Useful Links

Disclaimer

  • The materials and opinions presented by the author on this blog/website are the author's views, are for educational and informational purposes only, are not intended to be legal advice and should not be used for legal guidance or to resolve specific legal problems. You understand that by reading this blog no attorney client relationship is created between you and the author. In all cases, legal advice applicable to your organization’s own specific circumstances should be sought form knowledgeable counsel. The author may change this site without notice and does not guarantee the site to be complete, correct, or up-to-date. Neither the author, publisher, or the author's firm are responsible for the content of any linked sites.

Information Privacy/Security

03/02/2010

Recent Study Shows Costs of Data Breach

While on the internet last night, I came across the results of the Fifth annual Ponemon Institute study on costs of a data breach.  This is an annual study performed by the Ponemon Institute.  It takes into account the costs of detection, notification, and response.  It also considers the costs to businesses of lost customers resulting from a data breach incident.

The study evaluated 45 breaches ranging from 5,000 records to 101,000 records.  Now before you say, "Whoa Bob, whatever this study found, it doesn't mean anything to me, I don't have that many records", think about that low end number for a second.  If you have even a moderate census, with turnover and record storage, you may very easily find yourself with several thousand records in storage.  The point is that you likely have more records than you think and even if you don't have 5,000 records, this study still serves as a warning that data breaches are expensive.  It also has other information regarding trends in data breaches and data security.

The biggest number in the study was the average per-incident cost.  The average per-incident cost for a data breach was $6.75 million dollars. The lowest total cost for a data breach response in the study was $750,000.  That illustrates the point pretty well -- even a low number of records can result in a large expense to respond. 

A number that is more relevant to most homecare providers is the average cost per compromised record.  On average, the study determined that businesses who had a data breach spent $204 per compromised customer record to respond to a data breach.   At that number, a mere 50 records gets you over $10,000 to respond.  It climbs from there.  This is an average, but using that number in conjunction with the number of records you possess can give you an estimate of what responding to a data breach will cost you. I would guess that many providers come up with a number larger than they expected. 

The occurrence of breaches due to negligence is down.  The authors attribute this to increased education and training.  The study also found that third parties accounted for 42% of breaches and that this type of breach remained the most costly.  (Think business associates.)

The study also shows that the use of encryption is up.  WIth HIPAA and state laws providing exceptions to breach notification laws, I would expect this trend and would expect it to continue.  For providers who are still not encrypting data, you should keep reevaluating this each year (if not more often).  As more and more health care entities adopt encryption, it will likely become an expectation, even if not required by HIPAA.  As the technology becomes cheaper to implement, it will become harder and harder to justify not encrypting data.  (Especially when clean up later will cost you an average of $204 per record.)

If nothing else, this study should give you a few things to consider the next time you review and revise your privacy and security policies and procedures.

Posted by Robert Markette on 03/02/2010 at 06:42 AM in Compliance, HIPAA, Home Health and Hospice Regulations, Information Privacy/Security, Private Duty | | Comments (0) | TrackBack (0)

02/02/2010

Providers ask FTC for Exception to Red Flags Rule

On Friday, a four trade associations for health care professions issued a press release announcing that they had requested the FTC specifically exempt members of their organizations from the Red Flags Rule.  You can read their letter here.  This group includes the American Dental Association, the American Medical Association, the American Osteopathic Association, and the American Veterinary Medical Association.   

This request is based upon a recent federal court ruling that found the Red Flags Rules do not apply to lawyers. This ruling came out of a lawsuit filed by the American Bar Association(Hey, We control Congress and The courts, you didn't think lawyers would really have to comply did you?)  These providers argue that the court's rationale for excluding lawyers applies equally to them.   This makes sense, because the court determined that lawyers did not fit the definition of creditor and that it appeared the FTC was attempting to regulate monthly invoice billing.   Personally, I think the judge is correct.  

The ABA case and the AMA letter are worth keeping an eye on in the coming months, because the same rationale would apply to home health, hospice and private duty providers.  The FTC's rationale has always been that invoice billing amounted to an extension of credit which made you a creditor.  If a lawyer does not become a "creditor" by virtue of invoice billing, it is hard to see how a home health agency, hospice, or private duty provider would.  Hopefully, the court ruling and pressure from the AMA and others will lead the FTC to dial back the rules.

Some privacy advocates are lamenting the AMA's move in this case.  They think the Red Flags Rule is another needed tool to protect patients from the loss or disclosure of information that leads to identity theft.  In my opinion, this is not as big of a concern as some might think.  

The Red Flags Rule is more about detecting indicators of identity theft than protecting patient information from loss.  Safeguarding and securing patient information is addressed by HIPAA.  Regardless of what happens with the Red Flags Rule, HIPAA will still be in place and still require providers to protect patient's PHI. In addition, HIPAA's effectiveness has been enhanced, due to the new breach notification requirements, expansion of business associate coverage and the much steeper penalties allowed.  Increased HIPAA enforcement alone will do a great deal to curtail disclosure of patient information that leads to identify theft.  

Limiting the application of the Red Flags Rule as the AMA is requesting will not lead to less security of patient's PHI.  

Posted by Robert Markette on 02/02/2010 at 10:15 AM in Home Health and Hospice Regulations, Information Privacy/Security, Private Duty, Red Flags Rule | | Comments (2) | TrackBack (0)

10/19/2009

CMS joins fight against Medical Identity Theft

With less than two weeks until the Red Flags Rule deadline, CMS issued a press release today announcing its release of new resources to help seniors fight Medical Identity Theft.  You can access the full press release here.

The press release directs individuals to www.stopmedicarefraud.gov.  If you click through, it leads to a page that includes tips for individuals to protect themselves as well as a link to the FTC's website on identity theft.  

I don't think there is anything new here, but it is one more place to direct individuals who have questions about identity theft and protecting themselves from it.

Posted by Robert Markette on 10/19/2009 at 10:14 AM in Compliance, Information Privacy/Security, Medicare/Medicaid | | Comments (0) | TrackBack (0)

06/19/2009

If you use GMail, Google Docs or similar offerings, you're not as secure as you think

A group of researchers sent a letter to Google this week regarding the security of the Google Cloud services (GMail, Google Docs, etc.).  It seems these services may not be secure as advertised.  If you use these services for work, it is an interesting read.   I know some small businesses use GMail and similar services for communications.  I also know that smaller business like to use Google Docs and Calendar for collaboration.  

If you are a home health or hospice agency that does this, you should re-assess how secure your e-mail and other "cloud services" are.  The letter mentions other e-mail providers, including Hotmail and Yahoo Mail as being subject to the same security risks.  

The primary concern is the use of encryption by these services. The researchers' concern is that although encryption is enable for login, it is not enabled by default for the session once authenticate.  This means that if you are on a public connection, school, hotel, etc., the default setting would send confidential information in the clear.  This information is then relatively easy to intercept.  So if you were e-mailing information about a client to a colleague, a relatively unskilled hacker with easy to obtain tools could intercept this information.  That's a scary thought.

Users can enable session encryption and the letter explains how to do that.  For providers that use these services for any work related communications, I would suggest amending your privacy and security policies to address ensuring use of encryption during a session, not just at log-in.  Providers should also consider when and where employees are allowed to connect to networks to transmit information and that point of care systems are encrypting transmissions when sending over public networks.  You might also consider whether it is appropriate to use this type of e-mail.  For other ISP e-mail providers, you use a similar web interface for e-mail.  You should discuss with your ISP whether their systems encrypts only log-in information or if in encrypts the entire session.

Posted by Robert Markette on 06/19/2009 at 06:37 AM in Information Privacy/Security | | Comments (2) | TrackBack (0)