Thursday, June 18, 2009

Five Point HITECH Prep Plan

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) compliance deadline is September 18, 2009. The law sets new health privacy requirements, including a breach notification mandate and a broader definition of "personal health information" (PHI). In an article for CSO, ID Experts Chief Security Officer Rick Kam outlines steps organizations can take toward compliance. Among them, Kam recommends: conducting a risk-based assessment; securing PHI; and planning for breach detection and response, among others. "[The Act] will likely affect every aspect of your operations...," Kam writes. "With increasing risks, a better understanding of the compliance process will benefit your patients, your employees and your business."

Wednesday, June 17, 2009

FTC Issues Consent Order Against Nutter & Co.

The Federal Trade Commission (FTC) yesterday issued a consent order against James B. Nutter & Company for violations of the Gramm-Leach-Bliley Act privacy and safeguards rules. The commission found that the mortgage lender failed to: maintain a written information security program; adequately protect information stored on its network; institute appropriate security measures for personal information on its network; and provide adequate privacy notices, among other violations. The notice sets out actions the company must take as a result, including an order requiring biennial third-party assessments for the next 10 years. Privacy expert Rebecca Herold, CIPP, says: "This case demonstrates the long-term consequences of not implementing a strong information security program."

As we prepare to enter the enforcement phase of Red Flags Rule compliance, it is important to note that enforcement of GLB and other privacy-based laws is ongoing. GLB's compliance recommendations are very similar to those of FACTA:
  • Adoption of an identity theft prevention and response plan specific to the business
  • Training of all employees on that specific plan
  • Oversight of the policies of all contractors and third parties that might have access to nonpublic personal information (NPI)
  • Full documentation of the above
  • Optionally, offering a mitigating identity theft service to all employees for their individual protection

All of the above, combined with other procedures specific to each business, comprise a proactive response to the threat of data breaches. That is precisely what the FTC is asking every business to do: establish a proactive program to mitigate the risk of breach and train all employees on their roles in protecting the data. If you include in the training a general awareness of identity theft as it affects the individual, you create the "culture of security" that is essential in today's world.

The guidelines set out in GLB and again in FACTA affect virtually every business in America, either directly as a requirement or as a service provider for a business that is directly covered. The regulations under the new HIPAA (HITECH) initiative, along with new state and federal breach reporting laws, will soon make it mandatory for virtually all businesses to adopt such a plan.

While August 1st is set as the enforcement date for the Red Flags Rule, now is the time for businesses, non-profits, municipalities, school districts, etc., to put such plans in place and get their staff up to speed. In the programs I help my clients initiate, the staff training meeting takes 45 minutes to an hour. Add a short meeting with management and the framework can be in place. It can be much simpler to accomplish than it seems at first.

Monday, June 15, 2009

Medical Problems Could Include Identity Theft

By WALECIA KONRAD New York Times June 12, 2009

Everyone needs to pay attention to this. When you are shopping for an identity theft service, ask yourself whether the one you are considering will absolutely protect you from, or restore you after, this nightmare.

Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston, has never had any real health problems and, luckily, he has never stepped foot in an emergency room. So imagine his surprise a few years ago when he learned he owed thousands of dollars worth of emergency-service medical bills.

Mr. Sharp, as it turned out, was a victim of a fast-growing crime known as medical identity theft.

At the time, Mr. Sharp was about to get married and buy his first home. Before applying for a mortgage he requested a copy of his credit report. That is when he found he had several collection notices under his name for emergency room visits throughout the country.

“There was even a $19,000 bill for a Life Flight air ambulance service in some remote location I’d never heard of,” said Mr. Sharp, who made this unhappy discovery in 2003. “I had emergency room bills from places like Bowling Green, Kan., where I’ve never even visited. I’m still cleaning up the mess.”

The last time federal data on the crime was collected, for a 2007 report, more than 250,000 Americans a year were victims of medical identity theft. That number has almost certainly increased since then, because of the increased use of electronic medical records systems built without extensive safeguards, said Pam Dixon, executive director of the nonprofit World Privacy Forum and author of a report on medical identity theft.

And uncountable, Ms. Dixon said, are the people who do not yet know they are victims. They may not know that their medical information has been tampered with for months or even years until, as in Mr. Sharp’s case, it shows up in collections on a credit report.

Medical identity theft takes many guises. In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

In a widely reported case in 2006, a clerk at a Cleveland Clinic branch office in Weston, Fla., downloaded the records of more than 1,100 Medicare patients and gave the information to her cousin, who in turn made $2.8 million in bogus claims.

When people are not aware their medical identities have been stolen, insurance companies may simply continue to pay the fraudulent claims without the victim’s knowledge. The person might learn of the fraud only when trying to make a legitimate claim, and the insurance company informs them they have reached their lifetime cap on benefits.

Or victims may eventually discover erroneous information in their medical files during a doctor or hospital visit. And that may pose a bigger danger than the financial risks. The medical records may now contain vital information like blood type, allergies, prescription drug use or a history of disease that is just plain wrong. In an emergency, doctors could treat you based on this erroneous information.

And there are none of the consumer protections for medical identity theft victims that exist for traditional identity theft. Under the Fair Credit Reporting Act you can get a free copy of your credit report each year, put a fraud alert on your account and get erroneous charges deleted from your record. If your credit card is stolen and the thief goes on a spending spree, you’re not liable for more than $50 worth of the charges. 1


With medical identity theft, though, the fraudulent charges can remain unpaid and unresolved for years, permanently damaging your credit rating. Under the federal law known as Hipaa — the Health Insurance Portability and Accountability Act — you are entitled to a copy of your medical records, but you may have to pay a hefty fee for them.

Worse, Hipaa privacy rules can actually work against you. Once your medical information is intermingled with someone else’s, you may have trouble accessing your files. Privacy laws dictate that the thief’s medical information now contained in your records must be kept confidential, too.

Even when you are able to correct a record, say in your doctor’s office, the erroneous information may have been passed on to dozens of other health care providers and insurers. Victims must track down and resolve these errors largely on a case-by-case basis, Ms. Dixon says.

Medical providers contend that they are taking precautions against identity theft. At Cleveland Clinic, for example, security personnel routinely audit electronic medical record systems and all records are password-protected. Many Blue Cross Blue Shield insurers use software to screen for spikes in claims from providers that look suspicious. They also work with providers on encrypting medical files and carrying out data access restrictions, said Calvin Sneed, senior antifraud consultant at the Blue Cross and Blue Shield Association.

And some medical centers and doctors’ offices now require patients to show photo ID and attach photos to patient charts.

But privacy advocates worry that these steps do not go nearly far enough, especially in light of President Obama’s plans to spend $20 billion to increase the use of electronic medical records nationwide as part of the stimulus package. “Without aggressive safeguards, we could be building an infrastructure for massive medical fraud,” said Ms. Dixon.

If you find yourself a victim of this kind of fraud, you are not likely to be as concerned about new privacy laws as about getting help for your situation. Nearly every state's Attorney General has gone on record regarding identity theft. With millions of cases each year, and with the amount of investigative work each one requires, the state AG offices cannot give each case the attention it deserves. We all need to find ways to safeguard ourselves, and a good identity theft service is by far the most efficient way to do that. A restorative service will handle the brunt of the work: sorting out records, establishing a clear account of the crimes that were committed, and finally clearing the false entries from your records.

1 That $50 cap applies to credit cards under the Truth in Lending Act. Debit cards are governed instead by the Electronic Fund Transfer Act (Regulation E), which is less forgiving: report a lost or stolen card within two business days of discovering the loss and your liability is limited to $50; report it later but within 60 days of the statement showing the unauthorized transfers and your liability can reach $500; after those 60 days, the bank is not required to recover later losses. ed.