Thursday, May 21, 2009

New Data Initiatives Converge For Information Protection


The Health Information Technology for Economic and Clinical Health Act (HITECH) points to some substantial changes in the rules relating to the minimum necessary disclosures of personal health information, imposes additional notice requirements in the case of security breaches, and grants new enforcement powers to the states.
The Health and Human Services Department, which enforces HIPAA security and privacy laws, recently released guidance on what counts as “unsecured” information and a request for comments on breach notification under HITECH.
For employers whose health plans must comply with HIPAA privacy and security rules, HITECH means they will have to review and update contracts with business associates to ensure that the documents reflect the new privacy and security laws.
The changes introduced by HITECH will have enormous consequences for third-party vendors, such as benefits brokers and consultants, that act as business partners for self-funded group health plans and large, experience-rated insured plans.
Such vendors will need to take steps to conform to the substance of the HIPAA security standards. Compliance will, at a minimum, entail the adoption of physical, administrative and technical safeguards. This will include implementing security policies and procedures.
In the case of business associates, HITECH makes the following changes:

• Business associates are now subject to the substantive provisions of the HIPAA security rules generally in the same manner and to the same extent as covered entities;
• Business associates must now enter into and abide by a business associate agreement (previously, the burden was on the covered entity to identify business associates and to obtain the necessary business associate agreements);
• Business associates are now subject to civil and criminal penalties for violation of these rules; and
• HHS is required to conduct periodic compliance audits of business associates as well as covered entities.

Remember, the Red Flags Rule amendment to FACTA also calls for changes in the contracts with service providers and third-party vendors. Under the law, the changes must include an understanding of that vendor’s policy concerning information security and identity theft prevention. A lot of companies are not used to this kind of oversight, and might not understand their responsibility regarding sensitive information policy.

On August 1 of 2009 the FTC will begin the enforcement phase of the Red Flags Rule. Since the law went into effect on January 1st of 2008, different industry sectors have been on notice to implement a program to address identity theft and how to respond in the event of a breach of information. Now enforcement in the form of audits and possible fines and prosecution will begin for businesses that have ignored or skirted the law as it applies to them. For more information on the Red Flags Rule, see the link in my column to the Red Flags Rule.

When a medical facility, Human Resources contractor, or benefits broker applies the newest rules of HITECH with regard to medical information security, they will not be precluded from adherence to FACTA as well. HIPAA and its initiatives only address the security of medical data, not other types of personally identifiable information such as employee files or financial information. A recent case in January of this year involving the theft of 30,000 personnel files from the Kaiser Medical facilities in Oakland, California, points out graphically that compliance with one law doesn’t necessarily cover the business regarding the other, even though both laws address information security. Compliance for both initiatives does have common ground, however. A written policy is essential as a starting point to establish the culture of security from the Board down. Training, as I mention here as often as I can, is next. I can’t overemphasize the importance of ongoing training of all staff. Contractor oversight is another common point. Without that the system cannot work effectively. It isn’t as important for one company to adhere to a good security program as it is for all the companies that share the information to do so.

It has also come to my attention that enforcement of the HITECH initiatives will be transferred to the FTC, and not be enforced by HHS as previously thought. Although oversight will remain with HHS, the FTC has a track record of enforcement of consumer protection regulations.

Wednesday, May 20, 2009

No State Secrets Lost This Time, Just (maybe) Yours!

The FBI is investigating the loss of a computer hard drive from the National Archives record center, reports the New York Times. The drive contains a terabyte of data, including the personal information of individuals affiliated with the Clinton presidency. A National Archives statement said the drive houses "an as-yet unknown amount of personally identifiable information of White House staff and visitors." Social Security numbers, home addresses and security procedures, but no classified information, are believed to be on the drive. Authorities confirmed the breach in April. Analysts are still reviewing the drive's content.

No system or method of safekeeping your information and mine will ever be completely fraud proof, nor will your information, which resides in everything from your elementary school records, your dentist's office, and military records to your county recorder's office, and so on, be safe from thieves. The opportunity for theft is too vast, and methods of theft too varied, for any combination of methodologies to be effective.

This column is maintained to provide some insight for businesses and other enterprises which maintain personal information. The fact of the matter is that unless we as individuals engage our own identity theft service, we are at the mercy of data thieves and imperfect systems everywhere.

Tuesday, May 19, 2009

A Matter of Value

I would like to step back from identity theft for a moment. The main business of Taylor and Associates is to offer certain benefits to employees in all types and sizes of organizations. The company that I represent, Pre-Paid Legal Services, Inc., is the only underwriter of legal services plans and identity theft restoration services in America. We are growing in public acceptance precisely because of the immediate and practical value our clients receive from the benefit. That is the topic of this column: value.
The services we represent are divided into seven separate areas of coverage. In 2008 our law firms were able to save or recover for our clients $21.9 million within just one benefit area alone! Unlike EAP programs, which have limited legal services built in, our services are comprehensive and are not so severely limited. In fact the popularity of EAP programs is based partly on the demonstrated need for legal services. The majority of the legal needs of a family are completely covered by the membership without spending additional money. When you combine our legal plans with our identity theft program administered by Kroll Fraud Solutions for us, the employee has unparalleled coverage for the two biggest problems Americans face: access to quality private law firms for any and all legal needs, and full protection and restoration from any type of identity theft. According to the U.S. Secret Service, identity theft has surpassed the international drug trade as the most profitable crime in the world. The legal plans were designed to address the areas that families encounter the most: things like traffic court representation to keep auto insurance costs under control, contract review when refinancing or making purchases, consumer issues and product liability, estate planning, IRS audit help, and more. As a victim of massive identity theft in 2000 I was first advised to retain counsel. Because I didn't have the services of Pre-Paid at the time, that became a $26,000 episode for me. Remember, an identity theft episode is a legal situation.

When we work with employee groups the very first thing we do is to hold a Will Workshop with all of our new clients to get them started on a will along with the advance medical directive and durable POA, for each of them and their partners. I want them to receive a benefit the very first day they have our membership. I encourage them to use their services as often as possible simply because it can be a value benefit but only if they take advantage of what it can do for them. In this current economic crisis our attorney firms are making a real difference for people who are in danger of losing their homes to foreclosure, and along the Gulf Coast thousands of families have been helped in the aftermath of the devastating hurricanes. All of the law firms in our proprietary network also have privacy specialists on staff to directly handle identity theft issues. This fact has not been lost on the fifty sitting Attorneys General who have recognized us as a force for equal justice in America. The cost of these services is far less than a dollar a day for everything combined, and as we want to earn the business of each client monthly we never engage in long-term contracts.

After 37 years of continued growth Pre-Paid Legal Services is the pioneer and leader in this industry. Our position on the NYSE shows continuous growth in a volatile market. At Taylor and Associates we take great pride in delivering more value to our clients throughout the country than we receive in money from them. A benefit that people can use is a valued benefit.

I've spoken about the value we bring to employers in the past, but it does bear repeating that by offering the services of trained identity theft risk specialists and the compliance documentation we provide, there is an additional value to the company. Whether legal issues or identity theft, or both, the value to the employee cannot be calculated in simple dollar savings alone but also in terms of a peace of mind that family issues are being handled by professionals with the client's best interest in mind. The value to the employer, besides what I just mentioned, is in the ongoing training and assistance we provide to help with an identity theft program as required by law for most employers. No other firm has all three components in place: identity theft protection services for the employee, comprehensive legal service plans for employees, and a program for the company to reduce its risk from data breach and the fallout from identity theft episodes. All in all the value of the combination of these programs has a proven 37-year track record with over 35,000 employers in every type of business, local government, and non-profit. Value is at the core of how the plans are devised. Pre-Paid Legal Services has amassed what I believe is the largest database of actuarial data in existence to bear this out.