HIPAA - Parents and Their Children’s Medical Records

 Parents and Their Children’s Medical Records

Situations when parents can and cannot see their children’s medical records

Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?

 The answer is YES; the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.

Exceptions when the parent would not be the minor’s personal representative under the Privacy Rule.

1. When the minor is the one who consents to care, and the consent of the parent is not required under State or other applicable law;

2. When the minor obtains care at the direction of a court or a person appointed by the court and

3. When and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.

Four exceptions to the exceptions

Even in these exceptional situations, there are additional rules to follow:

1. The parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access.

2. Parental access would be denied when State or other law prohibits such access.

3. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.

4. Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse, neglect or that treating the parent as the child’s personal representative could endanger the child.

Can a minor child’s doctor talk to the child’s parent about the patient’s mental health status and needs?

Again the answer is generally yes. With respect to general treatment situations, a parent, guardian, or other person acting in loco parentis usually is the personal representative of the minor child and a health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule.

Here come the exceptions

However, section 164.502(g) of the Privacy Rule contains several important exceptions to this general rule. A parent is not treated as a minor child’s personal representative when:

1.  State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, the minor consents to the health care service and the minor child has not requested the parent be treated as a personal representative;

2. Someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent, or

3. A parent agrees to a confidential relationship between the minor and a health care provider with respect to the health care service. For example, if State law provides an adolescent the right to obtain mental health treatment without parental consent, and the adolescent consents to such treatment, the parent would not be the personal representative of the adolescent with respect to that mental health treatment information.

HIPAA defers to State Laws

Unlike some HIPAA Rules, the Privacy Rule concedes to State or other applicable laws in allowing or not allowing disclosure. Regardless of whether the parent is otherwise considered a personal representative, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent that it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent when and to the extent it is prohibited under State or other laws (including relevant case law).

What if the State Laws are silent?

In cases in which State or other applicable law is silent concerning disclosing a minor’s protected health information to a parent, and the parent is not the personal representative of the minor child based on one of the exceptional circumstances described above, a covered entity has the discretion to provide or deny a parent access to the minor’s health information, if doing so is consistent with State or other applicable law, and the decision is made by a licensed health care professional in the exercise of professional judgment.

Mental Health and Substance Abuse laws may be stricter

In situations where a minor patient is being treated for a mental health disorder and a substance abuse disorder, additional laws may be applicable. The Federal confidentiality statute and regulations that apply to federally-funded drug and alcohol abuse treatment programs contain provisions that are more stringent than HIPAA. In these cases, it is wise to know your State laws and HIPAA rules, found here: https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html

Reminder: A parent also may not be a personal representative if there are safety concerns. A provider may decide not to treat the parent as the minor’s personal representative if the provider believes that the minor has been or may be subject to violence, abuse, or neglect by the parent or the minor may be endangered by treating the parent as the personal representative; and the provider determines, in the exercise of professional judgment, that it is not in the best interests of the patient to treat the parent as the personal representative.

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

 HVAC Systems and COVID-19

Do we need to protect employees from our building’s air conditioners?

 

Cause for concern?

In one study, available online as a preprint and has not undergone scientific review, researchers in Oregon collected samples from various places inside a hospital’s HVAC system and found genetic material from the virus that causes COVID-19. This demonstrates that it may be possible for the virus to be transmitted through HVAC systems.

The research started late; the final evidence is not in yet

However, researchers did not assess if the genetic material they found was able to cause infection, and they noted there were no confirmed COVID-19 cases associated with the samples found in the ventilation systems.

There is currently no conclusive evidence documenting the possibility of COVID-19 transmission through an air conditioning unit.

The known risk is non-circulation indoors

The known risk is that hot weather outside makes people seek air-conditioned comfort indoors. And indoors, there is less ventilation and more opportunity to spread disease. The risk to healthcare workers is that we are indoors and, on occasion, not socially distancing and rebreathing the air that people have just exhaled.

When we shut the doors and windows to keep the hot air outside, we are essentially eliminating the flow of fresh air, so everyone in the room is breathing and rebreathing the same air. If someone in the room is infected with COVID-19, then they are breathing out the virus, which can linger in airborne droplets and be inhaled by another person, potentially causing infection.

By comparison, if you were outside and near an infected person who breathed out some viral particles, there is a much larger volume of air flowing to disperse and dilute those particles quickly, reducing the risk of spread to another person nearby. That is why infectious disease experts consider outdoor gatherings and activities less risky than indoor ones (though not completely risk-free).

Another suspected risk of air conditioning

The other significant risk is that air conditioning units, fans, or even an open window can create strong enough air currents to move virus-containing droplets around a room. This happened in January at a restaurant in Guangzhou, China, where a person with COVID-19 infected five other people sitting at neighboring tables from 3 to 6 feet away, according to a study by scientists from the Chinese Center for Disease Control and Prevention. After examining video footage of the diners who were infected and simulating the transmission of the virus, scientists concluded that the small outbreak was caused by strong air currents from the air conditioning unit above the diners, which was blowing virus-containing aerosols from an infected person to those nearby. The restaurant also had no windows — and thus no ventilation bringing in fresh air and diluting virus particles in the air.

A clue: Flu particles can travel 30 feet in the air

The fact that aerosolized viral droplets can move in air currents in this way means that if you are in a room with an infected person and fresh air is not circulating, even if you are socially distancing to keep 6 feet apart at a minimum, you may not be safe.  Although there are currently no published studies that have examined precisely how far airborne COVID-19 particles can travel, previous research on influenza found that viral particles may travel upward of 30 feet in the air.

To be clear, this is only a concern in shared public places. At home, the risk of contracting COVID-19 through air currents or air conditioning units is no more likely than spreading the virus through close contact or touching contaminated surfaces.

CDC Engineering recommendations for protecting employees right now:

• Modify or adjust seats, furniture, and workstations to maintain social distancing of 6 feet between employees, where possible.

o   Install transparent shields or other physical barriers where possible to separate employees and visitors where social distancing is not an option.

o   Arrange chairs in reception or other communal seating areas by turning, draping (covering the chair with tape or fabric so seats cannot be used), spacing, or removing chairs to maintain social distancing.

• Use methods to physically separate employees in all areas of the building, including work areas and other areas such as meeting rooms, break rooms, parking lots, entrance and exit areas, and locker rooms.

o   Use signs, tape marks, or other visual cues such as decals or colored tape on the floor, placed 6 feet apart, to show where to stand when physical barriers are not possible.

o   Replace high-touch communal items, such as coffee pots and bulk snacks, with alternatives such as pre-packaged, single-serving items. Encourage staff to bring their own water to minimize the use and touching of water fountains or consider installing no-touch activation methods for water fountains.

o   Consider taking steps to improve ventilation in the building, in consultation with an HVAC professional, based on local environmental conditions (temperature/humidity) and ongoing community transmission in the area:

o   Increase the percentage of outdoor air (e.g., using economizer modes of HVAC operations) potentially as high as 100% (first, verify compatibility with HVAC system capabilities for both temperature and humidity control as well as compatibility with outdoor/indoor air quality considerations).

o   Increase total airflow supply to occupied spaces, if possible.

o   Disable demand-control ventilation (DCV) controls that reduce air supply based on temperature or occupancy.

o   Consider using natural ventilation (i.e., opening windows if possible and safe to do so) to increase outdoor air dilution of indoor air when environmental conditions and building requirements allow.

o   Improve central air filtration:

•  Increase air filtration to as high as possible without significantly diminishing design airflow.
•   Inspect filter housing and racks to ensure appropriate filter fit and check for ways to minimize filter bypass.

o   Consider running the HVAC system at maximum outside airflow for 2 hours before and after occupied times, in accordance with industry standards.

o   Generate clean-to-less-clean air movements by re-evaluating the positioning of supply and exhaust air diffusers and/or dampers and adjusting zone supply and exhaust flow rates to establish measurable pressure differentials. Have staff work in “clean” ventilation zones that do not include higher-risk areas such as visitor reception or exercise facilities (if open).

• Consider using portable high-efficiency particulate air (HEPA) fan/filtration systems to help enhance air cleaning (especially in higher-risk areas).
• Ensure exhaust fans in restroom facilities are functional and operating at full capacity when the building is occupied.
• Consider using ultraviolet germicidal irradiation (UVGI) as a supplemental technique to inactivate potential airborne virus in the upper-room air of common occupied spaces, in accordance with industry guidelines.

CDC References and links for these recommendations are found here: https://www.cdc.gov/coronavirus/2019-ncov/community/office-buildings.html

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Dangerous Hand Sanitizers

The FDA's list of dangerous hand sanitizers is now at 100+

On August 7, 2020, the FDA issued updated guidance to provide additional clarification on testing of alcohol used in hand sanitizers manufactured under FDA’s temporary policies to help ensure that harmful levels of methanol are not present in these products. This testing will help ensure widespread access to alcohol-based hand sanitizers that are free of contamination.

The FDA updated their guidance to provide clarification that companies must test each lot of the active ingredient (ethanol or isopropyl alcohol (IPA)) for methanol if the ethanol or IPA is obtained from another source. The FDA recommended using the test methods described in the USP monograph for alcohol (ethanol) and conducting the testing in a laboratory that has been previously inspected by the FDA and is compliant with current good manufacturing practices (CGMP).

Additionally, any alcohol (ethanol) or IPA found to contain more than 630 ppm methanol does not fall within the policies described in the temporary guidance and as a result, may be considered evidence of substitution or contamination, or both. Alcohol-based hand sanitizers that are contaminated with methanol are subject to adulteration charges under the FD&C Act. The alcohol (ethanol) or IPA should be destroyed following guidelines for hazardous waste, and the manufacturer or compounder should contact the FDA regarding the test results and the alcohol’s source.

Pharmacy list also updated

The temporary guidance has also been updated to provide adverse event reporting guidelines for state-licensed pharmacies and outsourcing facilities.

The agency also included an additional denaturant formula in the temporary guidance. Denaturing alcohol in hand sanitizers is critical to deterring children from unintentional ingestion. The FDA has said that consumer and health care professional safety is a top priority for FDA, and an important part of the FDA’s mission is to protect the public from harm, especially as they seek to help increase hand sanitizer supply.

For questions, email the FDA here:  COVID-19-Hand-Sanitizers@fda.hhs.gov 

The list of dangerous hand sanitizers

For the latest list of dangerous hand sanitizers as of August 10, 2020, and a list of products on their dangerous hand sanitizer list, go here (scroll down to see the list).

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Medical Records Retention Time-frames

If you Google “Medical Records Retention,” it says to keep records 4, 6, 7, up to 10 years or forever. That is why our call center at HCSI receives many questions about how long medical records need to be retained. Medical Records Retention (MRR) is a challenging issue. There are many variables. This entire newsletter is dedicated to helping explain a few of these variables.

The idea that records, either in paper or electronic form, should be saved for around ten years to comply with all requirements is an oft-touted rule of thumb. And it is often a good one. But, of course, there are exceptions. It is confusing!  Unfortunately, there is no single "exact line" that describes federal, state, and other statutory laws that establish how long medical records must be maintained in every case. But we have assembled Ten MRR Rules to help you understand how long to keep your patient records. This list is not exhaustive, but it covers the majority of situations.

Why is it so important to properly maintain medical records?

Beyond the laws and regulations, at its core, your medical records retention policy should be based primarily on two principles: 

1. Medical Considerations 

2. Continuity of Care for your practice and with other providers who care for your patients

Additional reasons for retaining medical records 

1. Providing Patients with Information should they wish to access their records 

2. Protecting the Provider in case a legal claim is made in the future

a. Relying on the practitioner’s testimony of general habit and practice to show that the standard of care was met—without supporting documentation to establish the treatment that was rendered—often fails to convince a jury that the treatment the patient received was consistent with community standards.

3. Complying with Federal and State Laws for such things as billing audits

4. MRR establishes the quality of care rendered in the event of a medical board or peer review inquiry. 

a.  Patient complaints are often based on an individual’s mistaken recollection of events or on a failure to understand the course of treatment or adverse consequences involved in the dispute. With complete charting, frivolous allegations are readily resolved, frequently well before a formal administrative process is even initiate

MMR Rule #1: Is it practical to keep all your records?

Should we begin thinking about keeping all records for 30 years or more?

With the advent of inexpensive high-speed storage, HCSI would like to suggest the idea that if all your medical records are electronic, they may be kept permanently. This would be helpful should access to patient information becomes necessary, as has been evidenced by litigation cases involving exposure to chemicals, drugs, or substances such as asbestos. 

We realize that the storage of hard copy records makes permanent retention impractical; however,

Sound too expensive. It used to be. One estimate states that 2000 patient over 30 years could take up 4000 gigabytes of computer storage, or about 30 Terabytes. At today’s prices, a 30 TB hard drive can be purchased for under $1,000.

Another side of the coin

There’s another side of this that is sometimes suggested by law firms. Here’s the argument:

Destroying records, digital or otherwise, once their retention deadlines arrive lessens the volume of Protected Health Information (PHI) theft that is possible. Even if your backroom is locked and your health IT system offers top-notch encryption, security breaches and HIPAA violations can still occur.

There’s no reason to leave any patient information – especially data that’s unnecessary to retain – vulnerable to being compromised. As long as you keep documented records of all destructions, proper disposal of old data is the best way to ensure patient confidentiality is upheld. If you’ve got plenty of space at your practice for stowing old paper records, you may be tempted to hang on to them forever, if only to avoid the hassle of electronic archiving or digging through them to determine what you can pitch.

So comb through your old charts, dig through your electronic data and destroy what no longer needs to be retained.

MRR Rule #2: Coordinate State and Federal laws

Whichever law instructs you to keep medical records the longest prevails

Know your State Laws:

• Providers must comply with individual state regulations on Medical Record Retention (which often differ from the national standards) and their states’ statutes of limitations on malpractice lawsuits.
• If Federal laws require individual medical records to be kept 10 years and your state law says 12 years, keep them 12 years – and vice versa. This rule applies to all other retention laws. 
• You can find the state laws on retention periods for your state and practice type at: (PDF) 

MRR Rule #3: Maintain a policy for retaining your medical records 

Share it with your staff and patients

Share your medical record retention rules with your entire staff and new employees

Even a simple practice such as holding a meeting (and making a record of it) to go through the rules in this newsletter will help your staff understand the importance of medical records. You can customize your policies based on your specialty and needs.

Some practices provide a summary MMR policy to new patients as part of their "introduction to the practice" materials.

When new patients are informed in advance about how their medical records will be handled, there is substantially less likelihood of a complaint to the Medical Board if/when a practice is closed. Be sure current and future patients at some point receive assurance about their medical records. This may be as simple as a paragraph at the top or bottom of an intake form that says something like. “At ABC Medical, we carefully maintain and protect your private medical records according to all federal and state laws. Should you at any time desire access to these records, please consult with your physician or our staff.”

Have your MMR policy reviewed

It is a wise idea to check with your medical liability insurance carrier and legal representative before finalizing your policy. They have experience defending other practice policies. 

MRR Rule #4: MINORS: Typically 3 Years after they reach majority 

Consult State/Federal/Hospital/etc. laws and retaining them for whichever is longest 

• Typically Age of Majority is 18-20. 
• A typical exception for minors is hospitals usually require age of majority plus 6 years.
• Once a minor reaches majority, the adult retention recommendation applies, e.g., 10 years from the last medical service for which a medical entry is required.
• If a lawsuit is filed, it is essential to note that the statute of limitations may not begin to run until the plaintiff (patient) learns of the causal relationship between an injury and the care received.
• The American Academy of Pediatrics recommends that, at a minimum, pediatric records should be retained for 10 years or the age of majority plus the applicable state statute of limitations (time to file a lawsuit), whichever is longer.

MRR Rule #5: Adults: 7-10 years

Measured from the date of the last medical service for which a medical entry is required. 

• In some instances Federal law mandates that a provider keep and retain each record for a minimum of 7-10 years from the date of last service to the patient, we recommend keeping them for a minimum of 10 years.
• For Medicare Advantage patients, 10 years.
• Deceased adult patients: 10 years from the time of death. State exceptions may apply.

MRR Rule #6: Legal matters: Keep accruing’ ‘till they’re all done suin’ 

In other words, maintain medical records as long as they might be used to defend against a malpractice allegation.

• Should you ever discover or suspect that legal action is pending from a patient, be sure to save his relevant records, even if you’ve already kept them past their other retention deadlines.
• No destruction is allowed once you have knowledge of the litigation. 

MRR Rule #7:  OSHA: 30 years

For workplace injuries, if OSHA was involved, keep them for 30 years after the last date of service.

MRR Rule #8:  Veterans: 70 years - Indefinitely

• Be prepared to store vet charts for a long time – 75 years.
• If a patient was not mentally competent at the time of treatment, retain the records indefinitely.

MRR Rule #9: HIPAA: 6 Years

Six years from when the document was created, or – for policies – from when it was last in effect

• According to the Department of Health and Human Services, the HIPAA Privacy Rule has no requirements for medical record retention at a doctor's office. Only HIPAA Related documents. How long a doctor is required to keep a chart is based on what each state's legislation decides. So, Tennessee's medical record retention rules may completely differ from Georgia's and so forth.
• Although there are no HIPAA retention requirements for medical records, there is a requirement covering how long HIPAA-related documents should be retained. This is covered in
• CFR §164.316(b)
• While the HIPAA Privacy Rule does not determine how long a chart must be kept at a doctor's office, it does; however, require that any covered entities apply all safety guidelines necessary to protect the privacy of all patients,
• As with all these rules, states requiring less than six years, health organizations must still retain HIPAA information for six years – the longer of the two rules.

The list of documents subject to the HIPAA retention requirements, and depends on the nature of business conducted by the Covered Entity or Business Associate. The following list is an example of the most common types of HIPAA documents beyond patient files.

• Notices of Privacy Practices.
• Authorizations for the Disclosure of PHI.
• Risk Assessments and Risk Analyses.
• Business Associate Agreements.
• Employee Sanction Policies.
• Incident and Breach Notification Documentation.
• Complaint and Resolution Documentation.
• IT Security System Reviews (including new procedures or technologies implemented).

MRR Rule #10: Rule of Thumb Rule: 10 years and 28 years

When all else fails

Where no statutory requirement exists, and no legal threat is imminent, HCSI makes the following 

• Adult patients, 10 years from the date the patient was last seen.
• Minor patients, 28 years from the date of birth. 

http://www.hcsiinc.com

 

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

The Stark Law – Be Careful Who You Give To

Questions about the Stark Law

Named after U.S. Rep. Pete Stark, the Stark law is also known as the physician-referral law, or the kick-back law

Healthcare Compliance Solutions Inc. (HCSI) recently received this question from a client regarding the Stark Law (Names and places have been changed in this example):

Hello,

Would any of the following violate the Stark Law? Our doctors here at Ophthalmology Associates of Kansas City (OAKC) purchase two NFL season football ticket package for our employees. Sometimes there are tickets left over.

Is it against Stark Laws if:

1.      OAKC doctors give tickets to an employee working at Topeka Optometry Center (TOC) when one of their employees has been extra helpful to us?

2.   An OAKC doctor gives tickets to a TOC employee for a raffle.

3.   OAKC donates the tickets anonymously to TOC?

(Note: Sometimes TOC refers patients to us for surgery).

Thank you for taking the time to read this email.

Lynn B. Jones

Ophthalmology Associates of  Kansas City

We answered their questions by sharing a quote from the website of one of the thousands of law firms trolling for clients who might be willing to blow the whistle on a doctor's best intentions. Both the lawyer and the whistleblower get money for “turning in” doctors. Here is their pitch:

“Learn your rights as a first-to-report whistleblower. You may be entitled to a substantial cash reward. Doctors often try to skirt the law by offering ‘bennies’ to entities who have the potential to favor their services. We have seen many attempts to get around the anti-kickback laws, e.g., Stark Law, including:

• Free lunches to office staff;
• Golf outings;
• Sporting event tickets and hard to get concert seats;
• Etc.

Call this Law Firm for a free, confidential analysis (phone #).”

Overall the original concept of the Stark Law was to protect Medicare patients from being taken advantage of by physicians or organizations who might stand to benefit from referrals for testing, or bribes and kickbacks that might appear to financially benefit a specific physician or other health-care entity.

So what do you do to keep your doctors and clinic safe in your three scenarios:

• Because your doctors get referrals from TOC, unfortunately, that is a fairly clear indication that it violates the Stark Law to give them tickets.
• See #1. It may seem casual and no big deal to say “Yea,we’ve got extra tickets to the game, just come pick ‘em up.” But there’s always the danger of a disgruntled whistleblower that “heard Billy got free tickets to the game from Dr. Jones.”
• If there is a way for OAKC to donate the tickets anonymously you are okay. The challenge is that TOC already knows you have given them tickets. Would they know it is you, even if a third party donated them? You would have to work that out carefully.

A safe rule of thumb to help you steer clear of Stark laws:

Don’t take or give anything of value to entities where there is a potential to benefit one or both of you.

Additional Stark Law and related information:

The High Cost of Stark Law Violations

Anti-kickback & Stark Compliance Information

Don't Write Off Patient Copays

To subscribe to this blog, enter your email address:


Delivered by FeedBurner

Massachusetts Expands Its Breach Notification Requirements: Are You Ready?

As of April 11, 2019, Massachusetts data breach victims will be entitled to enhanced rights and protections under An Act Relative To Consumer Protection From Security Breaches.
Any company that deals with the personal information of Massachusetts residents should be mindful of these regulatory changes and update its data security policies and practices—importantly, including its required Written Information Security Program—to reflect these changes in advance of the April 11, 2019 effective date.
Highlights of the regulatory change include:

Effective April 11, 2019
Data Breach Regulations
Consumer Notification Requirement	Notice must include: (i) resident’s right to a police report; (ii) how resident may request a security freeze; (iii) that there shall be no charge for a security freeze; and (iv) mitigation services to be provided. A sample copy of the notice sent to consumer must be sent to the attorney general and the office of consumer affairs and business regulation. Mass. Gen. L. c. 93H § 3(b)
Consumer Credit Monitoring Services	Breached party is required to provide at least 18 months free-of-charge to Massachusetts residents if breach includes a social security number. Requirement is increased to 42 months if the breached party is a credit monitoring services. Breached party may not require a resident to waive the resident’s right to a private right of action as a condition of the offer of credit monitoring services Mass. Gen. L. c. 93H § 3A
State Regulators Notification Requirement (attorney general and said director, and consumer reporting agencies or state agencies)	Notice must include (i) nature of breach; (ii) number of Massachusetts residents affected by breach; (iii) name and address of breached party; (iv) name and title of party reporting the breach and their relationship to the breached party; (v) type of person or agency reporting the breach; (vi) the person responsible for the breach of security, if known; (vii) type of personal information compromised; (viii) whether the breached party maintains a written information security program; and (ix) any steps the breached party has taken or plans to take relating to the incident; and (x) a report with the attorney general and the director of consumer affairs and business regulation certifying that the breached party’s credit monitoring services comply with Massachusetts regulations. Mass. Gen. L. c. 93H § 3(b)
Consumer Report Regulations
Consent from Consumers Before Obtaining their Reports	Nonwaivable requirement that third parties obtain the prior consent of a consumer AND disclose the reason for obtaining the consumer report to the consumer prior to obtaining consent, before obtaining a consumer report. *note: there are limited exceptions to these requirements for existing accounts. Mass. Gen. L. c. 93 § 51B
Consumers’ Right to Information from Consumer Reporting Agency	Upon request and identification of the consumer, consumer reporting agencies must inform consumers of certain information in their consumer reports such as: · The nature, contents and substance of all non-medical information in its file on the consumer at the time of the request and the source of such information; · The sources of all credit information obtained through routine credit reporting or through any other credit reporting techniques in the file at the time of the request; · The recipients of any consumer report on the consumer which it has furnished for employment purposes within the 2-year period preceding the request, and for any other purpose within the 6-month period preceding the request. Mass. Gen. L. c. 93 § 56a
Consumer Reporting Agency’s Obligation to Advise Consumers of Rights	Advise the consumer of the consumer’s rights with each written disclosure, or in response to a request by the consumer to be advised as to the consumer’s rights. See section for prescribed language. Mass. Gen. L. c. 93, § 56b
Requirements When Providing Paid Security Freeze Products	A consumer reporting agency shall not knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer’s credit unless at the time of transaction, it notifies the consumer of the availability of obtaining a security freeze without charge AND provides information to the consumer on how to obtain a security freeze. Mass. Gen. L. c. 93, § 62B

As your organization prepares to incorporate these changes into your incident response plans, members of any breach response teams should receive updated training to ensure that the regulatory required information is shared with the appropriate parties. In addition, if your company handles SSNs of Massachusetts residents, you should identify a consumer credit monitoring service to engage in the event of a breach.
These changes are a continuation of Massachusetts’ history of being at the forefront of data protection law development in the U.S. Accordingly, it would not be surprising if other states followed suit in amending their respective data protection laws to enhance consumer rights and breached party reporting requirements.

Article courtesy of : Burns & Levinson LLP - Brooke A. Penrose

State Minimum Wage Increases for 2019 (Map) from BLR.com

Minimum wage increases will affect numerous states across the country in January 2019.

Under the Fair Labor Standards Act (FLSA), the current federal minimum wage is $7.25 per hour, but the FLSA does not supersede any state or local laws that are more favorable to employees. Therefore, if a state or municipality has a minimum wage that is higher than the federal minimum, employers subject to the state or local minimum wage law are obligated to pay the higher rate to employees working there. The minimum wage for federal contractors in 2019 is $10.60 per hour.

The map below shows the states that are increasing their minimum wages, including the new rates and amounts of the increases as of the date of publication of this article. We also provide a listing of the states increasing their minimum wages and the effective dates of the changes below the map.

State Minimum Wage Changes Effective December 31, 2018

New York: New York City (NYC) large employers (11 or more) $15.00. NYC small employers (10 or fewer) $13.50; increasing to $15 12/31/19.

Long Island and Westchester $12.00; increasing to $13.00 12/31/19; $14.00 12/31/20; $15.00 12/31/21.

Remainder of New York state $11.10; increasing to $11.80 12/31/19; $12.50 12/31/20. Annual increases for the remainder of New York state will continue until the rate reaches $15 per hour, then the rate will increase on an annual basis.

Fast food employees in NYC $15.00. Fast food employees outside NYC $12.75; increasing to: $13.75 12/31/19; $14.50 12/31/20; $15.00 7/1/21.

State Minimum Wage Changes Effective January 1, 2019

Alaska: $9.89 per hour.

Arizona: $11.00 per hour. Increasing to: $12.00 1/1/20. Local laws may require different minimum wage rates.

Arkansas: $9.25 per hour. Increasing to: $10.00 1/1/20; $11.00 1/1/21.

California: $12.00 per hour with 26 employees or more; $11.00 per hour with fewer than 26 employees. There are scheduled future increases. For 26 employees or more the minimum wage rate is increasing to: $13.00 1/1/20; $14.00 1/1/21; $15.00 1/1/22. For 25 employees or less the minimum wage rate is increasing to: $12.00 1/1/20; $13.00 1/1/21; $14.00 1/1/22; $15.00 1/1/23. Local laws may require different minimum wage rates.

Colorado: $11.10 per hour. Increasing to: $12.00 1/1/20.

Florida: $8.46 per hour.

Maine: $11.00 per hour. Increasing to: $12.00 1/1/20. Local laws may require different minimum wage rates.

Massachusetts: $12.00 per hour. Increasing to: $12.75 1/1/20; $13.50 1/1/21; $14.25 1/1/22; $15.00 1/1/25.

Minnesota: $9.86 per hour for large employers (annual gross revenue of $500,000 or more); $8.04 per hour for small employers (annual gross revenue of less than $500,000). Local laws may require different minimum wage rates.

Missouri: $8.60 per hour. Increasing to: $9.45 1/1/20; $10.30 1/1/21; $11.15 1/1/22; $12.00 1/1/23.

Montana: $8.50 per hour.

New Jersey: $8.85 per hour.

Ohio: $8.55 per hour (gross receipts of $314,000 or more); $7.25 per hour (gross receipts less than $314,000).

Rhode Island: $10.50 per hour.

South Dakota: $9.10 per hour.

Vermont: $10.78 per hour.

Washington: $12.00 per hour. Increasing to: $13.50 1/1/20. Local laws may require different minimum wage rates.

State Minimum Wage Changes Effective July 1, 2019

D.C.: $14.00 per hour on 7/1/19. Increasing to: $15.00 7/1/20.

Oregon: $12.50 Portland metro area; $11.25 urban counties; $11.00 rural counties on 7/1/19. The Portland metro area will increase to $13.25 7/1/20; $14.00 7/1/21; $14.75 7/1/22. The urban counties will increase to $12.00 7/1/20; $12.75 7/1/21; $13.50 7/1/22. The rural counties will increase to $11.50 7/1/20; $12.00 7/1/21; $12.50 7/1/22.

State Minimum Wage Changes Effective October 1, 2019

Delaware: $9.25 per hour on 10/1/19. Increasing to: $9.75 10/1/20, $10.25 10/1/21.

Minimum Wage Basics

The federal FLSA requires that a minimum wage be paid for all hours an employee is “suffered or permitted” to work for the employer (29 U.S.C. §203(g)) and that an overtime wage be paid for all hours “worked” over 40 in a week. The FLSA does not specifically define “hours worked” or place a limit on the number of hours an employee may work; it requires only that overtime be paid for any hours worked over 40.

Determining exactly what constitutes hours worked is essential in determining an employee’s compensation and compliance with both minimum wage and overtime requirements of the act.

Hours worked includes time during which an employee is “necessarily required to be on the employer’s premises, on duty or at a prescribed work place” (29 C.F.R. §785.7). This broad definition of hours worked may require that an employee be compensated for time the employer does not otherwise consider working time, such as travel time, waiting time and certain meal, rest and sleep periods, and time the employee is required to spend in training, at seminars, or in meetings.

The courts and the U.S. Department of Labor, however, have developed a de minimis rule, whereby employers may disregard insubstantial or insignificant periods of time beyond the scheduled working hours, if, as a practical administrative matter, such time cannot be precisely recorded.

If employees are checking e-mails for 2 or 3 minutes, employers will likely not have to pay for this time. But if employees are spending 10 to 15 minutes after work hours, employers will have to pay employees for this work time. Also, the FLSA explicitly permits the rounding of an employee’s start and stop times.

Hours worked for purposes of the FLSA does not include time spent on call, time spent waiting to work, or time when an employee is required to carry a pager or cell phone, provided the employee is otherwise free to effectively use the time for his or her own personal purposes. The FLSA does not obligate employers to pay employees for holidays, vacation, or sick days.

The rules are strict, but the penalties are stricter. Paying employees properly now will help you to avoid expensive fines, claims, and lawsuits down the line.

Article courtesy of www.blm.com