Featured Articles

Monday, March 1

Since You Asked

ANSWER: It has been estimated that as many as nine million Americans have their identities stolen each year.

Some 5% of identity theft victims have experienced some form of medical identity theft—when a person seeking health care uses someone else’s name or insurance information. The result for the theft victims may be exhaustion of benefits and potentially life-threatening consequences due to inaccuracies in their medical records. Health care providers can be faced with unpaid bills racked up by scam artists at a staggering cost. In November 2007, the Federal Trade Commission (FTC) issued a set of regulations, known as the Red Flags Rule, requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. After several delays in enforcing the Red Flags Rule, it now appears that it will take effect on June 1, 2010.

To complicate matters further, in February 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA), the Health Information Technology for Economic and Clinical Health Act (HITECH) was also enacted. HITECH mandates a rule on Breach Notification for Unsecured Protected Health Information, and in August 2009 the Department of Health and Human Services (HHS) issued an Interim Final Rule setting out when a breach of “unsecured” protected health information has occurred and how, when, and to whom such a breach must be reported.


WHO MUST COMPLY WITH THE RED FLAGS RULE

Every health care organization and practice meeting the Red Flags Rule’s definitions of “creditor” and “covered account” must comply with the Rule. A provider who regularly bills patients or clients after the completion of services, including for the remainder of fees not reimbursed by insurance, is a creditor under the Rule. Health care providers who regularly allow patients to set up payment plans after services have been rendered, or who routinely help patients obtain credit from other sources, are also creditors. Providers who require payment before or at the time of service (which may be by credit card), and those accepting only direct payment from Medicaid or similar programs where no copayment is required from patients, are not creditors. A covered account is one that permits multiple payments or transactions, or any other account that bears a reasonably foreseeable risk of identity theft. A creditor with covered accounts is required to develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.

One of a series of articles on legal issues in social work practice.


While there is no standard checklist of red flags signaling identity theft, the Rule identifies categories of signals, including:

Suspicious documents. Identification documents that look altered or forged; an ID photograph or physical description inconsistent with the patient’s actual appearance; other documentation inconsistent with what the patient has otherwise stated (e.g., an inconsistent birth date; a chronic medical condition not otherwise mentioned).

Suspicious personally identifying information. Information inconsistent with that learned from other sources (e.g., a home address, birth date, or Social Security number different from that provided by other sources).

Suspicious activities. Mail returned repeatedly as undeliverable even though the patient still shows up for appointments; patient complaints about receiving a bill for a service not received; inconsistency between a physical examination or medical history and the treatment records.

Notices from victims of identity theft, law enforcement authorities, insurers, or other sources suggesting possible identity theft.

Health care providers covered by the Rule must institute a program that does the following things:

– Identifies the kinds of red flags that are relevant to the practice.

– Spells out the process for detecting them.

– Describes the method of response to red flags to prevent and mitigate identity theft.

– Spells out how the program will be kept current.


The Identity Theft Prevention Program must set out:

– Everyday procedures for detecting red flags.

– A plan to prevent and mitigate identity theft.

– Response procedures when identity theft red flags appear (e.g., if a photo ID appears forged or altered, request additional documentation; if notified that an identity thief has run up medical bills using another person’s information, follow procedures to ensure that the two sets of medical records are not commingled and that the debt is not charged to the victim).

– Legal and ethical obligations in light of the entity’s specific circumstances (e.g., laws and professional responsibilities regarding the provision of care).

– The policies and procedures for keeping the program current to address new risks and trends.

– Staff training and monitoring.

The program must be approved by the entity’s Board of Directors, if there is one. If there is not, it must be approved by a senior management-level employee. Either the board or that senior employee oversees the administration of the program, including approving any important changes and designating who is responsible for establishing and running it.

While there are no criminal penalties for failure to comply with the Rule, there may be financial penalties. An excellent source of additional information is the FTC publication Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, which is free and available online at www.ftc.gov/redflagsrule. Also available there is a fill-in-the-blank template for businesses and organizations at low risk for identity theft, with step-by-step instructions for creating a written Identity Theft Prevention Program.


HITECH BREACH NOTIFICATION

The Interim Final Rule became effective September 23, 2009, but HHS has stated that it will not impose sanctions for failure to provide notification of breaches discovered before February 22, 2010.


A breach is defined as the “acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted” by the HIPAA Privacy Rule “which compromises the security or privacy of the PHI.” A use or disclosure that is permitted by the Privacy Rule, or one that falls within the exceptions below, is not a breach under the HITECH Rule.

There are three exceptions to the breach definition:

– Unintentional acquisition, access, or use in good faith by a covered entity’s “workforce members” (persons acting under the authority of the covered entity or business associate), made within the scope of their authority, that does not result in further use or disclosure in violation of HIPAA.

– Inadvertent disclosure from one authorized person to another authorized person within the same covered entity, business associate, or organized health care system.

– Inadvertent good faith disclosure by a covered entity to an unauthorized person who would not reasonably be expected to retain the information (e.g., material erroneously sent to the wrong person and returned unopened; discharge orders handed to the wrong patient and immediately retrieved).

Harm Threshold: An unauthorized use or disclosure would not be considered a breach under HITECH unless it poses “a significant risk of financial, reputational, or other harm to the individual.”


RISK ASSESSMENT

Covered entities and business associates are required to conduct a fact-specific risk assessment in the event of an unauthorized use or disclosure. The risk assessment should document the following:

– The identity of the entity or individual that impermissibly used the information, or to whom the information was impermissibly disclosed (a disclosure to another HIPAA-covered entity, for example, carries less risk than one to an unknown party).

– The steps taken to mitigate the harm and how quickly they were taken. Harm may be mitigated, for example, if the covered entity took immediate steps to obtain assurances that the PHI will not be used or further disclosed, such as a confidentiality agreement or an agreement to destroy the material.

– Whether the information was returned before being accessed (e.g., a stolen laptop recovered before the PHI had been accessed; establishing that nothing was accessed requires a forensic examination of the device, not merely its return).

– The type and amount of information disclosed (i.e., does the disclosure meet the “harm threshold”?). Consider the type of facility or services received: mental health or STD-related information would be considered sensitive because of the risk of employment discrimination.


Harms to weigh in the assessment include blackmail, disclosure of private information, mental pain and emotional distress, exposure of an abuse victim’s address, and the potential for secondary uses of the information that could result in fear, uncertainty, humiliation, or loss of self-esteem. Data that readily enables such harms includes Social Security numbers, birth dates, passwords, and mothers’ maiden names.


LIMITED DATA SETS

HIPAA permits disclosure of limited data sets for health care operations, research, and public health activities, and only pursuant to a data use agreement. A limited data set is created by removing sixteen direct identifiers [45 CFR 164.514(e)(2)]. Under the Interim Final Rule, an impermissible disclosure of a limited data set from which birth dates and zip codes have also been removed is not treated as a breach requiring notification, whether or not a data use agreement is in place.

NOTIFICATION OBLIGATION

Breach notifications under HITECH apply only to unsecured PHI, that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified by HHS: encryption, or destruction of the media on which the PHI was stored. Encrypted material counts as secured only so long as the decryption key or process has not itself been compromised; an encrypted laptop lost together with its password, or a database whose key is stored alongside it, should be treated as unsecured.


To individuals: When a covered entity reasonably believes that PHI has been involved in a breach, each affected individual (or, for minors or incapacitated persons, the “personal representative,” such as a parent or guardian) must be personally notified by first class mail to his or her last known address, or electronically if the person has agreed to receive notices electronically. If necessary, more than one mailing can be used as information becomes available to the covered entity.

Notification must take place without unreasonable delay, and in no case more than sixty days after discovery, and must include:

– A brief description of what happened, including the dates of the breach and of its discovery, when known.

– Description of types of unsecured PHI involved.

– Steps individual should take to protect self from potential harm by reason of the breach.

– Brief description of covered entity’s efforts to investigate, mitigate harm, and protect against future breaches.

– Contact procedures by which individuals can ask questions or learn more, including a toll-free phone number, e-mail address, Web site, or postal address.

If the covered entity determines that misuse of the PHI is imminent, it may also notify the individual by phone or other means, in addition to the written notice.

To prominent media in each jurisdiction: When more than 500 residents of a state or jurisdiction are affected.

To the Secretary of HHS: At the same time individuals are notified, for a breach that affects more than 500 people. A list of these breaching entities will be posted on the agency Web site. Breaches affecting fewer than 500 people (even one person) must be logged and reported to HHS annually, no later than sixty days after the close of the calendar year in which they were discovered.


A business associate must notify the covered entity no later than sixty days after discovery of a breach. The notice should identify each affected individual, along with such other information as the covered entity is required to impart to the individual. It is advised that each individual be notified only once, by the covered entity, rather than separately by the business associate.

A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the covered entity or business associate. These entities are expected to have reasonable systems in place to discover breaches. Knowledge of a breach by a workforce member or agent (including a business associate acting as an agent) is imputed to the covered entity, which is responsible for training them on reporting.


Generally, federal law preempts contrary state law. However, if state law requires notification sooner than the federal rule, the earlier deadline should be applied; meeting the earlier date satisfies both laws.


HITECH covers a wider group than HIPAA and, through the FTC’s companion rule, reaches vendors of personal health records (PHRs), PHR-related entities, and third-party service providers. The rules vary on items such as reporting times. Entities covered by both rules should comply with the most stringent requirement.

... OR ELSE!

HITECH and HIPAA violations both carry severe monetary sanctions: tiered civil penalties ranging from $100 to $50,000 per violation, with an annual cap of $1,500,000 for violations of an identical provision. Such violations may also increase liability under state laws. Business associates are directly liable for their own violations and cannot rely solely on the covered entities for compliance responsibilities. There are numerous contractual issues that should be addressed in the drafting of business associate agreements. Legal consultation is strongly advised. Entities that provide or affiliate with PHR vendors must determine and fulfill their obligations under both rules.

Posted on 03/01/10 at 10:48 AM



