The Paperless Society and Identity Theft

by Tom Silbersack on 2009-10-22 18:29:45
The move to a paperless society is obviously nowhere close to what was expected, and to this day paper documents pose just as much of a risk to an organization as electronic documents. The linked article offers statistics and comments on the subject from identity theft expert John Sileo.

HOW IS THE GOVERNMENT ENFORCING PRIVACY LAWS?

by Tom Silbersack on 2009-01-27 16:38:44

I was recently contacted by someone who asked me about a possible privacy breach that they had experienced, and I responded by recommending they contact the appropriate government agency. This particular breach had to do with a dispute over payment of a past medical bill that was taken care of by this person's insurance, yet they were being harassed by a collection agency for nonpayment.

The possible violation occurred when the insurance company sent proof of payment to the collection agency, which also included private health information about the person in question. I think this illustrates the importance for all companies and organizations, not just health-related companies, of having HIPAA compliance standards in place.

The AMA has a section on its website that deals with many HIPAA FAQs, one of which is "How is the government enforcing the Privacy Rules?" The Office for Civil Rights (OCR) has indicated that enforcement will be complaint-based: the OCR will respond to complaints that are filed but will not proactively investigate. A violation of HIPAA can result in civil fines and/or criminal penalties, so it is important that covered entities come into compliance as soon as possible and respond quickly to complaints.

The Price of Privacy: HIPAA implications

by Tom Silbersack on 2008-11-20 12:47:32

JOURNALISM AND THE PUBLIC'S RIGHT TO KNOW

In an article in The Globe Gazette, Kristin Buehner examines an unintended consequence of HIPAA that affects journalists' ability to obtain and publish common medical information. When HIPAA went into effect, some health care and emergency services professionals withheld information they legally had a right to release, for fear of violating HIPAA.

Newspapers used to publish information their readers expected about their neighbors, whether births or hospital admissions. People would use this information to congratulate, sympathize, or offer help to those involved.

Reporters worry that, because of the penalties involved, the medical community may be hesitant to release information even when the regulations do not specifically restrict it. Case in point: in a natural disaster, medical personnel may be reluctant to release information even though HIPAA permits disclosure in general terms, such as the number of patients and their gender, age and general medical condition.

For journalists, it is a delicate balance between HIPAA privacy rules and the public access rights guaranteed by the First Amendment.

THE SECURITY OF PAPER DOCUMENTS IN THE WORKPLACE

by Tom Silbersack on 2008-11-07 14:52:08

The Security of Paper Documents in the Workplace study, conducted by the Ponemon Institute and sponsored by the Alliance for Secure Business Information (ASBI), dispels the myth that most or all data breaches are caused by lost or stolen electronic documents.

In the study, the vast majority of respondents polled (80%) indicated their company had experienced one or more data breaches in the last 12 months alone. Forty-nine percent stated that one or more of these breaches involved the loss or theft of paper documents.

Key findings from the study also revealed the need for companies to take tighter control of how they manage their paper trail, through stronger enforcement of their policies.

The full report is linked from the original post.

245,159,743

by Tom Silbersack on 2008-10-28 15:25:06

As of early 2008, 245,159,743 is the number of records containing sensitive personal information that had been involved in security breaches in the United States since January 2005.

One large breach with relevance to the current mortgage crisis involved as many as 2,000,000 records from Countrywide Financial Corp. The FBI arrested a former employee in a scheme to steal and sell personal information, including Social Security numbers. The employee, working with accomplices, would download as many as 20,000 customer profiles per week and sell the Excel files for $500.00 to buyers in the mortgage industry, who used the information to make sales pitches to these "potential" customers.

HIPAA AND THE NFL

by Tom Silbersack on 2008-09-25 09:04:19

I am a big fan of NFL football and, of course, being from Green Bay, of the Packers. During last week's game the Packers suffered a rash of injuries, the most serious being to Al Harris, who sustained a serious injury to his spleen. This got me thinking about how NFL teams, and this could apply to all levels from high school on up, must walk a tight line on the injury front when sharing injury information with the media.

The coaches and GMs, on the one hand, have an obligation to fans and the press to convey honest information, while weighing the privacy rights of the individuals involved. I'm wondering if sometimes, when there seems to be something missing from the answers and comments of coaches and players alike, it could be dictated in some way by privacy laws!

HIPAA and Law Enforcement

by Tom Silbersack on 2008-06-19 16:50:46

An article on June 15 from the Green Bay Press Gazette examines how HIPAA regulations can interfere with the ability of law enforcement officials to obtain timely information and details about the release of suspects who are hospitalized.

Hospital officials, bound by federal and state privacy regulations, often cannot provide details about a patient's condition or planned release date without a waiver from the patient or a subpoena from a judge. Much of the problem hinges on the interpretation of HIPAA, which mandates what information health-care providers can release about their patients, even to law enforcement.

HIPAA rules allow hospitals to release some information to law enforcement, but only when officers can show it is "relevant and material" to an investigation. Even then, hospitals can release only the limited information needed at that point in the investigation, and applying HIPAA alongside state laws requires interpretation.

For law enforcement purposes hospitals may disclose protected health information under the following six circumstances:

1) as required by law (including court orders, warrants, and subpoenas).

2) to identify or locate a suspect, fugitive, material witness, or missing person.

3) in response to a law enforcement official's request for information about a victim or suspected victim of a crime.

4) to alert law enforcement of a person's death if the covered entity suspects that criminal activity caused the death.

5) when a covered entity believes that the protected health information is evidence of a crime that occurred on its premises.

6) by a covered health-care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

CIVIL LAWSUITS AND HIPAA

by Tom Silbersack on 2008-04-09 17:00:30

Arnold S. Rosenbaum, MD, in an article from For The Record, discusses the financial liability presented by the possibility of leaked, misplaced, unsecured, or internet-hacked information. There is a widespread misunderstanding that malpractice and professional liability policies cover damages resulting from civil lawsuits over HIPAA privacy and security breaches.

Physicians and providers are not protected from civil HIPAA litigation by their standard malpractice, errors and omissions, or general liability policies. Most insurance companies have taken the position that only stand-alone, HIPAA-specific coverage applies.

HOW MUCH RISK?

Personal injury attorneys have indicated that lawsuits arising from the inadvertent or purposeful release of PHI (personal health information) will be a significant component of their practices. Any failure to comply with HIPAA permits not only federal prosecution but also civil remedy for damages.

PROTECT YOURSELF AND YOUR PRACTICE!

HIPAA mandates that every organization with access to PHI must secure and protect that information, whether it is in verbal, paper (see Record Shredders), or electronic form. The following are four major steps toward compliance and toward avoiding HIPAA-related civil litigation:

1. Secure record storage: lock file cabinets and lock file rooms. Secure record storage is the first step to ensuring that PHI is handled in accordance with the HIPAA regulations.

2. Secure fax machines. It is essential to consider who has access to your fax machine and who has authorization to view patients' records.

3. Secure Virtual Private Network. A secure internet connection with proper firewall protection is essential in protecting PHI.

4. Background Checks. These are essential in determining the level of security within your organization.

HIPAA COMPLIANCE

To protect against this serious liability threat, healthcare organizations are required to implement a documented, best-practices procedure for full compliance, and to purchase liability insurance. A thorough compliance package should include a needs assessment, gap analysis, training, secure networks for electronic data transmission, on-site and off-site paper and digital data storage, background checks, and data recovery services.

OOPS, OOPS, OOPS

by Tom Silbersack on 2008-01-24 14:15:59

WISCONSIN PRIVACY PROTECTION BUILT WITH A WALL OF SWISS CHEESE

In a little over a year, the State of Wisconsin has had three mailings with Social Security numbers clearly visible. The first breach came when the state mailed 170,000 2006 tax booklets with Social Security numbers printed on the mailing labels. This gaffe was blamed on a programming error at the printing company responsible for the mailings.

The second potential gift to identity thieves came earlier this month, when 260,000 brochures were sent to Medicaid, SeniorCare, and BadgerCare recipients with Social Security numbers printed on the front.

The most recent problem occurred when 5,000 taxpayers were mailed 1099-G tax forms with their Social Security numbers showing.

That's 436,000 Wisconsin citizens exposed to possible security breaches by the Departments of Revenue and Health and Family Services. One can only wonder at the liability a private company would be facing for similar violations. The moral of this story is to be ever vigilant with your security compliance strategies!

Taxpayers affected by the latest mishap can call toll free 888-844-4474 or e-mail dor1099G@revenue.wi.gov.

For information about identity theft protection visit www.equifax.com

RISK MANAGEMENT AND INFORMATION DISPOSAL

by Tom Silbersack on 2007-10-29 16:14:16

The following are interesting facts posted by NAID (the National Association for Information Destruction).

1. EVERY BUSINESS HAS INFORMATION THAT REQUIRES DESTRUCTION

All businesses have occasion to discard confidential data. Customer lists, price lists, sales statistics, drafts of bids and correspondence, and even memos contain information about business activity that would interest any competitor. Every business is also entrusted with information that must be kept private; employees and customers have a legal right to be protected.

Without the proper safeguards, information ends up in the dumpster, where it is readily, and legally, available to anybody. Business espionage professionals consider the trash the single most available source of competitive and private information from the average business. Any establishment that discards private and proprietary data without destroying it exposes itself to the risk of criminal and civil prosecution, as well as the costly loss of business.

2. STORED RECORDS SHOULD BE DESTROYED ON A REGULAR SCHEDULE.

The period of time that business records are stored should be determined by a retention schedule that takes into consideration their useful value to the business and the governing legal requirements. No record should be kept longer than this retention period.

By not adhering to a program of routinely destroying stored records, a company exhibits suspicious disposal practices that could be negatively construed in the event of litigation or an audit. Also, the new "Federal Rule 26" requires that, in the event of a lawsuit, each party provide all relevant records to the opposing counsel within 85 days of the defendant's initial response. If either litigant does not fulfill this obligation, it will result in a summary finding against them. By destroying records according to a set schedule, a company appropriately limits the amount of material it must search through to comply with the law.

From a risk management perspective, the only acceptable method of discarding stored records is to destroy them by a method that ensures that the information is obliterated.  Documenting the exact date that a record is destroyed is a prudent and recommended legal precaution.

3. INCIDENTAL BUSINESS RECORDS DISCARDED ON A DAILY BASIS SHOULD BE PROTECTED.

Without a program to control it, the daily trash of every business contains information that could be harmful. This information is especially useful to competitors because it contains the details of current activities. Discarded daily records include phone messages, memos, misprinted forms, and drafts of bids and correspondence. All businesses suffer potential exposure due to the need to discard these incidental records. The only means of minimizing this exposure is to make sure such information is securely collected and destroyed.

4. RECYCLING IS NOT AN ADEQUATE ALTERNATIVE FOR INFORMATION DISPOSAL

To extract the scrap value from office paper, recycling companies use unscreened, minimum-wage workers to sort the paper extensively under unsecured conditions. The "acceptable paper" is stored for indefinite periods of time until there is enough of a particular type to sell. The sorted paper, still intact, is then baled and sold to the highest bidder, where it is again stored until it is finally used to make new products. There is no fiduciary responsibility inherent in the recycling scenario.

Paper is given away or sold, and by doing so a company gives up the right to say how it is handled. There is also no practical means of establishing the exact date that a record is destroyed; in the event of an audit or litigation, this could be a legal necessity. Further, if something of a private nature does come up, the selection of this unsecured process could be interpreted as negligent. For all these reasons, the choice of recycling as a means of information destruction is undesirable from a risk management perspective. If environmental responsibility is a concern, materials may be recycled after they are destroyed. Any recycling company that minimizes the need for security has its own interest in mind and should be avoided.

5.  A CERTIFICATE OF DESTRUCTION DOES NOT RELIEVE A COMPANY FROM ITS OBLIGATION TO KEEP INFORMATION CONFIDENTIAL.

Any company contracting an information destruction service should require that it provide a signed testimonial documenting the date that the materials were destroyed. The "Certificate of Destruction" is an important legal record of compliance with a retention schedule. It does not, however, effectively transfer the responsibility to maintain the confidentiality of the materials to the contractor.

If private information surfaces after the vendor accepts it, the court is bound to question the process by which the particular contractor was selected. Any company not showing due diligence in selecting a contractor capable of providing the necessary security could be found negligent. From a practical standpoint, if proprietary or private information is lost or leaked through the fraud or negligence of a vendor, the obligations of that vendor are irrelevant. The firm whose information falls into the wrong hands stands to lose the most, whether from loss of business, prosecution or unfavorable publicity.

Since a business cannot transfer its responsibility to maintain confidentiality, it must be certain that it is dealing with a reputable company with superior security procedures. Unfortunately, there are information destruction services that provide certificates of destruction while having no semblance of security and, in some cases, no destruction process available to them. Anyone interested in contracting a data destruction service is advised to thoroughly review its policies and procedures, conduct an initial site audit, and conduct subsequent unannounced audits. On-site document destruction is also available in most locations.

6.  MOST RECORD STORAGE COMPANIES DO NOT HAVE THE EQUIPMENT TO PROVIDE SHREDDING SERVICES

Many commercial records storage facilities offer records destruction as a service to their customers. However, in a survey conducted by NAID, a majority of the commercial storage firms were found to lack the equipment necessary to provide the service themselves. It is common practice to subcontract the destruction of the records. In some cases, disreputable storage firms were found to be misleading their customers by charging for secure records destruction while the materials were being sold to a recycling firm for scrap.

Any business using a commercial records storage company should inquire about the nature of its destruction services. It is an unacceptable risk to permit a storage firm to select a subcontractor to provide the records destruction. The owner of the records is ultimately responsible for their security and, therefore, should select the vendor directly.

7.  INTERNAL PERSONNEL SHOULD NOT BE RESPONSIBLE TO DESTROY CERTAIN INFORMATION.

Common sense dictates that payroll information, materials that involve labor relations or legal affairs, and competition-sensitive information should not be entrusted to lower-level employees for destruction. Employees are the most likely to realize the value of certain information to competitors, and may have the incentive to capitalize on their access to it. The only acceptable alternatives are to have the materials destroyed under the supervision of upper management or by a carefully selected, high-security service.

8.  INFORMATION PROTECTION IS VITAL TO UPPER MANAGEMENT

In a survey conducted by the Conference Board, top executives from 300 companies ranked the security of company records as one of the top five critical issues facing business. When asked which issues required immediate attention and policy development, they ranked the security of company records second only to employee health screening.

HIPAA Compliance, brought to you by Indoff Inc.
Copyright © 2010 Indoff Inc. All Rights Reserved