Medical Identity Theft

stock-photo-39788480-identity-theftMedical identity theft is on the increase. The Identity Theft Resource Center (ITRC) reports that as of March 30, 2015, there have been a total of 68 breaches involving 99,335,375 records reported in the medical/healthcare industry. See Identify Theft Resource Center 2015 Data Breach Stats, Report Date: 3/30/2015, pages 5-7, on their website. A “breach” is defined  to include an event in which an individual’s name plus Social Security Number, driver’s license number, medical record, or financial record (including credit/debit card) is potentially at risk either in electronic or paper format. Id. at page 2.

Medical identity theft usually occurs when a person’s name and part of the person’s identity, such as insurance information, are utilized by a criminal to acquire medical goods or services without the person’s consent. Typically, the criminal is uninsured but in need of medical goods and/or services. Medical identity theft frequently results in incorrect entries in the victim’s existing medical records, or it may result in the creation of a false medical record in the victim’s name.

Gary Cantrell, Deputy Inspector General of the Office of Inspector General (OIG) recently testified before the Subcommittee on Oversight of the House Ways and Means Committee regarding the OIG’s efforts to combat Medicare fraud. He stated that medical identity theft plays a key role in many of the Medicare health care fraud schemes investigated by the OIG. Often medical identity theft occurs with the use of recruiters or marketers. They entice Medicare beneficiaries to provide their identifying information including their Medicare numbers or Health Insurance Claim Numbers by promising them something of value in return such as money, services, equipment, prescriptions, or narcotics. Other times insiders may work in the health care profession which gives them access to beneficiaries’ personally identifiable information. These insiders acquire this information which they then sell to co-conspirators who have the ability to bill Medicare using the information.

In a sample survey of 49,266 respondents who were victims of identity theft in the United States, many reported a lack of confidence in their health care providers’ privacy and security measures to protect medical records. Seventy-nine percent of the respondents stated it is important for health care providers to ensure the privacy of their medical records; 48 percent stated they would consider changing health care providers if their medical records were lost or stolen; and 40 percent stated it is important for health care providers to provide prompt notification of a breach. Ponemon Institute, Fifth Annual Study on Medical Identity Theft, February 2015, pages 3 and 4.

What Steps Can Health Care Providers Take to Prevent or Mitigate Medical Identity Theft?

While health care providers may have implemented HIPAA policies and procedures to protect against the unauthorized use or disclosure of protected health information (which may result in identify theft), many health care providers may not have implemented a Red Flags Rule Program. Whether a health care provider is required to implement a Red Flags Rule Program depends on whether it falls within the definition of “creditor” under the Red Flags Rule. There are a series of questions, the answers to which determine whether a health care provider falls within the definition of a creditor.

Does the health care provider regularly:

Defer payment for goods and services or bill customers? or Grant or arrange credit? or Participate in the decision to extend, renew, or set the terms of credit?

If the answer to any of the above three questions is “yes”, then does it regularly or in the ordinary course of business:

Obtain or use consumer reports in connection with a credit transaction? or Give information to credit reporting companies in connection with a credit transaction? or Advance funds to or for someone who must repay them, either with funds or pledged property (excluding incidental expenses in connection with the services provided?

If the answer to one or more of the above three questions is “yes”, the health care provider is a creditor covered by the Red Flags Rule. Even it the answer is “no” implementing a Red Flags Rule Program can be beneficial. A Red Flags Rule Program will assist health care providers in identifying identity theft by looking for the “red flags” or patterns, practices, or activities that indicate the possible existence of identity theft. A Red Flags Rule Program will also assist providers in taking steps to prevent or mitigate identify theft.



If you have any questions concerning medical identity theft or the privacy and security of medical records or would like assistance in developing a Red Flags Rule Program, please contact Rochelle H. Zapol, a partner in Prince Lobel’s Health Care Practice and the author of this alert. You can reach Rochelle at 617 456 8036 or

Asya Calixto Answers NENPA’s Media Law Hotline “Question of the Week” on Storing Subscriber’s Information and Private Policy

Question: My paper is considering moving to a new system of storing subscriber information, and we think we should revise our privacy policy as part of this process. What should we be considering as we do so?

Answer: You should certainly update your privacy policy to reflect changes in how you collect, use, and store information about visitors to your website. The Federal Trade Commission’s latest enforcement actions serve as a reminder of the importance of being honest and transparent with your visitors. For example, the FTC reprimanded Snapchat for telling its users that messages sent through Snapchat would disappear forever several seconds after they were received, when in fact there were well-known and widely available methods for a recipient to capture and store the messages indefinitely. American Apparel also got into trouble for representing in its privacy policy that it was complying with a self-regulatory privacy program, when in fact its certification had lapsed. The lesson? Don’t make promises you can’t keep. Be realistic, and revisit your privacy policy to make sure that what you convey to visitors is consistent with your practices.

Click here to read Asya’s complete answer.

The Media Law Hotline is a service offered free of charge to NENPA members in good standing, and is staffed by the media and intellectual property lawyers at Prince Lobel Tye LLP. You can reach the NENPA Hotline at 1-888-428-7490 or by email at

Asya Calixto

Officers’ arrest records and mugshots are fair game under Massachusetts law

Thanks to The Boston Globe’s Todd Wallack, we learned last week that the supervisor of records, charged with enforcing the Massachusetts public records law, has permitted police departments to withhold arrest reports and mug shots from the public in their “discretion.” Unsurprisingly, police departments have exercised that “discretion” to shield the identities of police officers arrested for drunken driving while publicizing the arrests of other Massachusetts residents for the same crime.

Yesterday, Secretary of State William Galvin took to Jim Braude’s “Greater Boston” show on WGBH-TV (Channel 2) to defend the rulings. He pointed out that he had previously ruled arrest reports to be public, but said he had to back down because another agency, the Department of Criminal Justice Information Systems (DCJIS), told him the records are secret under the “criminal offender record information” (CORI) statute. Former attorney general Martha Coakley shared that view, Galvin said, and the new attorney general, Maura Healey, has tentatively agreed.

But are they correct? Does the law allow the police officers to decide which arrest reports do and do not get released? The answer, thankfully, is no.

First, some quick background. The public records law creates a presumption that all government records are public. Only if a specific, listed exemption applies can the government withhold documents, and those exemptions are supposed to be construed narrowly. Galvin relies on the exemption for records “specifically or by necessary implication exempted from disclosure by statute,” here, the CORI law. The CORI law does impose certain limits on the disclosure of “criminal offender record information,” but it limits that term to information “recorded as the result of the initiation of criminal proceedings and any consequent proceedings related thereto.”

The word “initiation” is important. As late as 2010, Galvin’s office held the commonsense view that a “criminal proceeding” is initiated with the filing of a criminal complaint. Arrest reports and mug shots are generated before criminal complaints are filed, so they’re presumptively public. But in 2011, the DCJIS (which administers the state’s CORI database) told Galvin it believed “initiation of criminal proceedings” means “the point when a criminal investigation is sufficiently complete that the investigating officers take actions toward bringing a specific suspect to court.” That necessarily precedes arrest and booking, so all arrest reports and mug shots are covered by CORI. This “interpretation” is now contained in a DCJIS regulation. Another regulation says that police can release CORI information surrounding an investigation if they think it’s appropriate to do so.

In the common parlance, however, “criminal proceedings” occur in court, and they begin with the filing of a criminal charge. We don’t typically think of an arrest without charges as involving a “proceeding.” Galvin seems to agree — his office’s rulings have said only that DCJIS believes“initiation” occurs earlier — but he has thrown up his hands and deferred to this odd “interpretation” of the CORI statute.

The thing is, Galvin isn’t bound by what DCJIS says. The public records law says that the supervisor of records is entitled to determine “whether the record requested is public.” The DCJIS’s regulation adopting this view is irrelevant, too, because as noted above, the public records law only exempts documents “specifically or by necessary implication exempted from disclosure by statute.” The Supreme Judicial Court ruled in 1999 that the “statutory” exemption doesn’t extend to mere regulatory enactments “promulgated under statutory authority,” even “in close cooperation with the Legislature.” Despite this ruling, just Wednesday, Galvin’s office again refused to order state police officer mug shots to Wallack on the ground that “[b]y regulation,” — not statute — they are exempt CORI documents.

Wallack’s reporting has led us to a momentous Sunshine Week in Massachusetts. We’ve seen unusual, coordinated editorials in major Massachusetts newspapers condemning the rulings, a letter published in the Globe, the Boston Herald and GateHouse Media newspapers (including The Patriot Ledger of Quincy and The Herald News of Fall River) signed by members of the Northeastern Journalism School faculty, and extensive coverage on the normally neglected subject of government transparency.

To his credit, Galvin is calling for reforms to the public records law, and Attorney General Healey has vowed to work with his office to strengthen transparency. Reforms are sorely needed, especially to require shifting of attorneys’ fees if a requester successfully sues. But in the meantime, Galvin can and should reconsider his misguided rulings on arrest records.

– Jeffrey J. Pyle


If you have any questions about the information presented here, or would like to learn more about how Prince Lobel can address any of your media law concerns, please contact Jeffrey Pyle, the author of this post, at 617 456 8143 or, or click here to contact any of the attorneys in the firm’s Media Law practice group.

Massachusetts ruling on the withholding of officers’ criminal records is startling

In a series of sweeping rulings, the Massachusetts Secretary of State’s office has ruled that police have the “discretion” to deny public access to arrest reports, mug shots, and other criminal records.  As an excellent story by the Boston Globe’s Todd Wallack reveals, Supervisor of Records Shawn Williams has interpreted the state’s public records law not to apply to arrest records on the ground that they constitute criminal offender record information (“CORI”), as defined in another state statute.  However, Williams’ predecessor, Alan Cote, ruled as recently as 2010 that a record is not exempt from disclosure as CORI unless it is created after the filing of a criminal complaint, which arrest reports and mug shots are not.

Tellingly, the police frequently trumpet arrests they make on blogs and public statements.  However, when Wallack asked for the arrest reports of police officers accused of drunk driving, he was told they constituted non-public CORI, and the Supervisor of Records agreed.  If these rulings survive court challenge, they would appear to make Massachusetts the only state where arrest records are categorically exempt from public disclosure.  The development is another black mark on a state that has already received an “F” grade from the Center for Public Integrity on the efficacy of its public records law.

You can read the Globe story here, and hear me discuss the matter on WBUR’s Radio Boston here.


– Jeffrey J. Pyle

If you have any questions about the information presented here, or would like to learn more about how Prince Lobel can address any of your media law concerns, please contact Jeffrey Pyle, the author of this post, at 617-456-8143 or, or click here to contact any of the attorneys in the firm’s Media Law practice group.

Making the Case for a CO2 Charge on a Snowy Day in MA

stock-photo-energy-solar panal-renewable energy

What if you could receive an annual check from Massachusetts for simply reducing the amount of fossil fuel you use? On February 4, 2015, Prince Lobel hosted a panel discussion with the New England Women in Energy and the Environment (NEWIEE) to discuss this question and the proposed legislation by state Senator Michael Barrett, which would do exactly that. Sen. Barrett was joined on the panel by Tufts University Professor of Economics Gilbert Metcalf, and Wayne Davis of Harvest Power, Inc. The panel was moderated by Zaurie Zimmerman of Business Leaders for Climate Action. The timely topic drew a great crowd despite the winter weather and the Patriots’ Duck Boat parade earlier that day.

What is Carbon Pricing?

Under Senator Barrett’s proposed legislation, An Act Combating Climate Change – SD285, a “carbon charge” would be added to the price of each coal, petroleum and natural gas fuel in proportion to the CO2 thrown off as a byproduct. The CO2 charge, which is endorsed by Prof. Metcalf and Mr. Davis, is not a tax, but instead is “revenue neutral.” The goal is not to generate revenue, but to encourage individuals to be more thoughtful about their use of fossil fuels. The Act provides that each state resident would receive an equal share of the total CO2 charges collected in an annual or quarterly check. Households could then spend some of this rebate money improving the energy efficiency of their homes and vehicles, and using cleaner, renewable energy instead of fossil fuels. A sliding price scale means the CO2 charge can be lowered by switching from coal to oil, from oil to natural gas, or, ideally, natural gas to a renewable energy source like solar or wind power.  Massachusetts businesses and other entities would receive a rebate in proportion to their share of total employment in the state, though additional rebates would be provided to businesses that are energy intensive and face significant competition outside of Massachusetts.

What are the Impacts?

The most important impact is that the Act would cut CO2 emissions more substantially than any other existing or proposed regulatory policy. In addition, low and moderate income households would get back at least as much as they pay for higher costing fossil fuels. The Act would save billions of dollars spent on imported fossil fuels, leaving more money for creating and expanding Massachusetts businesses and increasing employment.

Why Massachusetts?

Massachusetts state law requires that we cut greenhouse gas emissions (primarily CO2) to 25% below 1990 levels by 2020 and to at least 80% below 1990 levels by 2050. This will require a dramatic shift from fossil fuels to clean energy such as solar and wind, while greatly improving the efficiency of our energy use. Carbon pricing has already by tried and tested – and proven to work – in British Columbia since 2008. The money from carbon pricing has gone back to the public, repeal efforts have failed, and the system is popular. With lessons learned from British Columbia, the panelists believe that Massachusetts is ripe for implementing the carbon pricing system.

Barry C.Burke
This blog was prepared by Julie Barry and Cailin Burke. For more information, see the attached materials from the event below, or contact Julie, a partner in the firm’s Renewable Energy Practice Group, at, or 617 456 8090.

Carbon Tax Panel Discussion materials

The NLRB Protects Non-Union Employees’ Ability to Complain About Working Conditions Through Electronic Mail

The National Labor Relations Board (NLRB) has continued its aggressive posture in matters involving employees’ (ability to communicate with one another in the workplace, including the virtual workplace of the cyber world). In a December 2014 case entitled, Purple Communications, Inc., the NLRB overturned a 2007 decision, in which it had held that an employer could “lawfully bar non-work-related use of its [email] system” even if the employees were using the email system for union organizing or to engage in discussions concerning wages, benefits or other workplace issues. In Purple Communications, the NLRB ruled that employees who already have access to an employer’s email system and use the system in the course of their work, have the right to use the system to communicate about union organizing and/or about workplace and employment conditions generally. These communications are protected under Section 7 of the NLRA, which gives all employees (union and non-union) the right, among other things, to discuss the terms and conditions of their employment or organize a union with their co-workers.

Although recognizing the right of employees to use their employer’s email systems to discuss or complain about matters of mutual concern, the NLRB also recognized that this right had to be balanced against an employer’s legitimate interest in efficiently managing its business. The NLRB noted that:

  • Its ruling only applies to employees who already have access to their employer’s email system for work purposes.
  • Employees can only use the email system to discuss union organizing and workplace complaints or issues with their coworkers on non-working time.
  • There might be circumstances where an employer is permitted to “apply uniform and consistently enforced controls over their email systems to the extent that such controls are necessary to maintain production and discipline.”
  • The ruling does not apply to a third party’s use of an employer’s email system, (i.e., an employer can still limit union access to its email system).
  • An employer can monitor employees’ email use to enforce a policy that employees cannot use the system to assert their Section 7 rights during working time. An employer can also monitor its email systems for other legitimate business reasons, such as productivity, the prevention of harassment among coworkers and other activities that could expose an employer to liability.

Although the NLRB states that its ruling in Purple Communications only applies to email systems, its decision leaves no doubt that it would expand its ruling to other forms or electronic communication if the opportunity is presented. Accordingly, non-union and union employers alike should review their policies to ensure that they do not contain prohibitions or restrictions on the use of email and other electronic communication systems that are contrary to NLRB’s ruling in Purple Communications.

If you have any questions about the information presented here, need assistance with reviewing and updating policies, or would like to learn more about how Prince Lobel can address any of your employment law concerns, please contact Claudia Centomini, the author of this Alert at 617 456 8064 or, or click here to contact any of the attorneys in the firm’s Employment Law Practice Group.

Must Massachusetts Employers Pay Employees for Snow Days?


With an unprecedented amount of snow falling in Massachusetts over the past three weeks, businesses have been forced to close early or not open for business on numerous occasions. Private employers want to know if they are obligated to pay employees during these wintry storms. The answer depends on whether (i) the employee is paid on an hourly basis and/or eligible for overtime after working 40 hours in a work week (non-exempt employee); or (ii) the employee is paid on a salary basis and is exempt from any overtime pay requirements (exempt employee). Employers might also have a snow day policy that offers additional benefits to their employees but those are strictly voluntary.

Exempt Employees

When the office is open and an exempt employee does not come to work because of poor driving conditions or limited public transportation, the employer can deduct a full day’s pay from the employee’s weekly salary. In lieu of deducting one day’s pay, U.S. Department of Labor (DOL) does allow an employer the option of requiring the exempt employee to take accrued vacation or other leave time, or debit the time from a leave bank. If an exempt employee has no leave time available, the employer does not have to pay the employee for not reporting to work for one or more full days during the work week.

The answer differs when the office closes early. An employer cannot deduct any pay from the exempt employee’s weekly salary when the employee has worked only part of the workday. Nonetheless, DOL does allow an employer to direct an exempt employee to use the employee’s leave time for a partial day’s absence as long as the employee receives the employee’s entire weekly salary. This rule also applies when the exempt employee has no accrued leave. The employer must still pay the employee’s guaranteed salary although the employer can deduct the leave time at a later date once the exempt employee accrues the leave time.

Non-Exempt Employees

An employer only has to pay a non-exempt employee for time worked. An employer has the option of creating a policy or practice that requires the non-exempt employee to use his/her accrued leave or vacation time when the office is closed.

Massachusetts, however, has a reporting pay requirement. When a non-exempt employee, who is scheduled to work three or more hours, reports to work and the employer sends the employee home due to inclement weather, the employer must pay the non-exempt employee for three hours at the basic minimum wage rate. (This rule does not apply to organizations granted status as charitable organizations under the Internal Revenue Code.) Issues will arise when it is unclear whether the employer notified the non-exempt employee before the non-exempt employee reported to work. Thus, it is important for an employer to communicate office closures to employees in a timely manner.


If you have any questions about the information presented here, need assistance with reviewing policies, or would like to learn more about how Prince Lobel can address any of your employment law concerns, please contact Claudia Centomini, the author of this Blog is at 617 456 8064 or, or click here to contact any of the attorneys in the firm’s Employment Law Practice Group.