An RSS Feed from melniklegal.com

According to HHS Attorney, HIPAA Enforcement to Increase

Fri, 13 Jun 2014 10:11:11 EST

Yesterday, Law360 reported on some interesting comments made by Jerome B. Meites, a chief regional civil rights counsel at HHS (speaking on his own behalf) at the American Bar Association conference in Chicago on Physician Legal Issues. [1] According to the report, Meites told "attendees that the past 12 months of enforcement will likely pale in comparison to the next 12 months." Meites further said that, "Knowing what�s in the pipeline, I suspect that that number will be low compared to what's coming up."

Meites also addressed the risk of portable media devices, stating that "Portable media is the bane of existence for covered entities. It causes an enormous number of the complaints that OCR deals with." These comments regarding portable media (e.g., phones, usb drives, laptops, etc.) are not surprising considering that of the 18 published actions, 7 involved the loss of unencrypted devices. Additionally, according to OCR's most recent report to Congress [2]:

The 222 reports submitted to OCR for breaches occurring in 2012 described the following locations of the PHI (in order of frequency):
(1) laptop computer (60 reports affecting 654,158 individuals);
(2) paper (50 reports affecting 386,065 individuals);
(3) network server (30 reports affecting 986,607 individuals);
(4) desktop computer (27 reports affecting 253,720 individuals);
(5) other (22 reports affecting 166,411 individuals);
(6) other portable electronic device (20 reports affecting 463,702 individuals);
(7) e-mail (8 reports affecting 241,108 individuals); and
(8) electronic medical record (5 reports affecting 121,964 individuals).

Similarly, many of the most notable class actions and other enforcement actions also involved the loss or theft of laptops. The action against Accretive Health by both the Minnesota Attorney General and the FTC stemmed from the theft of an unencrypted laptop and the class action settlement by AvMed Health Plans involved the theft of two unencrypted laptops from its corporate office (recall that in this case, several of the plaintiffs were victims of identity theft).

According to the report, Meites also "noted that failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the relatively few cases in which breaches actually resulted in financial settlements and not just corrective actions."

"You really have to think carefully about what a risk analysis involves, and it can�t just be the obvious," Meites said. "Everywhere in your system where [patient information] is used, you have to think about how to protect it."

Providers and business associates should remember that a Risk Analysis is not a check-the-box exercise. That is, completing the HIT Security Risk Assessment Tool provided by the National Learning Consortium is unlikely to be sufficient to meet the obligations of performing a thorough Risk Analysis. Similarly, as OCR has made clear in numerous settlements, the Risk Analysis process is an on-going effort and a Risk Analysis must be undertaken when there is a change in the environment:

move to a new office space -- settlement with Blue Cross and Blue Shield of Tennessee
update to website that handles PHI -- settlement with WellPoint
change in server configuration -- settlement with Skagit County, Washington and New York and Presbyterian Hospital

(Brief summary of the OCR settlements.)

For those providers that have attested to Meaningful Use, completing a proper Risk Analysis is that much more important because MU dollars could be clawed back based on fraud given the failure to comply with the requirements of the program.

---------------------------------------
[1] Jeff Overley, Big Year Ahead For HIPAA Fines, HHS Atty Says, Law360.com, June 12, 2014, https://www.law360.com/health/articles/547721?nl_pk=e15b4a14-9a51-44fe-8fba-30fc49555202&utm_source=newsletter&utm_medium=email&utm_campaign=health

[2] HHS, OCR, Report to Congress on Breach Notification Program: 2011 - 2012 Report to Congress on the Breach Notification Program, https://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreptmain.html
---------------------------------------

Posted by Tatiana Melnik on June 13, 2014

Can a Board of Medicine Use the State�s Prescription Drug Database in Investigating Physician Actions?

Sun, 30 Nov 2014 14:25:49 EST

And where do patients' rights stand?

According to a California appellate court, the California Board of Medicine can use a patient's record from the state's controlled substances drug database to build its case against a physician. But, on September 17, 2014, the California Supreme Court granted the appeal of the decision in Alwin Carl Lewis v. The Superior Court of Los Angeles County (Medical Board of California, Real Party in Interest), 226 Cal. App. 4th 933 (May 2014). Opening briefs on the merits are due to the Supreme Court of California by January 16, 2015.

A few preliminary comments....The Medical Boards of each state wield enormous authority over the license of a physician. And this is understandable because the Boards are entrusted, in part, with protecting the public. The aggregation of data, whether it be through a controlled substances prescription database or big data analytics of the type being undertaken in the hunt for Medicare fraud, is empowering regulators and giving them a better understanding of physician practices as well as how the practices of the one physician compares to the practices of many physicians. Further, as we see a move towards the Interstate Medical Licensure Compact and the prospect of greater data sharing among the various Boards, the adverse findings of one Board of Medicine against a physician will surely impact the physician's licenses in other states.

At the same time, based on the Appellate Court's description of the circumstances in this case, patients are left with very little choice or recourse with respect to the sharing of their controlled substances prescription records. As the Court described, the Board sent releases to six of Dr. Lewis's patients to obtain their medical records, but only obtained signed released from three of the patients. For two of the patients, the Board obtained the medical records after an administrative subpoena. (It's not clear what happened with the medical records of the sixth patient.) It is possible that the two patients whose records were subpoenaed did not provide releases because they, for whatever reason, did not want to participate in the process. Is it really proper for the Board to issue administrative subpoenas for the medical records of patients who (1) were not the ones that filed a complaint, (2) failed to return a release and therefore may not have wanted to participate in the process, particularly when three of Dr. Lewis's patients voluntarily released their records to the Board? Was the Board investigating the doctor or the patients? Moreover, there is no way for patients to opt-out of the prescription drug database programs--the only way patients can opt-out is to not fill their prescriptions. That doesn't seem like a true choice for patients.

The case revolves around Dr. Alwin Carl Lewis. The investigation began in 2008 when one of Lewis's patients complained to the Board of Medicine (Board) regarding his advice that "she lose weight and start a diet that the [she] considered to be unhealthful."[1] During the investigation, the Board ran reports on the provider's prescribing history in the Controlled Substance Utilization Review and Evaluation System (CURES) from November 1, 2005, through November 25, 2008, and from December 16, 2008, through December 16, 2009. After reviewing his history, the Board sent releases to six of Dr. Lewis's patients to obtain their medical records. Three of the patients signed the releases voluntarily, and the medical records for two other patients were obtained via an administrative subpoena.[2]

In its complaint against Dr. Lewis, the Board accused Dr. Lewis of a number of violations with respect to his treatment of the patient that filed the complaint as well as his treatment of the additional patients whose medical records were subpoenaed. After an eight day hearing, the Administrative Law Judge "concluded that Lewis engaged in unprofessional conduct by failing to maintain adequate records" with respect to the patient that filed the complaint and "that two of Lewis's patients had been overprescribed controlled substances during a short period of time."[3]

Dr. Lewis appealed the Board's decision to the trial court. Specifically, "Lewis argued the Board violated his patients' informational privacy rights under article I, section 1 of the California Constitution by accessing CURES during the course of an investigation unrelated to improper prescription practices, and also violated their rights not to be subjected to unwarranted searches and seizures."[4]

The trial court decided for the Board and Lewis then filed an appeal to the Appellate Court.

Dr. Lewis phrased the issue for review as follows:

[W]hether the Medical Board of California is permitted to conduct searches, without any showing of any kind-whether good cause, reasonable suspicion, or some other similar standard-and without warrant or subpoena-of the controlled substances prescription records of patients throughout the State, via the State's computerized Controlled Substance Utilization Review and Evaluation System.[5]

As the Appellate Court clarified:

[T]he challenge to CURES appears to be based upon the protections of the Fourth Amendment, but Lewis makes clear that he is asserting his patients' right to informational privacy in their controlled substances prescription records. Lewis has standing to assert his patients' right to privacy under article I, section 1 of the California Constitution. . . Lewis's constitutional attack is narrowly focused on the Board's access to his patients' CURES data during an investigation unrelated to improper prescription practices without patient consent or prior judicial approval upon a showing of good cause.[6]

In upholding the lower court decision, the California Appellate Court discussed the landscape of California and Federal regulations surrounding CURES and the California privacy laws. The Court agreed that medical records deserve protection--"[t]he state of a person's gastro-intestinal tract is as much entitled to privacy from unauthorized public or bureaucratic snooping as is that person's bank account, the contents of his library or his membership in the NAACP."[7] Similarly, the Court found that prescription records are also entitled to protection and "a patient who has obtained a prescription for a controlled substance has a legally protected privacy interest in unwarranted public disclosure and unauthorized access to information contained in [the CURES] records."[8] But, just because people have an expectation of privacy, does not mean that the right is absolute because "other factors may affect a person's reasonable expectation of privacy."[9] As the Appellate Court explained:

There is a diminished expectation of privacy in controlled substances prescription records maintained in CURES. Contrary to Lewis's contention, it does not follow that a patient's expectation of privacy in his or her controlled substances prescription records is the same as the expectation of privacy in medical records. Unlike medical records, prescriptions of controlled substances are subject to regular scrutiny by law enforcement and regulatory agencies as part of the pervasive regulation of controlled substances. A reasonable patient filling a prescription for a controlled substance knows or should know that the state, which prohibits the distribution and use of such drugs without a prescription, will monitor the flow of these drugs from pharmacies to patients. Pharmacies are required to maintain records of prescriptions filled for controlled substances and present them to authorized officers of the law without a warrant. A pharmacist also has a statutory obligation to provide data of controlled substances prescriptions to the Department of Justice on a weekly basis for electronic monitoring in CURES. This well-known and long-established regulatory history significantly diminishes any reasonable expectation of privacy against the release of controlled substances prescription records to state, local, or federal agencies for purposes of criminal, civil, or disciplinary investigations.[10]

Further, the Appellate Court found that the Board's access to the CURES records for disciplinary purposes was permitted by statute and the Board has statutory obligations to maintain the privacy and security of the CURES records. Further, "there is no contention that the Board publicly disclosed Lewis's patients' information to third parties or failed to protect the confidentiality of the CURES data it received during the course of its investigation."[11] As a result, "although there are no penalties in CURES for unwarranted public disclosure," given the other statutory protections in place, the fear that "the Board will publicly disclose CURES data obtained during the course of a licensee-physician investigation does not constitute a serious invasion of privacy."[12]

The Appellate Court also found that a warrant as dictated by the Fourth Amendment was not required because a "warrantless search of a 'closely regulated' business is deemed reasonable if certain criteria are met" and the criteria were met in this case because the CURES statute provided sufficient notice.[13] Further, the statue places limits on the Board investigators because "[a]ccess to CURES data is limited to state and federal agencies for civil, criminal, and disciplinary purposes. Thus, under the statutory scheme, the physician and patient know who is authorized to receive CURES data and under what narrow circumstances."[14]

Finally, the Appellate Court concluded that the Board's access to the patients' records was justified because it had substantial interest in:

"controlling the diversion and abuse of controlled substances";
"protect[ing] the public against incompetent, impaired, or negligent physicians" and Board access prohibited doctors from stalling or otherwise impeding the Board from retrieving records when investigating the physicians.[15]

Further, the nature of the complaint against a physician should not stand to limit when the Board can access the CURES database because "a physician's prescribing practices are directly related to medical care and treatment afforded to his patients."[16] As a result, the Appellate Court appears to conclude that access to CURES data is relevant in any Board investigation against a physician where a complaint is lodged. The Appellate Court found no violation of article I, section 1 of the California Constitution.

To check on the status of this case:

Go to: https://www.courts.ca.gov/10029.htm
Click on the Search Case Information button
Enter case no. S219811 and click on the Search by Case Number button

-------------------------------------
[1] Alwin Carl Lewis v. The Superior Court of Los Angeles County (Medical Board of California, Real Party in Interest), 226 Cal. App. 4th 933, 939. (May 2014).

[2] Id. (It is not clear whether the Board obtained the medical records of the sixth patient. Dr. Lewis had no standing to challenge the release of the medical records from the patients who signed the releases.)

[3] Id.

[4] Id.

[5] Id. at 940-42.

[6] Id. (emphasis added)

[7] Id. at 946.

[8] Id. at 947.

[9] Id.

[10] Id. at 948-49 (internal quotations and citations omitted).

[11] Id. at 949.

[12] Id. at 949 - 951.

[13] Id. at 952.

[14] Id. at 953.

[15] Id. at 955.

[16] Id.

-------------------------------------

Posted by Tatiana Melnik on November 30, 2014

Is the HIPAA EMR/EHR Mandate Required by ALL Medical Providers?

Mon, 05 May 2014 13:37:44 EST

Is the HIPAA EMR/EHR Mandate Required by ALL Medical Providers?

Recently, an interesting question was posed to me by a colleague regarding a so-called 'HIPAA EMR/EHR mandate' and whether all medical providers are required to comply, or only those providers that accept Medicare and/or Medicaid.

To the best of my knowledge, there is no such thing as a "HIPAA EMR/EHR mandate." This question seems to be conflating the HIPAA privacy, security, and breach notification requirements with the EHR Incentive Program. Under the Medicare EHR Incentive Program, providers are required to initiate participation by 2014 to avoid Medicare payment adjustments that begin in 2015. See here for a timeline - https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/EHRIncentProgtimeline508V1.pdf (excerpted below). Similarly, under the Medicaid Incentive Program, providers are required to initiate participation by 2016. There are no payment adjustments for providers who are only eligible for the Medicaid program.

Further, there is no mandate for medical providers to participate in the EHR Incentive Program. To the extent that a provider accepts Medicare, the provider can take the adjustment. A number of small medical providers have opted to take the adjustment because the EHR subsidy is not enough to cover the cost of EHR implementation. Alternatively, the provider can stop accepting Medicare and transition his or her practice to a cash-only, concierge style practice, or private insurance only practice.

How a provider is paid has no impact on whether a provider is subject to HIPAA compliance. All medical providers that transmit protected health information electronically are required to comply with HIPAA.

Posted by Tatiana Melnik May 5, 2014.

Alabama Board of Optometry Makes Final a Rule on Telemedicine

Mon, 09 Mar 2015 08:30:58 EST

The Alabama Board of Optometry recently made final a Rule on the "Practice of Optometry Through Telemedicine." In making this Rule final, it repealed the "Practice of Optometry Across State Line" Rule, which has been in place since 1998.

A few preliminary comments....Under the new Rule, a physician-patient relationship may be established through the use of telemedicine. But, patients must be present at an "Established Treatment Site" to receive services. The Rule defines "Established Treatment Site" as:

A location where a patient shall present to seek optometric care (through telemedicine). An established treatment site shall have an optometrist licensed by the Alabama Board of Optometry present on site during the provision of any telemedicine to a patient, and there must exist between said optometrist and patient an optometrist-patient relationship. There shall be sufficient equipment and technology present at any established treatment site to allow for an adequate physical evaluation as appropriate for the patient's presenting complaint. A patient's home is not considered an established treatment site.

The Rule also provides greater flexibility for the means of providing services via telemedicine as compared to other states. Under the Rule, "Telemedicine" is defined as:

(7) Telemedicine. As used in these regulations, a health service that is delivered by a licensed optometrist acting within the scope of his or her license and that requires the use of telecommunications technology other than telephone or facsimile. Telecommunications technology as used herein shall include, but not be limited to:

(a) compressed digital interactive video, audio, or data transmission;

(b) clinical data transmission using computer imaging by way of still image capture and store and forward;

(c) other technology that facilitates access to health care services or optometric specialty services.

Finally, the Rule also sets out security requirements for communicating with patients, including requiring that providers implement written policies and procedures. The security requirements cover "all patient communications through electronic mail," which includes "any type-written communication that is transferred via the Internet, telephone or cable line, or cellular telephone service, but shall not include facsimile, or 'fax' communications." The Rule enumerates a number of required policies and procedures that are not required under HIPAA and therefore not typically included in a HIPAA manual:

The written policies and procedures for such security measures for electronic mail shall address all of the following:
(1) Confidentiality and integrity of patient-identifiable information;

(2) The identity�by position or title�of health care personnel who will process or otherwise have access to information sent by electronic mail;

(3) Hours of operation and availability of the provider and distant site provider;

(4) Types of transaction which shall be permitted electronically;

(5) The type of information to be included in the communication, such as patient name, identification number, and type of transaction;

(6) How and when electronic mail will be archived and retrieved;

(7) Mechanisms for the oversight of the processing, handling, storage, and archival of electronic mail.

Alabama optometrists providing services via telemedicine must carefully review their existing policies and procedures and bring them in line with these new requirements.

This new Final Rule becomes effective on March 13, 2015

New Rule (scroll down for Rule that was repealed)

PUBLICATION DATE: 03/04/2015

ACTION DATE: 02/06/2015

EFFECTIVE DATE: 03/13/2015

ALABAMA BOARD OF OPTOMETRY
Chapter 630-X-13
Practice of Optometry Through Telemedicine (New Chapter)

Chapter 630 x 13
630 x 13.01 Definitions
630 x 13.02 Optometric Telemedicine
630 x 13.03 On-site Optometrist
630 x 13.04 Security Measures for Electronic Mail
630 x 13.05 Communication in Patient Records
630 x 13.06 Alternative Forms of Communication
630 x 13.07 Patient Records
630 x 13.08 Emergency Telemedicine

630 x 13.01 Definitions

(1) Distant Site Provider. A provider of optometric services through telemedicine from a site other than the patient's then current location. A distant site provider shall hold an active Alabama optometry license as set out in � 34-22-20 and � 34-22-21 of the Alabama Code.

(2) Emergency. A situation or condition where failure to provide immediate treatment poses a threat of loss of sight to a person. For the purposes hereof, routine visual care shall not be an emergency.

(3) Established Treatment Site. A location where a patient shall present to seek optometric care (through telemedicine). An established treatment site shall have an optometrist licensed by the Alabama Board of Optometry present on site during the provision of any telemedicine to a patient, and there must exist between said optometrist and patient an optometrist-patient relationship. There shall be sufficient equipment and technology present at any established treatment site to allow for an adequate physical evaluation as appropriate for the patient's presenting complaint. A patient's home is not considered an established treatment site.

(4) Face-to-face Visit. An evaluation or appointment for treatment at which both the provider and patient are at the same physical location, or where the patient is at an established treatment site and the provider is a distant site provider.

(5) In-person Evaluation. A patient evaluation conducted by a provider who is at the same physical location as the location of the client.

(6) Provider. As used in this chapter the term "provider" shall mean an optometrist holding an active license to practice optometry granted by the Alabama Board of Optometry in accordance with � 34-22-20 and � 34-22-21 of the Alabama Code.

(7) Telemedicine. As used in these regulations, a health service that is delivered by a licensed optometrist acting within the scope of his or her license and that requires the use of telecommunications technology other than telephone or facsimile. Telecommunications technology as used herein shall include, but not be limited to:

(a) compressed digital interactive video, audio, or data transmission;

(b) clinical data transmission using computer imaging by way of still image capture and store and forward;

(c) other technology that facilitates access to health care services or optometric specialty services.

630 x 13.02 Optometric Telemedicine

(1) The provision of optometric diagnosis, treatment, or other services to a patient through telemedicine at an established treatment site may be used for all patient visits, including initial evaluations to establish an optometrist-patient relationship between a provider and a patient.

(2) A distant site provider who provides telemedicine services to a patient that is not present at an established treatment site shall ensure that a proper provider-patient relationship is established, which shall include at least the following:

(a) Having had at least one face-to-face meeting, either In person, or at an established treatment site via telecommunications technology as set out in 630 x 13.01 (7);

(b) Confirming the identity of the person requesting treatment by establishing that the person requesting the treatment Is in fact whom he or she claims to be.

(3) Evaluation, treatment, and consultation recommendations made via telemedicine, including, but not limited to the issuance of prescriptions, shall be held to the same standards of practice as those in traditional in-person clinical settings. The provision of optometric diagnosis, treatment, or other services through telemedicine shall comply with the requirements of the Alabama Code, this chapter, ana these regulations. Failure to comply with such requirements shall be considered a failure to meet standard of care as required by 630-X-12-.06 herein.

(4) Distant site providers shall obtain an adequate and complete medical history for the patient before providing treatment and shall document the medical history In the patient record.

630 x 13.03 On-site Optometrist

A provider may delegate tasks and activities at an established treatment site to an assistant who Is properly trained, supervised, and directed. There shall be, however, an Alabama-licensed optometrist present and available to assist with the provision of care at any established treatment site during the provision of optometric telemedicine.

630 x 13.04 Security Measures for Electronic Mail

Adequate measures shall be taken to ensure the security of all patient communications through electronic mail, and that said information remains confidential. Electronic mail includes any type-written communication that is transferred via the Internet, telephone or cable line, or cellular telephone service, but shall not include facsimile, or "fax" communications. Providers of optometric telemedicine shall, prior to providing optometric telemedicine services, establish and adopt written policies and procedures to ensure the security of patient communications, recordings, and records transferred by electronic mail. Policies shall be evaluated periodically so that they remain up-to-date. The written policies and procedures for such security measures for electronic mail shall address all of the following:

(1) Confidentiality and integrity of patient-identifiable information;

(2) The identity�by position or title�of health care personnel who will process or otherwise have access to information sent by electronic mail;

(3) Hours of operation and availability of the provider and distant site provider;

(4) Types of transaction which shall be permitted electronically;

(5) The type of information to be included in the communication, such as patient name, identification number, and type of transaction;

(6) How and when electronic mail will be archived and retrieved;

(7) Mechanisms for the oversight of the processing, handling, storage, and archival of electronic mail.

630 x 13.05 Communication in Patient Records

All relevant provider-patient electronic communications, including recordings and electronic mail shall be stored and filed in or with the patient's record in addition to any other storage methods.

630 x 13.06 Alternative Forms of Communication

All patients who are served through optometric telemedicine shall be informed of alternative forms of contacting their provider for urgent matters. Conventional telephone numbers used by a provider for traditional on-site optometry shall be sufficient[.]

630 x 13.07 Patient Records

(1) Patient records shall be maintained for all telemedicine services. The provider or distant site provider shall maintain the records created at any site where treatment or evaluation is provided.

(2) Patient records shall include copies of all relevant patient-related electronic communications, including relevant provider-patient email, prescriptions, laboratory and rest results, evaluations and consultation, records of past care, medical histories, and instructions. If possible, telemedicine encounters that are recorded electronically shall also be included in the patient record. Where means of storage will not allow for the storage of electronically recorded encounters with or in the patient record, the patient record shall include a notation or entry that the recording exists and the location and means of storage of such recording.

630 x 13.08 Emergency Telemedicine

(1) An optometrist who is licensed by another state to practice optometry, but who is not licensed in the state of Alabama pursuant to �� 34-22-20 or 34-22-21, who utilizes telemedicine to provide optometric services in the state of Alabama from a distant site outside of the state of Alabama during a state of emergency is not subject to the requirements of this article. For the purposes of this section 13.08(1), a state of emergency means a natural or man-made disaster for which the Governor of the State of Alabama has declared or proclaimed a state of emergency or where the President of the United States has declared a disaster in accordance with the Disaster Relief and Emergency Assistance Act of 1988 as amended. For the exemption contained in this section to apply, the patient receiving telemedicine services from the distant site must be located within the geographical boundaries established In the governor's declaration of a state of emergency or the president's disaster declaration.

(2) A provider who is contacted in an emergency shall not be subject to the notice and security provisions of this article, the provisions of this section 13.08(2) shall not apply to any non-emergency optometric services provided to the patient as a continuation of treatment initiated in the emergency or for a different condition or issue which arises later. For the purposes of this section 13.08(2), an emergency shall have the meaning and definition set out in section 13.01(2) above.

Author: Dr. Fred Wallace
Statutory Authority: Code of Ala., 1975, �34-22-80 through 87.
History: New Rule: Filed February 6, 2015; effective March 13, 2015 .

Old Rule

Alabama Board of Optometry
Chapter 630-X-13
Practice of Optometry Across State Lines (Repealed)

630-X-13-.01 Definition Of Distance-Based Optometrist
630-X-13-.02 Definition Of Alabama Patient
630-X-13-.03 Definition Of The Practice Of Optometry Across State Lines
630-X-13-.04 Special Purpose License To Practice Optometry Across State Lines
630-X-13-.05 Issuance Of Certificate Of Qualification
630-X-13-.06 Issuance Of Special Purpose License To Practice Optometry Across State Lines
630-X-13-.07 Renewal Of Special Purpose License To Practice Optometry Across State Lines
630-X-13-.08 Revocation or Suspension Of Special Purpose License To Practice Optometry Across State Lines
630-X-13-.09 Exemptions
630-X-13-.10 Reciprocity

630-X-13-.01 Definition Of Distance-Based Optometrist
For the purpose of these regulations, a distance-based optometrist is defined as an optometrist located outside the boundaries of the State of Alabama who does not have a full, unrestricted and current license to practice optometry in Alabama.

History: Author, Dr. William Sullins; Filed December 11, 1998

630-X-13-.02 Definition Of Alabama Patient.
For the purposes of these regulations, an Alabama patient is an Individual whose physical location is within the boundaries of the State of Alabama.

History: Author, Dr. William Sullins; Filed December 11, 1998

630-X-13-.03 Definition of The Practice Of Optometry Across State Lines.
The practice of optometry across state lines means the examination of, or consultation regarding, an Alabama patient by a distance-based optometrist and shall include:

(1) The rendering by a distance-based optometrist of a professional opinion, either written or otherwise documented, concerning the diagnosis or treatment of an Alabama patient as a result of transmission of individual patient data by electronic or other means to such distance-based optometrist or his or her agent, or

(2) The rendering by a distance-based optometrist of treatment to an Alabama patient as a result of transmission of individual patient data by electronic or other means to such distance-based optometrist or his or her agent, but

(3) This definition shall not include an informal consultation regarding an Alabama patient between an Alabama licensed optometrist and a distance-based optometrist provided that the consultation does not result in either:

(a) compensation or the expectation of compensation by either optometrist, or

(b) the format rendering of a written or otherwise documented professional opinion concerning the diagnosis or treatment of said patient by the distance-based optometrist.

History: Author, Dr. William Sullins; Filed December 11, 1998

630-X-13-.04 Special Purpose License To Practice Optometry Across State Lines.

A special purpose license issued by the Alabama Board of Optometry shall be required for the practice of optometry across state lines in Alabama.

History: Author, Dr. William Sullins; Filed December 11, 1998

630-X-13-.05 Issuance Of Certificate Of Qualification.

An individual may apply to the Alabama Board of Optometry for the issuance of a certificate of qualification for a special purpose license to practice optometry across state lines. Such application shall be on a form provided by the Board upon request and shall include an application fee in the amount of $600.00. The Board shall issue such certificate of qualification providing the following requirements are met:

(1) The applicant holds a current full and unrestricted license to practice optometry in a state or territory of the United States.

(2) The applicant has no previous or pending disciplinary action or other action taken against the applicant by any state or other licensing jurisdiction, provided, however, that the Board may issue a certificate of qualification in such cases where the previous or pending disciplinary action or other action does not indicate that the applicant is a potential threat to the public.

(3) The applicant shall affirm his or her intent and willingness to report to the Alabama Board of Optometry in writing the initiation of any disciplinary action against him or her by any state or territory in which he or she is licensed. Said report shall be submitted to the Alabama Board of Optometry within 15 days of the Initiation of such disciplinary action.

History; Author, Dr. William Sullins; Filed December 11, 1998. Amended effective February 20, 2008.

630-X-13-.06 Issuance OF Special Purpose License to Practice Optometry Across State Lines.

The Alabama Board of Optometry shall issue a special purpose license to practice optometry across state lines upon presentation by a distance-based optometrist of a certificate of qualification issued by the Alabama Board of Optometry in accordance with this chapter. Special purpose licenses to practice across state lines limit the holders thereof solely to the practice of optometry across state lines as defined herein and does not confer the authority to practice optometry while said licensee is within the physical boundaries of the state of Alabama.

History: Author, Dr. William Sullins; Filed December 11, 1998

630-X-13-.07 Renewal Of Special Purpose License To Practice Optometry Across State Lines.

The special purpose license to practice optometry across state lines is valid for a period of three years. Such special purpose license may be renewed for additional three year terms upon receipt of a renewal fee of $260.00.

History: Author, Dr. William Sullins; Filed December 11, 1998. Amended effective February 20, 2008.

630-X-13-.08 Revocation Or Suspension of Special Purpose License To Practice Optometry Across State Lines.

(1) A special purpose license to practice optometry across state lines may be revoked or suspended, or other disciplinary action may be imposed, by the Alabama Board of Optometry for any of the following causes:

(a) Failure to renew special purpose license according to the renewal schedule established by the Board shall result in the automatic revocation of said license.

(b) Failure to comply with rules and regulations of the Alabama Board of Optometry shall be cause for the Board to initiate disciplinary actions as set forth in Sections 34-22-1 to 34-22-43, inclusive, Code of Alabama 1975,

(c) Failure to comply with rules and regulations governing optometrists in any other state or territorial licensing jurisdiction in which the licensee holds a license to practice optometry shall be cause for the Board to initiate disciplinary actions in Alabama and to impose the same discipline it would have imposed had the violation been committed by an Alabama licensee in the course of practice in Alabama.

(2) The Alabama Board of Optometry is authorized to temporarily suspend a special purpose license to practice optometry across state lines without a hearing on either of the following grounds:

(a) The failure of the licensee to appear or produce records or materials as requested by the Board.

(b) The initiation of a disciplinary action against the licensee by any state or territorial licensing jurisdiction in which the licensee holds a license to practice optometry. The temporary suspension provided hereby shall remain in effect until the temporary suspension is terminated by written order of the Alabama Board of Optometry, finding that any violation of the rules or regulations governing optometrists committed by the licensee, or any failure by the licensee to honor requests of the Board, does not indicate that the licensee is a potential threat to the public.

History: Author, Dr. William Sullins; Filed December 11, 1998

630-X-13-.09 Exemptions.

(1) A distance-based optometrist who engages in the practice of optometry across state lines in an emergency, is not subject to this rule.

(2) A distance-based optometrist who engages in the practice of optometry across state lines on an irregular or infrequent basis is not subject to this rule. Irregular or infrequent practice of optometry across state lines is defined as such practice involving fewer than 10 patients, occurring less than 10 times in a calendar year, or comprising less than one percent of the distance-based optometrist's diagnostic or therapeutic practice of optometry.

History: Author, Dr. William Sullins; Filed December 11, 1998. Amended effective February 20, 2008.

630-X-13-.10 Reciprocity.

Notwithstanding any provision of this regulation, the Board shall only issue a special purpose license to practice optometry across state lines to an applicant whose principal optometric practice location and license to practice optometry is located in a state or territory of the United States whose laws permit or allow for the issuance of a special purpose license to practice optometry across state lines or similar license to an optometrist whose principal practice location Is within the boundaries of the State of Alabama.

History: Author, Dr. William Sullins
Statutory Authority: Code of Ala., 1975, �34-22-80 through 87.
Filed December 11, 1998

For additional details, see: https://www.optometry.alabama.gov/AdminCode.htm

-------------------------------------

Posted by Tatiana Melnik on March 9, 2015

Target's Data Breach Costs Reach $148 Million

Wed, 06 Aug 2014 09:51:19 EST

In a Press Release issued on August 5, 2014, Target Corporation announced that its costs to address the December 2013 data breach have reached approximately $148 million. This number is "partially offset by a $38 million insurance receivable,"[1] of the $100 million network security insurance coverage available.[2]

The Company further noted that, "[e]xpenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks." In its 10-Q report from May 29, 2014, Target advised that it expects these claims to "include amounts for incremental counterfeit fraud losses and non-ordinary course operating expenses (such as card reissuance costs) that the payment card networks believe they or their issuing banks have incurred."[3] Interestingly, Target specifically noted that, "[w]hile an independent third-party assessor found the portion of [its] network that handles payment card data to be compliant with applicable data security standards in the fall of 2013, the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach."[4]

As of May 29, Target also had more than 100 actions filed against the Company "on behalf of guests, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising out of the Data Breach."[5] Additionally, Target reported that "State and federal agencies, including the State Attorneys General, the Federal Trade Commission and the SEC are investigating events related to the Data Breach, including how it occurred, its consequences and [Target's] responses."[6]

On July 24, 2014, U.S. District Judge Paul Magnuson, U.S. District Court, District of Minnesota, rejected Target's motion to stay discovery in a multidistrict litigation over the data breach. Target requested the stay pending the court's decision on a motion to dismiss that Target intends to file, noting that, "any motions to dismiss will be fully briefed by the end of October in the bank cases and the end of November in the consumer cases."[7] Judge Magnuson ruled that, "[g]iven the Court's practice of issuing rulings on dispositive motions within one month of the hearing date, if not sooner, discovery will have proceeded for only a few months by the time the Court rules on Defendants' motions. Ninety days' worth of discovery does not impose such a burdensome expense to warrant disturbing the case's schedule."[8] Discovery is scheduled to begin in September 2014.

A few comments.... Data breach remediation is clearly expensive. The Target incident is also a good reflection of what we continue to see in the market for both payment card and protected health information related data breaches - numerous class actions combined with federal and state government investigations. Additionally, as noted by Target in its 10-Q report, a third-party vendor found Target in compliance "with applicable data security standards" (presumably PCI-DSS) in fall 2013, but "the forensic investigator working on behalf of the payment card networks claimed that [Target was] not in compliance with those standards at the time of the Data Breach." Organizations storing personally identifiable information, whether it be credit card data or medical records, must carefully assess their risk on a continuous basis.

-------------------------------------------

[1] SEC, Form 8-K, Target Corporation, Aug. 5, 2014, available at https://investors.target.com/phoenix.zhtml?c=65828&p=irol-sec.

[2] SEC, Form 10-Q, Target Corporation, May 29, 2014, p. 9, available at https://investors.target.com/phoenix.zhtml?c=65828&p=irol-sec.

[3] Id. at 8.

[4] Id. at 8.

[5] Id. at 9.

[6] Id. at 9.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522, Order, July 24, 2014 (Court Order denying Defendants� Motion to Stay Discovery (Docket No. 125)), available at https://www.mnd.uscourts.gov/MDL-Target/Orders/2014/2014-0724-14MDL2522-Order.pdf.

[8] Id.

-------------------------------------------

Posted by Tatiana Melnik on August 6, 2014