine Coverage Is (Slowly) Growing. Amy Leopard, Esq.
- Cell Phone Camera Use in Healthcare Facilities: Shutter It. Patricia Markus, Esq., Erin Zuiker, Esq.
- Chair's Column. Edward Shay, Esq.

HIT News 2009 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. from a declaration of the American Bar Association

The DEA's proposed e-prescribing rules would present new civil and criminal liability risks for physicians, hospitals, and pharmacies participating in e-prescribing or dispensing activities if they fail to comply with the following onerous requirements:

- Practitioners must ensure that they only use e-prescribing systems that comply with the rules;
- Practitioners must ensure the security of their electronic signature tokens;
- Practitioners must monitor and report breaches in the security of their e-prescribing systems on a monthly basis;
- Pharmacies must monitor and report breaches in the security of their e-prescription dispensing systems on a daily basis; and
- All DEA registrants would be required to maintain records related to e-prescribing of controlled substances for five years.

The preamble to the proposed rules (Preamble) emphasizes that participation in e-prescribing and adherence to the proposed rules are essentially voluntary.[4] However in light of the e-prescribing provisions in the Medicare Prescription Drug, Improvement, and Modernization Act of and the Medicare Improvements for Patients and Providers Act of 2008,[6] adherence to the proposed DEA provisions would not be as voluntary as the Preamble suggests. Essentially, within the next year, any physician who chooses to treat Medicare patients and to receive full payment for such services would need to develop and implement an e-prescribing system that is compliant with the DEA's proposed rules, or risk multiple civil and criminal violations of the Controlled Substances Act.

The Benefits of E-Prescribing

The DEA explains in the Preamble that e-prescribing rules are necessary because there are no standards governing the security of e-prescribing systems currently being used, and the existing system relies on the hope that vendors will employ good security practices. The DEA further explains that the regulations are designed to ensure an adequate supply of controlled substances for legitimate medical, scientific, research, and industrial purposes, and to deter the diversion of controlled substances to illegal purposes. The Preamble and the DEA's accompanying press release itemize numerous other benefits of the proposed rules, including that they will:

- Permit pharmacies to receive, dispense, and archive e-prescriptions;
- Provide pharmacies, hospitals, and practitioners with the ability to use modern technology for controlled-substance prescriptions;
- Reduce paperwork for DEA registrants who prescribe or dispense controlled substances;
- Potentially reduce prescription forgery;
- Potentially reduce the number of prescription errors caused by illegible handwriting and misunderstood oral prescriptions;
- Help both pharmacies and hospitals to integrate prescription records into other medical records more directly, which could increase efficiency and reduce the amount of time patients spend waiting to have their prescriptions filled;
- Ensure that patients, prescribers, and pharmacists know that the person who wrote the prescription is who that person claims to be; and
- Ensure that the medication being dispensed by the pharmacist and received by the patient is the medication that was prescribed.

New Liability Risks Tied to E-Prescribing

Practitioners must ensure that they only use e-prescribing systems that comply with the rules. The Preamble states that the individual practitioners will be responsible for ensuring that the e-prescribing system that they use conforms with all legal requirements. Practitioners must determine initially and at least annually thereafter that the third-party audit reports of the e-prescribing service providers they use indicate that the system and service provider meet DEA's e-prescribing requirements. If the third-party audit report indicates that the system or the service provider does not meet the requirements, or if the service provider notifies the practitioner that the system does not meet the requirements, then the practitioner would be required to immediately stop using the system to issue e-prescriptions for controlled substances.

Practitioners must ensure the security of their electronic signature token. The security of the proposed new e-prescribing system relies in part on the security of the prescribing practitioner's electronic signature token. The rules would require the practitioner to retain sole possession of the hard token. If a token is lost or compromised, and the practitioner fails to notify the service provider within twelve hours of discovery, the practitioner will be held responsible for any prescriptions written using the token. The practitioner must report the loss or theft of the hard token to the service provider even if the practitioner does not believe that someone else will be able to use it to breach the system. The practitioner also must ensure that only he or she uses the hard token and must not share the password with any other person. The practitioner must adopt procedures and controls (1) to secure the hard token and password against loss, theft, or unauthorized use, and (2) to clearly identify any attempt to compromise the private key. Finally, the practitioner must not lend the token, whether it is on a PDA, cell phone, smart card, or other device, to anyone.

The practitioner will be required to certify the following statement when electronically signing each prescription:

I, the prescribing practitioner whose name and DEA registration number appear on the controlled substance prescription being transmitted, have reviewed all of the prescription information listed above and have confirmed that the information for each prescription is accurate. I further declare that by transmitting the prescription information, I am indicating my intent to sign and legally authorize the prescription.

If the practitioner does not provide this certification, the e-prescription may not be transmitted. As described in the Preamble:

The DEA believes that such a statement is necessary to help to positively bind the practitioner to the prescription. This requirement will protect practitioners by eliminating the possibility that a staff member will be able to issue controlled substance prescriptions unless the practitioner grants them access to his authentication methods, which would make the practitioner legally responsible for any prescriptions that staff created.

Practitioners must monitor and report security breaches in their e-prescribing system on a monthly basis. The proposed rules require the e-prescribing system to generate a monthly log of controlled-substance prescriptions and transmit it to the practitioner for his review. The practitioner must indicate that the log was reviewed. Practitioners must notify the DEA and the service provider if they identify problems in those they review that indicate that prescriptions have been altered or created without their knowledge.

Pharmacies must monitor and report security breaches in their e-prescription dispensing system on a daily basis. The proposed rules require pharmacies that dispense controlled substances pursuant to an e-prescription to have a monitoring system in place that includes an internal audit trail. The pharmacy would be required to define and implement a list of auditable events, and conduct a daily analysis of the system to determine whether any auditable events have occurred. The list of auditable events would have to include, at a minimum, attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in the e-prescription system. If the daily audit report identifies any events indicating that the prescription system has been or could have been compromised, the pharmacy would be required to report this fact to the DEA within one business day.

All DEA registrants would be required to maintain records related to e-prescribing of controlled substances for five years. The proposed rules would require DEA registrants to maintain records related to e-prescribing of controlled substances for five years, in contrast with the current two-year records retention requirement. In the Preamble, the DEA explained that the more lengthy record retention requirement is necessary due to the potential length and complexity of cases relating to the diversion of controlled substances through e-prescriptions. Also, with the new system the DEA will be able to obtain all relevant records directly from the DEA registrants, and will no longer need to obtain subpoenas from third parties to investigate and prosecute possible controlled-substance diversions.

Enforcement of the Proposed E-Prescribing Rules

Although the proposed regulations primarily set forth standards for the e-prescribing service providers, accountability for the new system rests solely on the DEA-registered healthcare practitioners and pharmacies. As described in the Preamble, it is the DEA-registered practitioner or pharmacy the DEA will look to if the system or service provider that practitioner is using is not in compliance with DEA regulations.[7] The Preamble reminds DEA registrants that violations of the proposed regulations, if adopted in their current form, would be civil or criminal in nature, and could result in administrative, civil, or criminal proceedings with remedies including modification or revocation of DEA registration, civil monetary penalties, or even imprisonment, depending on the nature, scope, and extent of the violation.

Related E-Prescribing Laws and Initiatives

The DEA rules for e-prescribing were not proposed in a vacuum. The rules are among a series of statutes and implementing regulations tied to the federal government's push for widespread adoption of e-prescribing, with the goal of reaping quality and efficiency benefits for the U.S. healthcare system. Such statutes and regulations include:

Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA).[8] The MMA requires drug plans that participate in Medicare Part D to support e-prescribing by 2009 through e-prescribing systems that comply with uniform standards adopted by the Secretary of the Department of Health and Human Services (HHS). The purpose of the HHS rules defining the standards was to ensure that e-prescriptions were created and transmitted in an interoperable format that could be read by the receiving pharmacy. The DEA explained in the Preamble that the rules were written to be consistent with the HHS interoperability standards, but that the purpose of the DEA's rules was to provide safeguards against the diversion of controlled substances.

Health Insurance Portability and Accountability Act, Privacy Regulations (HIPAA).[9] In addition to numerous other requirements and protections, HIPAA establishes protections for health information by requiring parties who create, transmit, and store prescriptions to meet standards that the information is protected and not revealed to persons not authorized to see it. The HIPAA definition of a security incident is the basis for the list of auditable events that a pharmacy must define and monitor under the proposed DEA rules for e-prescribing. However, the DEA noted in the Preamble that the HIPAA standards were designed to establish only a minimal threshold for general e-prescribing protections because, unlike the proposed DEA protections, the HIPAA requirements apply to a wide variety of healthcare industry participants and healthcare information.

Medicare Improvements for Patients and Providers Act of 2008 (MIPPA).[10] Half a month after the DEA's e-prescribing rules were proposed, Congress passed the MIPPA, which authorizes the Centers for Medicare & Medicaid Services (CMS) to promulgate rules for e-prescribing incentive payments under the Medicare physician fee schedule. Under MIPPA, physicians who adopt e-prescribing will qualify for bonus payments between 2009 and The MIPPA also authorizes a reduction in payments to those physicians who are not successful e-prescribers by

Electronic Signatures in Global and National Commerce Act of 2000 (E-Sign).[13] E-Sign establishes the basic rules for using electronic signatures and records in commerce. It permits federal, state, and local agencies to set performance standards to ensure accuracy, record integrity, and accessibility of electronic records where a statute or regulation requires retention of a record.[14] E-Sign also permits such standards to be specified in a manner that requires the implementation of a specific technology, if such a requirement serves an important governmental objective and is substantially related to that objective interest. The DEA relied on these E-Sign provisions as additional authority for the proposed e-prescribing rules.

Only Applicable to Those Who Voluntarily Use E-Prescribing?

The Preamble emphasizes that participation in e-prescribing and adherence to the DEA's proposed rules are essentially voluntary decisions for healthcare providers. As described by the DEA:

DEA emphasizes that the use of electronic prescriptions is voluntary. No registrant would be required by DEA to issue controlled substance prescriptions electronically. Those registrants that wish to do so, however, would have to comply with the rules governing electronic prescribing of controlled substances.[15]

However, in light of the Medicare e-prescribing provisions from the MMA and the MIPPA discussed above, this assertion of voluntariness is misleading. Under MMA and MIPPA, any physician who wishes to receive the Medicare physician fee schedule e-prescribing bonus payments from 2009 through 2013 and not suffer the e-prescribing payment reductions beginning in 2012 will, at a minimum, need to use e-prescribing for his or her Medicare patients and comply with the DEA's proposed rules for any e-prescribing of controlled substances. Thus, within the next year, any physician who chooses to treat Medicare patients and to receive full payment for such services would need to develop and implement an e-prescribing system that is compliant with the DEA's proposed rules, or risk multiple civil and criminal violations of the Controlled Substances Act. Realistically, most providers will not have much choice in the matter.

1 See Electronic Prescriptions for Controlled Substances, 73 Fed. Reg (June 27, 2008) U.S.C Drug Enforcement Agency, DEA Issues Proposed Regulations to Allow Electronic Prescriptions for Controlled Substances, Press Release, available at gov/dea/pubs/pressrel/pr html (June 27, 2008) Fed. Reg U.S.C. 1395w 104(e) U.S.C. 1395w-4(a), (m) Fed. Reg U.S.C. 1395w 104(e) C.F.R U.S.C. 1395w Id. at 1395w-4(m)(2)(A). 12 Id. at 1395w-4(a)(5)(A)(i) U.S.C U.S.C. 7004(b)(3)(A) Fed. Reg

Red Flag Rules Add to Healthcare Providers' Data Security Obligations

Kevin D. Lyles, Esquire*
Jones Day
Columbus, OH

The Health Insurance Portability and Accountability Act (HIPAA) is no longer the only source of federal regulations governing the privacy and security of healthcare information. Under new federal regulations that became effective on January 1, 2008, healthcare providers that extend credit (e.g., by deferring payment for medical services) must implement written identity theft prevention programs that provide for the identification, detection, and response to patterns, practices, or specific activities known as "red flags" that could indicate identity theft.

Background

On December 4, 2003, the President signed into law the Fair and Accurate Credit Transactions Act (FACTA). FACTA was enacted by Congress to provide consumers with increased protection from identity theft. FACTA directed six agencies to jointly establish and maintain guidelines... [that] identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft.[1] Among these agencies was the Federal Trade Commission (FTC), which has regulatory authority over healthcare providers. The FTC and the other agencies published the final FACTA regulations on November 9, 2007, and those regulations became effective January 1, 2008,[2] with a mandatory compliance date of November 1, On October 22, 2008, the FTC announced that it will suspend enforcement of the Red Flag Rules until May 1, 2009, to give creditors additional time to develop and implement their identity theft prevention programs. The FTC's delay in enforcement was intended to give healthcare providers and other entities that recently became aware of the FACTA regulations sufficient time to comply.

Among other things, the final regulations require debit and credit card issuers to assess the validity of address change notifications and, when a user of consumer reports receives a notice of address discrepancy, the user must form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report. This article discusses the part of the regulations that requires covered entities to create a written identity theft program designed to detect, prevent, and mitigate identity theft in connection with certain covered accounts (the Red Flag Rules or the Rules).

Covered Entities

The Red Flag Rules cover financial institutions and creditors that offer or maintain covered accounts. The breadth of the Rules comes from the broad definition of creditors. The term creditor means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.[4] This definition of creditor will apply to many healthcare providers. For example, hospitals or other healthcare providers extend credit to patients when they allow patients to defer payment for medical goods and services. Likewise, healthcare providers that partner with a bank or finance company to facilitate loans for their patients likely would be considered creditors under the Red Flag Rules.

Under the Red Flag Rules, only those creditors and financial institutions that offer or maintain covered accounts are required to develop and implement an identity theft prevention program. An account is a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.[5] A covered account is (i) [a]n account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) [a]ny other account... for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.[6]

Patient accounts would seem to meet both prongs of this definition. They are maintained for personal purposes (medical care) and are designed to permit multiple payments or transactions. Also, patient accounts clearly present a risk to patients of medical identity theft. Pam Dixon, executive director of the World Privacy Forum, recently estimated that between 250,000 and 500,000 people have their medical identities stolen every year.[7]

In a decision tree format, here is what the analysis would look like for a healthcare provider trying to determine whether the Red Flag Rules apply:

Is the healthcare provider a creditor?
  No: The Red Flag Rules do not apply.
  Yes: Does the healthcare provider maintain covered accounts?
    No: The Red Flag Rules do not apply.
    Yes: The healthcare provider must implement an identity theft prevention program that covers each covered account.

In discussing the application of the Red Flag Rules to healthcare providers, some commentators have questioned whether covered accounts include not only patient financial records, but also separately maintained patient medical records. Note that to reach this question on the decision tree, the provider already must have concluded that it is a creditor. Assuming that, we can then turn to the proposed question. Patient medical records would seem to meet the definition of accounts because they are used for a continuing relationship and to obtain a service (medical care) for personal purposes. To determine whether these accounts (medical records) are also covered accounts, we must look at both prongs of the definition. Although it is not free from doubt, patient medical records do not appear to fit within the first prong because they are not necessarily designed to permit multiple payments or transactions. The second prong of the definition, however, is more troublesome. If there is a reasonably foreseeable risk of identity theft to patients that could result from the provider's maintenance of medical records, then those records should be treated as covered accounts and be included within the scope of the provider's identity theft prevention program.

Moreover, it may not be in healthcare providers' best interests to interpret these definitions too narrowly. Regardless of whether the Red Flag Rules technically apply to patient medical records, assuming such records are maintained electronically, it is clear that the HIPAA Privacy and Security Rules do apply to them. Those rules require providers to take reasonable steps to protect the confidentiality and integrity of medical records they maintain. Accordingly, it only makes sense for providers to treat their patient medical records as covered accounts to be included in the identity theft prevention program they implement to comply with the Red Flag Rules.

Editor's Corner

Patricia A. Markus, Esquire
Smith Moore Leatherwood LLP
Raleigh, NC

In this first HIT News issue of the year, we have a multifaceted lineup of articles. First, we continue a feature started last year in which we spotlight one of the affinity groups of the Health and Information Technology Practice Group. This edition features the Telemedicine and E-Health Affinity Group, providing a brief description of that group's activities, a list of members, and two articles related to telemedicine and e-health.

Our lead article, "The Push for E-Prescribing: Better for Providers, Or Just a Wolf in Sheep's Clothing?", by Tara Kepler, takes an in-depth look at the proposed e-prescribing regulations published in June and discusses the significant liability risks that will accompany e-prescribing if the rules are finalized in their current form.

This issue also features an update on telemedicine by Amy Leopard, co-leader of the Telemedicine and E-Health Affinity Group. "Medicare Telemedicine Coverage is (Slowly) Growing" notes the current telemedicine services that are covered and sites from which telemedicine services currently may be provided, and explores the reasons for the slow growth in this type of service.

As the concerns about the prevalence of medical identity theft continue to grow, Kevin Lyles' article on the FTC's FACTA Red Flag Rules proves both informative and timely. "Red Flag Rules Add to Healthcare Providers' Data Security Obligations" provides a comprehensive overview of the rules and to whom they apply; it further describes how to design, implement, and update an identity theft prevention program.

Our final article derived its inspiration from recent news items (and a Grey's Anatomy episode). "Cell Phone Camera Use in Healthcare Facilities: Shutter It", by Erin Zuiker and Patricia Markus, explores the new reason why some hospitals are again banning the use of cell phones on their premises: patient privacy concerns and the ubiquitousness of cell phone cameras.

As I coordinate publications for the HIT Practice Group this year, I want to address key issues on a timely basis, but I am well aware that many important issues arise each month about which I am uninformed. Please contact me at trish.markus@smithmoorelaw.com if you have ideas for, or wish to participate in writing an article for HIT News or a Member Briefing. I look forward to working with you.

Designing a Program

Healthcare organizations subject to the Red Flag Rules must implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.[8] The Rules do not specify the contents of the program that must be adopted. An appendix to the Rules contains guidelines to assist companies in creating and maintaining their programs. The Rules require that the guidelines be considered, but companies are free to tailor their programs as they see fit. The Rules give companies a great deal of flexibility, requiring merely that a company design and implement a program that is appropriate to the size and complexity of the company and the nature and scope of its activities.
The Red Flag Rules do require identity theft prevention programs to include reasonable policies and procedures to identify relevant red flags and incorporate them into the program, to detect those red flags, to respond appropriately when red flags are detected, and to ensure that the program is updated periodically. Each of these elements is discussed below. Identify Relevant Red Flags The first element in creating an identity theft prevention program, as required by the Red Flag Rules, is to determine which red flags are relevant to the company and to incorporate those red flags into its program. 9 Red flags are patterns, practices, or specific activities that indicate the possible existence of identity theft in connection with a covered account. Therefore, healthcare providers need to identify red flags for identity theft, including medical identity theft. A supplement to the Rules sets forth twenty-six examples of potential red flags. While not all twenty-six must be incorporated into a given prevention program, providers should seriously consider each example and have legitimate reasons for withholding any from the written program. A company should also take into account its previous experience with identity theft in determining the appropriate red flags for its program. Detect Red Flags The identity theft prevention program should include procedures to detect the identified red flags. For example, healthcare providers should verify the identity of persons opening new patient accounts and should authenticate patients when they arrive to receive medical services. Similarly, they should verify the validity of change-of-address requests. Respond Properly to Red Flags The program s policies and procedures should provide for appropriate responses to any detected red flags. 
The responses should be commensurate with the degree of risk posed, which for healthcare providers may include monitoring patient accounts for evidence of identity theft, contacting the patient, changing passwords that permit access to patient accounts, or notifying law enforcement. If a provider determines that identity theft has occurred, it should notify the affected patient and take steps to ensure that the medical record is corrected. If the provider already has billed the patient for services provided to an imposter, it should promptly recall the bill and refund any monies it improperly collected. Ensure that the Program Is Updated Periodically Each healthcare company periodically should update its program to reflect changes in identity theft risks for patients or providers. The healthcare company must remain up to date with changes in identify theft methods specifically medical identity theft and, as necessary, it must incorporate new methods of combating identity theft. Finally, healthcare providers should periodically conduct risk assessments of their businesses to determine if they maintain covered accounts that should be included in their program. Methods for Administering the Program The Red Flag Rules also contain requirements for administering the identity theft prevention program. Approval of the initial program must be obtained from the company s board of directors or an appropriate committee thereof. 10 The board, a board committee, or a designated employee at the level of senior management must be involved in the oversight, development, implementation, and administration of the program. 11 Healthcare workers and other staff must be trained to effectively implement the program. 12 Such training is key, as many incidents of medical identity theft are traced to people working in hospitals, such as billing or housekeeping staff, or clerical workers who have access to confidential patient information. 
Finally, if the company has any arrangements with service providers, it must exercise oversight of the service provider arrangements. 13 This can be done, for example, by requiring service providers to have their own Red Flag programs or by having them follow the company's program.

Consequences of Non-Compliance

Failure to comply with the Red Flag Rules can result in various penalties. Consequences may include a civil money penalty for each violation, a regulatory enforcement action, and negative publicity. 14

Although, as with HIPAA, the Rules do not allow for any private legal action in the event of a violation, 15 there is the potential for private plaintiff lawsuits under other laws because a violation of federal rules may itself be a violation of state laws. These state laws may permit actions by consumers or state attorneys general. Also, the Department of Health & Human Services (HHS) may take the position that compliance with the Red Flag Rules is required for a healthcare provider to meet its obligations under the HIPAA Security Rules to "[e]nsure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits" and to "[p]rotect against any reasonably anticipated threats or hazards to the security or integrity of such information." 16 In any event, it is likely that, over time, the Red Flag Rules will become a de facto standard of care applied to determine whether a healthcare provider has negligently allowed a patient's identity to be stolen.

Conclusion

The Red Flag Rules will require most hospitals and other healthcare providers that extend credit to their patients to adopt and implement programs designed to detect, prevent, and mitigate identity theft in connection with their patient accounts. Implementing such programs should assist in establishing patient confidence in the security of their confidential information, and it will also help healthcare providers meet their obligations under the HIPAA Security Rules. Given HHS' recent emphasis on enforcing the HIPAA Security Rules through security audits and enforcement actions, the Red Flag Rules may end up being a blessing in disguise for healthcare providers by giving them another reason to implement stronger protections for the privacy and security of healthcare records.

* Kevin Lyles is a partner in the Columbus, OH, office of Jones Day. He was assisted in the preparation of this article by Corey E.
Dickey, a Summer Associate in Jones Day's Columbus office U.S.C. 1681m(e)(1)(A) & (2)(A). The six agencies responsible for issuing the joint guidelines are the: (1) Office of the Comptroller of the Currency, Treasury; (2) Board of Governors of the Federal Reserve System; (3) Federal Deposit Insurance Corporation; (4) Office of Thrift Supervision, Treasury; (5) National Credit Union Administration; and (6) Federal Trade Commission.
2 Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transaction Act of 2003; Final Rule, 72 Fed. Reg (to be codified at 12 C.F.R. pts. 41, 222, 333, 364, 571, and 717 and 16 C.F.R. pt. 681). Note that each of the six agencies will codify the regulations at different parts. For simplicity, all future, general references to the regulations will be cited to the Federal Trade Commission's codification at 16 C.F.R. pt. 681 because the FTC is the agency with jurisdiction over most healthcare entities.
3 Id U.S.C. 1691a(e) Fed. Reg , (to be codified at 16 C.F.R (b)(1)).
6 Id. (to be codified at 16 C.F.R (b)(3)(i) and (ii)).
7 Judith Graham, Medical Identity Theft Spreads, Aug. 22, Fed. Reg , (to be codified at 16 C.F.R (d)(2)(i)).
9 Id. (to be codified at 16 C.F.R (c)(1) through (3)).
10 Id. (to be codified at 16 C.F.R (e)(1)).
11 Id. (to be codified at 16 C.F.R (e)(2)).
12 Id. (to be codified at 16 C.F.R (e)(3)).
13 Id. (to be codified at 16 C.F.R (e)(4)).
14 Press Release, Reuters, Compliance Coach Identifies 23 New Identity Theft Red Flags Based on Recent Cases (May 5, 2008), available at article/pressrelease/idus may-2008+bw Plaintiffs have attempted to bring private actions under the Fair Credit Reporting Act (15 U.S.C. 1681m) because of an apparent drafting error in 1681m(h)(8). Courts have interpreted the drafting error differently.
Most recently, the Seventh Circuit refused to permit such actions, ruling that the newly added 1681m(h)(8) was designed to preclude private enforcement of the entirety of 1681m, not just 1681m(h). Perry v. First Nat'l Bank, 459 F.3d 816 (7th Cir. 2006). But see Barnette v. Brook Road, Inc., 429 F.Supp.2d 741 (E.D. Va. 2006) Fed. Reg. 8334, 8376 (codified at 45 C.F.R (a)(1) and (2)).

Telemedicine and E-Health Affinity Group Spotlight

Medicare Telemedicine Coverage Is (Slowly) Growing

Amy S. Leopard, Esquire
Walter & Haverfield LLP
Cleveland, OH

Two-thirds of respondents to a recent Health Information Management Systems Society (HIMSS) survey of healthcare information technology (IT) professionals believe that it will take four or more years for telemedicine to reach widespread adoption, and nearly half of respondents considered the lack of reimbursement as the greatest barrier to such adoption. 1 Recently, however, Medicare coverage for telehealth services received a slight shot in the arm. In July 2008, Congress expanded its coverage of the facilities at which Medicare beneficiaries may be located when presenting to their healthcare provider for care furnished using a telemedicine technology. The Centers for Medicare & Medicaid Services (CMS) also has adopted new coverage and Healthcare Common Procedure Coding System (HCPCS) codes for telehealth services in the Final 2009 Medicare Physician Fee Schedule Rule (2009 PFS Rule). 2 Nonetheless, despite telemedicine's potential to improve patients' access to care, CMS continues to be cautious about extending coverage under the Medicare telehealth benefit.

Expansion of Originating Sites

Under the current telehealth benefit, Medicare beneficiaries must be present at an originating site located in a rural area. 3 Originating sites currently include hospitals, rural health clinics, physician offices, critical access hospitals, and federally qualified health centers. 4 Although the Medicare Modernization Act of 2003 authorized CMS to cover telehealth services furnished to skilled nursing facility (SNF) residents if CMS concluded that doing so was advisable, 5 CMS never acted upon that authority. Congress enhanced Medicare telemedicine coverage in the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) by expanding the list of facilities eligible to be considered as originating sites.
6 MIPPA added SNFs, hospital-based renal dialysis centers, and community mental health centers as facilities eligible to bill for the originating site facility fee. CMS included these sites in the 2009 PFS Rule and set the facility fee at $

Telehealth Services

Physicians and other practitioners at remote sites will continue to be limited in the types of telehealth services that are eligible for payment, as CMS has been conservative in adopting new telehealth services. CMS will cover only those remote telehealth services not included in the originating site bundled payment. 7 Despite the addition of SNFs as originating sites, CMS did not include the nursing facility care codes in the list of approved telehealth services for CMS says it intends to address those services in the 2010 proposed rule.

Effective January 1, 2009, CMS covers follow-up inpatient telehealth consultations furnished under the telehealth benefit. CMS adopted a new series of HCPCS codes for follow-up consults to complete an initial inpatient consult or subsequent consultative visit. 9 The new codes bundle all consultation-related services furnished before, during, and after the telehealth encounter into limited, intermediate, and complex levels of care. Medicare will pay the remote physician or practitioner the fee schedule amount that would have been paid if the services had been furnished to the beneficiary in a traditional face-to-face encounter.

On the other hand, CMS declined provider requests to add diabetes self-management training and critical care services to the list of covered telehealth encounters. 10 CMS viewed these services as not being similar to any current covered services and, therefore, required an evidence-based assessment. CMS was not convinced that sufficient comparative analysis supported its requirement that the proposed telehealth service be an adequate substitute for a face-to-face encounter.
CMS did not consider remote diabetes self-management equivalent because it had not received a comparative analysis supporting the training of patients in the self-administration of injectable drugs performed via telehealth. CMS did not consider critical care services equivalent due to its view that current standards of critical care practice require physician presence, and because studies for a broad range of disease categories were absent. Consequently, CMS indicated that it lacked data that telehealth would be a reasonable substitute for the in-person encounter. CMS also declined to recognize the new Current Procedural Terminology (CPT) Evaluation & Management (E&M) codes for physician services furnished via as covered

services because the services are not furnished in-person or as a Medicare telehealth service. 11

Looking Forward

Medicare coverage for telehealth continues to be a limited benefit, with significant restrictions on the location of the beneficiary, types of services covered, and the technology utilized. CMS believes that it does not have the statutory authority to expand telehealth coverage to many of the services that providers have requested, unless it finds that the expanded service is a surrogate for a traditional service. CMS accepts requests for new telehealth services on an ongoing basis, but requests must be submitted by December 31 in a given year to be considered for coverage commencing a year thereafter on January 1. Providers interested in obtaining coverage in 2011 have time to prepare a description of similarities between the proposed service and currently approved telehealth services, and to compile compelling evidence that the encounter is a good surrogate for traditional face-to-face services, including its effectiveness. Without such compelling evidence, CMS generally declines to add new services to the Medicare telehealth benefit, which currently stands at a meager $2 million annually. 12 The developments described above highlight the importance of, and the simultaneous difficulties in, obtaining timely compensation for providers who adopt technological innovations.

1 See HIMSS Vantage Point, vol. 6, issue 3 (survey taken Aug. 2008).
2 See Medicare Physician Fee Schedule Final Rule, 73 Fed. Reg (Nov. 19, 2008), available at
3 Under CMS rule, the originating site must be located in a county outside an MSA, in a rural health professional shortage area (HPSA), or provided by a qualifying telemedicine demonstration participant. 42 C.F.R (b)(4) C.F.R (b)(3).
5 Section 418 of the Medicare Prescription Drug Improvement and Modernization Act of 2003, Pub. L. No (Dec. 8, 2003).
6 Section 149 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), Pub. L. No (July 15, 2008). The Medicare telehealth benefit can be found at 42 U.S.C. 1395m(m) (statutory benefit); see also 42 C.F.R (conditions of payment); 42 C.F.R (reimbursement) Fed. Reg. at Id. at Medicare currently pays for the following as telehealth services: office or other outpatient visits, consults, individual psychotherapy, psychiatric diagnostic interview exam, medication management, end-stage renal disease services in the monthly capitation payment (except for one visit per month to examine the access site), and individual medical nutrition therapy. 42 C.F.R See 73 Fed. Reg , (July 7, 2008), available at access.gpo.gov/2008/pdf/e pdf.
11 The telehealth payment conditions currently exclude C.F.R (a)(3) Fed. Reg. at

Telemedicine and E-Health Affinity Group

This Affinity Group addresses the many issues related to telemedicine, including technology, regulatory compliance, professional licensing, coverage and billing, and how those issues relate to telemedicine and telehealth. The Telemedicine and E-Health Affinity Group will also address e-health issues (excluding electronic health records). For example, Telemedicine and E-Health Affinity Group will address e-prescribing, computer physician order entry, remote patient monitoring, and related developments. The group will coordinate with the Electronic Health Records Affinity Group when those interests and issues converge.

Co-Leaders:
Maryam Khotani, Sutter Health, San Francisco, CA (415)
Amy S. Leopard, Walter & Haverfield LLP, Cleveland, OH (216)

If you are interested in joining, please and indicate that you would like to enroll in this Affinity Group:

Current Members: Betty S. Adler; Mark D. Aurand; Alice J. Becker; Elisabeth Belmont; Stephen W. Bernstein; Deborah Lynn Biggs; Michael L. Blau; Rodney L. Buck; Patricia I. Carter; Barry B. Cepelewicz; Ellen V. Chiniara; Kathryn R. Coburn; Michelle Wilcox DeBarge; Gerald E. DeLoss; Rafael Santos Del Valle; Heidi Y. Echols; Linn Foster Freedman; Lisa M. Frenkel; Sherry C. Furr; Mark T. Garsombke; Mark C. Gary; Nancy P. Gillette; Daniel F. Goldman; Phyllis F. Granade; Sandra P. Greenblatt; Shannon B. Hartsfield; Barry S. Herrin; William Reece Hirsch; Maryam Khotani; Robert H. Klein, Jr.; Marilyn Lamar; Amy S. Leopard; D. K. Lewis; Keisha A. Lightbourne Barros; Elizabeth S. Lincoln; Morris D. Linton; Mary J. Lopez; Kevin D. Lyles; Tracy J. Mabry; Peter Mancino; Susan A. Miller; Arturo Muela; Austin M. O'Flynn; Daniel H. Orenstein; Helen Oscislawski, Esquire; Charles Warren Ott; Nestor J. Rivera; Linda S. Ross; Jeffrey M. Sconyers; Edward F. Shay; Jeffrey W. Short; Howard L. Sollins; Sharon L. Tasman; Mark Tatelbaum; Nancy M. Weinman; Colin J. Zick

Cell Phone Camera Use in Healthcare Facilities: Shutter It

Patricia A. Markus, Esquire
Erin S. Zuiker, Esquire
Smith Moore Leatherwood LLP
Raleigh, NC

For many years, cell phone usage was prohibited in hospitals because it was believed that such usage presented radio wave or electromagnetic danger to certain patient equipment. Findings published in the March 2007 Mayo Clinic Proceedings refuted this long-held assumption and confirmed that cell phones used in a normal way do not interfere with patient equipment. 1 Accordingly, the researchers advised hospitals to abandon the ban on cell phone use. 2

Today, the renewed concern about cell phone use in hospitals is related not to interference with patient equipment but to protecting patients' privacy. Hospitals, nursing homes, assisted living or adult care homes, and other healthcare facilities have a duty under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect confidential patient information. HIPAA defines protected health information (PHI) as individually identifiable health information (IIHI) that is (1) transmitted by electronic media; (2) maintained in any medium described in the definition of electronic media; or (3) transmitted or maintained in any other form or medium. 3 IIHI is defined as health information collected from an individual that is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse that pertains to the physical or mental health condition of an individual; the payment for, or provision of healthcare to that individual; and that identifies the individual or reasonably may be used to identify the individual. 4 Given these definitions, healthcare facilities generally have recognized that photographs that identify or allow for the identification of patients constitute PHI and, accordingly, have prohibited staff from taking photographs of a patient without the patient's consent.
With the ever-increasing popularity of cell phone cameras and online social networking websites, the potential for inappropriate use of such cameras in healthcare settings is tremendous. Over the past several years, numerous incidents in hospitals have led to employee suspensions or firings over the inappropriate and unauthorized dissemination of patient photographs. One of the most troubling occurred at Rady Children's Hospital in San Diego, CA, where a respiratory therapist was sentenced to forty-five years in prison after authorities discovered he had been molesting many of the severely disabled children under his care. 5 He also was involved in Internet pornography and used his cell phone to photograph the children, and he may have posted the pictures to the Internet. 6 Another incident involved a chief resident of general surgery at Mayo Clinic's Phoenix Hospital, who used his cell phone to take an inappropriate photograph of a patient under anesthesia and then showed the picture to his colleagues. 7 Shortly following the incident, the resident either resigned or was asked to leave the hospital. 8 And earlier this year, two employees at the University of New Mexico Hospital used their cell phone cameras to take close-up photos of emergency room patients' injuries and then posted the pictures to their MySpace webpages. 9 These employees were fired because their actions violated the hospital's policy against the use of cell phone cameras in patient areas. 10

Incidents of inappropriate cell phone camera use are not limited to physicians and healthcare facility employees, however. At the University of California at Los Angeles Resnick Neuropsychiatric Hospital (Resnick), a patient violated the privacy of other patients after photographs taken during a group therapy session were posted to a social networking website.
11 The patient who took and posted the photos claimed that the other patients' consent was obtained, but hospital administrators rejected that claim, expressing their concern that given the nature of the group session, the individual patients involved may not have been fully competent to give their consent. 12

Hospitals, nursing homes, and other healthcare facilities are certainly not alone in navigating the privacy issues arising from ongoing technological advancements. However, given the strict regulatory environment in which they operate and the increasing industry concern for patient privacy, healthcare facilities must be proactive in addressing cell phone camera use.


More information

Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements

Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements Identity Theft Prevention Program Derived from the FTC Red Flags Rule requirements 1.0 Introduction In 2003, Congress enacted the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. Section 1681,

More information

POLICY & PROCEDURES EMERGENCY ASSISTANCE FROM NON-MUNICIPAL AMBULANCE SERVICES PURPOSE

POLICY & PROCEDURES EMERGENCY ASSISTANCE FROM NON-MUNICIPAL AMBULANCE SERVICES PURPOSE POLICY & PROCEDURES EMERGENCY ASSISTANCE FROM NON-MUNICIPAL AMBULANCE SERVICES PURPOSE This document describes the required capabilities for providers of Non-municipal Ambulance Services, the process for

More information

Office of Chief Counsel

Office of Chief Counsel Department of the Treasury Internal Revenue Service Office of Chief Counsel CC-2004-034 September 10, 2004 Subject: Effect of the Health Insurance Portability and Accountability Act of 1996 Privacy Regulations,

More information

GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 H 2 HOUSE BILL 629 Committee Substitute Favorable 5/18/05

GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 H 2 HOUSE BILL 629 Committee Substitute Favorable 5/18/05 GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 0 H HOUSE BILL Committee Substitute Favorable //0 Short Title: Option to Freeze Credit Report. Sponsors: Referred to: March, 0 (Public) A BILL TO BE ENTITLED

More information

IDENTITY THEFT DETECTION POLICY

IDENTITY THEFT DETECTION POLICY IDENTITY THEFT DETECTION POLICY Approved By: President s Cabinet Date of Last Revision: May 5, 2009 Responsible Office/Department: Business and Finance Policy Statement Grand Valley State University (GVSU)

More information

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE

PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE PARTICIPATION AGREEMENT For ELECTRONIC HEALTH RECORD TECHNICAL ASSISTANCE THIS AGREEMENT, effective, 2011, is between ( Provider Organization ), on behalf of itself and its participating providers ( Providers

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS

HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS HIPAA POLICIES & PROCEDURES AND ADMINISTRATIVE FORMS TABLE OF CONTENTS 1. HIPAA Privacy Policies & Procedures Overview (Policy & Procedure) 2. HIPAA Privacy Officer (Policy & Procedure) 3. Notice of Privacy

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF FLORIDA WEST PALM BEACH DIVISION COMPLAINT FOR DECLARATORY JUDGMENT I.

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF FLORIDA WEST PALM BEACH DIVISION COMPLAINT FOR DECLARATORY JUDGMENT I. UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF FLORIDA WEST PALM BEACH DIVISION JANICE LEE, ) ) Case No. Plaintiff, ) ) vs. ) ) BETHESDA HOSPITAL, INC. ) ) Defendant. ) ) COMPLAINT FOR DECLARATORY JUDGMENT

More information

LIEN ON ME. A Guide to Complying with Medicare s Secondary Payor Act and Pennsylvania s Act 44. April, 2009

LIEN ON ME. A Guide to Complying with Medicare s Secondary Payor Act and Pennsylvania s Act 44. April, 2009 LIEN ON ME A Guide to Complying with Medicare s Secondary Payor Act and Pennsylvania s Act 44 April, 2009 HARRISBURG OFFICE P.O. Box 932 Harrisburg, PA 17106-0932 717-975-8114 PITTSBURGH OFFICE 525 William

More information

Executive Memorandum No. 27

Executive Memorandum No. 27 OFFICE OF THE PRESIDENT HIPAA Compliance Policy (effective April 14, 2003) Purpose It is the purpose of this Executive Memorandum to set forth the Board of Regents and the University Administration s Policy

More information

California Department of Corrections and Rehabilitation (CDCR) BUSINESS ASSOCIATES AGREEMENT (HIPAA)

California Department of Corrections and Rehabilitation (CDCR) BUSINESS ASSOCIATES AGREEMENT (HIPAA) California Department of Corrections and Rehabilitation (CDCR) BUSINESS ASSOCIATES AGREEMENT (HIPAA) IN PRISON SUBSTANCE USE DISORDER TREATMENT PROGRAM WHEREAS, Provider, hereinafter referred to in this

More information

General HIPAA Implementation FAQ

General HIPAA Implementation FAQ General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

DALLAS ALLERGY & ASTHMA CENTER

DALLAS ALLERGY & ASTHMA CENTER DALLAS ALLERGY & ASTHMA CENTER Gary N. Gross, MD Michael E. Ruff, MD 5499 Glen Lakes Dr., Suite 100 Dallas, TX 75231 Dania A. Wierzbicki, MD Phone: (214) 691-1330 Jane Zepeda, PA-C FAX: (214) 691-6405

More information

GONZABA MEDICAL GROUP PATIENT REGISTRATION FORM

GONZABA MEDICAL GROUP PATIENT REGISTRATION FORM GONZABA MEDICAL GROUP PATIENT REGISTRATION FORM DATE: CHART#: GUARANTOR INFORMATION LAST NAME: FIRST NAME: MI: ADDRESS: HOME PHONE: ADDRESS: CITY/STATE: ZIP CODE: **************************************************************************************

More information

Department of Justice Drug Enforcement Administration Attention: DEA Federal Register Representative/ODL 8701 Morrissette Drive Springfield, VA 22152

Department of Justice Drug Enforcement Administration Attention: DEA Federal Register Representative/ODL 8701 Morrissette Drive Springfield, VA 22152 May 28, 2010 Department of Justice Drug Enforcement Administration Attention: DEA Federal Register Representative/ODL 8701 Morrissette Drive Springfield, VA 22152 Docket No. DEA-218 21 CFR Parts 1300,

More information

SDC-League Health Fund

SDC-League Health Fund SDC-League Health Fund 1501 Broadway, 17 th Floor New York, NY 10036 Tel: 212-869-8129 Fax: 212-302-6195 E-mail: health@sdcweb.org NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION

More information

Questions and Answers About the Identity Theft Red Flag Requirements

Questions and Answers About the Identity Theft Red Flag Requirements Questions and Answers About the Identity Theft Red Flag Requirements 1. Who is covered by the new Identity Theft Regulations? The Identity Theft Regulations consist of three different sets of requirements,

More information

The City of West Linn Identity Theft Prevention Program

The City of West Linn Identity Theft Prevention Program Identity Theft Prevention Program Implemented January 1, 2009 Updated: July 20, 2009 Updated: December 18, 2009 I. PROGRAM ADOPTION The City of West Linn ("Utility") developed this Identity Theft Prevention

More information

Minimum Performance and Service Criteria for Medicare Part D

Minimum Performance and Service Criteria for Medicare Part D Minimum Performance and Service Criteria for Medicare Part D 1. Terms and Conditions. In addition to the other terms and conditions of the Pharmacy Participation Agreement ( Agreement ), the following

More information

SECTION 18 1 FRAUD, WASTE AND ABUSE

SECTION 18 1 FRAUD, WASTE AND ABUSE SECTION 18 1 FRAUD, WASTE AND ABUSE Annual FW&A Training Required for Providers and Office Staff 1 Examples of Fraud, Waste and Abuse 2 Fraud, Waste and Abuse Program Policy 3 Suspected Non-Compliance

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

PRIVACY PRACTICES OUR PRIVACY OBLIGATIONS

PRIVACY PRACTICES OUR PRIVACY OBLIGATIONS PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. General Information To comply

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

Risk Management Examiners

Risk Management Examiners Risk Management Examiners Introduction to Red Flags Examination Procedures Section 615(e) requires the federal banking agencies and the NCUA (the Agencies) as well as the FTC to prescribe regulations and

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information

More information

Implications of HIPAA Requirements on Healthcare Payment Processing

Implications of HIPAA Requirements on Healthcare Payment Processing Implications of HIPAA Requirements on Healthcare Payment Processing Linda M Wolverton Vice President, Compliance, TEAMHealth Lynne Pearson Vice President, National Healthcare Treasury Management Fifth

More information

IDENTITY THEFT RED FLAGS, ADDRESS DISCREPANCIES, AND CHANGE OF ADDRESS REGULATIONS Examination Procedures

IDENTITY THEFT RED FLAGS, ADDRESS DISCREPANCIES, AND CHANGE OF ADDRESS REGULATIONS Examination Procedures Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Financial Institution Letter FIL-105-2008 October 16, 2008 IDENTITY THEFT RED FLAGS, ADDRESS DISCREPANCIES, AND CHANGE

More information

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do? HIPAA Privacy FAQ s 1. What is the HIPAA privacy regulation? Until Congress passed HIPAA in 1996, personal health information (PHI) was protected by a patchwork of federal and state laws. Patients health

More information

An order of the Medical Examining Board to create chapter Med 24 relating to telemedicine.

An order of the Medical Examining Board to create chapter Med 24 relating to telemedicine. STATE OF WISCONSIN MEDICAL EXAMINING BOARD IN THE MATTER OF RULEMAKING : PROPOSED ORDER OF THE PROCEEDINGS BEFORE THE : MEDICAL EXAMINING BOARD MEDICAL EXAMINING : ADOPTING RULES BOARD : (CLEARINGHOUSE

More information

GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Part 160 and Subparts A and E of Part 164]

GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Part 160 and Subparts A and E of Part 164] GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Part 160 and Subparts A and E of Part 164] OCR HIPAA Privacy The following overview provides answers to

More information

Jerry M. Ruhl Ph.D. Clinical Psychologist (Texas #34359) 5200 Montrose Blvd. Houston, TX 77006

Jerry M. Ruhl Ph.D. Clinical Psychologist (Texas #34359) 5200 Montrose Blvd. Houston, TX 77006 Jerry M. Ruhl Ph.D. Clinical Psychologist (Texas #34359) 5200 Montrose Blvd. Houston, TX 77006 CELL (937) 684-7746 PLEASE USE THIS NUMBER TO SCHEDULE OR CHANGE APPOINTMENTS INFORMED CONSENT FOR TREATMENT

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009

Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009 Wheaton College Audit Committee Red Flag Identity Theft Prevention Program Meeting of February 20, 2009 Late last year, the Federal Trade Commission (FTC) and Federal banking agencies issued a regulation

More information

May 9, 2014. Hon. Mike Thompson 231 Cannon House Office Building Washington, D.C. 20515. RE: Telehealth Promotion Act of 2014. Dear Rep.

May 9, 2014. Hon. Mike Thompson 231 Cannon House Office Building Washington, D.C. 20515. RE: Telehealth Promotion Act of 2014. Dear Rep. Hon. Mike Thompson 231 Cannon House Office Building Washington, D.C. 20515 RE: Telehealth Promotion Act of 2014 Dear Rep. Thompson: On behalf of the 110,600 physician and student members of the American

More information

Identity theft continues to make headlines as evidenced by the

Identity theft continues to make headlines as evidenced by the Investment Advisers Must Ramp Up Identity Theft Prevention Efforts By Bibb L. Strench Bibb L. Strench is Counsel at Seward & Kissel s Washington, D.C. office. He provides advice to registered investment

More information

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009

Pacific University. Policy Governing. Identity Theft Prevention Program. Red Flag Guidelines. Approved June 10, 2009 Pacific University Policy Governing Identity Theft Prevention Program Red Flag Guidelines Approved June 10, 2009 Program adoption Pacific University developed this identity Theft Prevention Program ( Program

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

Adopting Electronic Medical Records: What Do the New Federal Incentives Mean to Your Individual Physician Practice?

Adopting Electronic Medical Records: What Do the New Federal Incentives Mean to Your Individual Physician Practice? Adopting Electronic Medical Records: What Do the New Federal Incentives Mean to Your Individual Physician Practice? U John M. Neclerio, Esq.,* Kathleen Cheney, Esq., C. Mitchell Goldman, Esq., and Lisa

More information

Fraud, Waste & Abuse. Training Course for UHCG Employees

Fraud, Waste & Abuse. Training Course for UHCG Employees Fraud, Waste & Abuse Training Course for UHCG Employees Overview The Centers for Medicare & Medicaid Services (CMS) require Medicare Advantage Organizations and Part D Plan Sponsors to provide annual fraud,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred

More information

STARK AND ANTI-KICKBACK PROTECTION FOR E-PRESCRIBING AND ELECTRONIC HEALTH RECORDS

STARK AND ANTI-KICKBACK PROTECTION FOR E-PRESCRIBING AND ELECTRONIC HEALTH RECORDS STARK AND ANTI-KICKBACK PROTECTION FOR E-PRESCRIBING AND ELECTRONIC HEALTH RECORDS Andrew B. Wachler, Esq. Adrienne Dresevic, Esq. Wachler & Associates, P.C. Royal Oak, Michigan On October 11, 2005, in

More information

SD MEDICAID PROVIDER AGREEMENT

SD MEDICAID PROVIDER AGREEMENT SD MEDICAID PROVIDER AGREEMENT The SD Medicaid Provider Agreement, hereinafter called Agreement, is executed by an eligible provider who desires to be a participating provider in the South Dakota Medicaid

More information

Privacy Legislation and Industry Security Standards

Privacy Legislation and Industry Security Standards Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,

More information

Identity Theft Red Flags Rule

Identity Theft Red Flags Rule Identity Theft Red Flags Rule Frequently asked questions Overview The federal banking agencies, the National Credit Union Administration (NCUA) and the Federal Trade Commission (FTC) recently have issued

More information

"Electronic Prescribing of Controlled Substances: Addressing Health Care and Law Enforcement Priorities" Before the Senate Judiciary Committee

Electronic Prescribing of Controlled Substances: Addressing Health Care and Law Enforcement Priorities Before the Senate Judiciary Committee DEA Congressional Testimony December 4, 2007 Statement of Joseph T. Rannazzisi Deputy Assistant Administrator Office of Diversion Control Drug Enforcement Administration "Electronic Prescribing of Controlled

More information

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement Connecticut Pipe Trades Health Fund Privacy Notice 2013 Restatement Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

North Carolina General Statutes Chapter 75 Monopolies, Trusts, and Consumer Protection Article 2A Identity Theft Protection Act

North Carolina General Statutes Chapter 75 Monopolies, Trusts, and Consumer Protection Article 2A Identity Theft Protection Act North Carolina General Statutes Chapter 75 Monopolies, Trusts, and Consumer Protection Article 2A Identity Theft Protection Act 75-60. Title. This Article shall be known and may be cited as the "Identity

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information