By Peter Keohane, JD, MPH, CPC
Protect your medical records, or you could be setting yourself up for unforeseen problems.
As most coding professionals know, identity theft is an increasingly common problem for businesses that collect and maintain personal information. According to the Federal Trade Commission, identity theft is the most common complaint from consumers in all 50 states, and complaints regarding identity theft have grown for three consecutive years. Since 2005, the Privacy Rights Clearinghouse has identified over 97 million data records exposed because of security breaches, and that tally continues to grow. Many state legislatures have responded by enacting new laws designed to protect identity theft victims. These laws, found in more than 30 states, generally require companies to adopt security safeguards to protect their patients’ or customers’ personal information (usually stored electronically) and to notify the affected individuals when those safeguards fail.
How does this affect a medical practice? The personal information found in an electronic medical or billing record database will almost certainly fall within the scope of this state legislation. If a practice suspects a breach of its computer system, the notice requirement may be triggered, and the practice will have to inform every patient whose information may have been exposed.
The nuances of identity theft laws vary by state, so let’s examine California, which was the first state to enact a notice requirement and whose law is the model for many other states.
In 2002, California became the first state to pass a law requiring that companies (including medical practices) provide notices of any data security breaches that might have compromised residents’ personal information.
The California “Notice of Security Breach” law (Civil Code Section 1798.82) requires any person, state agency or company (such as a medical practice) that does business in the state or owns computerized data about its residents to notify Californians if their personal information is acquired by an unauthorized person, or when the practice reasonably believes that personal information may have been compromised. The law also reaches others who maintain the computerized records on behalf of the California business, such as a billing service or an off-site electronic medical records vendor: the maintainer must notify the owner of the data immediately after discovering the breach, and the owner then notifies the individuals. Thus, in the case of a billing service system breach, the responsibility under California law for notifying patients falls back to the practice.
The California law encompasses only certain data elements found in medical or billing records; it does not reach the more broadly defined Protected Health Information (PHI) of HIPAA (though that may be a next step). Specifically, California defines “personal information” as a first name or first initial and last name combined with any one of the following unencrypted identifiers: (1) Social Security number, (2) driver’s license or state identification card number, or (3) a financial account, credit card or debit card number in combination with any security code, access code or password that would allow access to the account. The word “unencrypted” matters: if the identifier was stored encrypted and the key was not exposed, the record does not meet the definition and the notice duty is not triggered, which is one practical argument for encrypting these fields at rest. Many medical records include a Social Security number, and many billing records hold payment information such as credit card numbers and checking account numbers. It is this information that the California law seeks to protect; of course, it is usually commingled with the rest of the record, so in practice the entire record can fall within the statute.
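The definition above is easy to misapply when scoping an incident (a bare account number without its security code does not qualify; an encrypted SSN does not qualify; a record with no name attached does not qualify). As an added example, not code from the article or from any statute, the Python below applies the article’s paraphrase of the 1798.82 definition to a constructed set of exposed records and reports which California residents must be notified and whether individual or substitute notice applies. The record field names and sample data are assumptions; the substitute-notice thresholds ($250,000 cost or more than 500,000 people, or no usable contact information) are those in the statute. The statutory definition has since been amended and expanded, so the current text, not this example, governs any real incident.

```python
"""Scope a suspected breach against the 'personal information' definition
paraphrased in the article from Cal. Civ. Code 1798.82 (as written in 2002).
Constructed example: field names, sample records and patient IDs are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExposedRecord:
    patient_id: str
    state: str                              # state of residence, e.g. "CA"
    first_name: Optional[str] = None        # first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    state_id_number: Optional[str] = None   # driver's license or state ID card
    account_number: Optional[str] = None    # credit card / checking account
    account_security_code: Optional[str] = None
    # Fields that were stored encrypted and whose key was not exposed.
    encrypted_fields: frozenset = frozenset()


def _usable(rec: ExposedRecord, name: str) -> bool:
    """True if the field is present and was exposed in cleartext."""
    value = getattr(rec, name)
    return bool(value) and name not in rec.encrypted_fields


def triggering_elements(rec: ExposedRecord) -> list:
    """Return the statutory data elements that make this record
    'personal information', or [] if the definition is not met.

    A name (first name or initial plus last name) must be present, and at
    least one unencrypted element must accompany it. An account number counts
    only together with an unencrypted security code that gives access.
    """
    if not (rec.first_name and rec.last_name):
        return []
    hits = []
    if _usable(rec, "ssn"):
        hits.append("ssn")
    if _usable(rec, "state_id_number"):
        hits.append("state_id_number")
    if _usable(rec, "account_number") and _usable(rec, "account_security_code"):
        hits.append("financial_account")
    return hits


def patients_to_notify(records, state: str = "CA") -> list:
    """IDs of residents of `state` whose exposed record meets the definition."""
    return sorted(
        rec.patient_id for rec in records
        if rec.state == state and triggering_elements(rec)
    )


def notice_method(n_affected: int, estimated_cost_usd: float,
                  has_contact_info: bool = True) -> str:
    """Individual written (or E-SIGN-compliant electronic) notice by default;
    substitute notice (e-mail where available plus a conspicuous web posting
    plus major statewide media) when the statute's thresholds are met."""
    if (estimated_cost_usd > 250_000 or n_affected > 500_000
            or not has_contact_info):
        return "substitute"
    return "individual"


# Constructed sample: rows recovered from a dumped billing table.
SAMPLE = [
    ExposedRecord("p1", "CA", "Ana", "Lopez", ssn="123-45-6789"),
    ExposedRecord("p2", "CA", "B.", "Chen", ssn="987-65-4321",
                  encrypted_fields=frozenset({"ssn"})),            # SSN encrypted
    ExposedRecord("p3", "CA", "Cal", "Diaz",
                  account_number="4111111111111111", account_security_code="123"),
    ExposedRecord("p4", "CA", "Dee", "Evans",
                  account_number="4111111111111111"),               # no code
    ExposedRecord("p5", "NV", "Eli", "Ford", ssn="111-22-3333"),   # not a CA resident
    ExposedRecord("p6", "CA", None, "Gray", ssn="444-55-6666"),    # no first name
]

if __name__ == "__main__":
    affected = patients_to_notify(SAMPLE)
    print(affected, notice_method(len(affected), estimated_cost_usd=2.0 * len(affected)))
```

Only p1 and p3 come out as requiring notice: p2’s SSN was encrypted, p4’s card number has no security code, p5 is not a California resident, and p6 has no first name attached. Out-of-state residents are dropped here only because the example applies California’s rule; their own states’ laws still need to be checked separately.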
What is “notice” in California? For most practices, the answer is a written letter to each California resident whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person (electronic notice is also permitted if it satisfies the federal E-SIGN Act). There are exceptions. If the practice can show that individual notice would cost more than $250,000, that more than 500,000 people would have to be notified, or that it lacks sufficient contact information, it may give substitute notice instead: e-mail where addresses are available, a conspicuous posting on the practice’s website, and notification to major statewide media.
Follow State Procedures
These new state laws add another wrinkle to the already complex HIPAA Security Rule requirements. Nonetheless, they should be addressed in a similar manner through policies and procedures on how to respond to potential security breaches. What is different here, though, is that legal requirements vary from state to state, so practices that have locations in multiple states (or have patient records from residents of multiple states) must understand their patients’ different state identity theft notice laws (if they exist at all).
Until Congress decides upon a national standard for identity theft and notification requirements, the states will continue to enact their own unique legislation, meaning practices that see patients from multiple states will need to be aware of the potential requirements in the event of a computer system security breach. Perhaps the most sound policy is to notify all patients of each breach or potential breach of the practice’s medical or billing system; if nothing else, it demonstrates the practice’s willingness and attention to protect its patients’ personal information.
Peter Keohane, JD, MPH, CPC, CHC, is a nationally recognized health care consultant and attorney with over 16 years of experience in the industry. He has assisted numerous physician practices, hospitals and other providers with key health care compliance issues, including coding/billing fraud, false claims, kickbacks, Stark, and other compliance topics.