Data Breach Prevention and Notification Plan

In today’s expanding HIPAA compliance environment, staying on top of privacy and security regulations amended by the recent HITECH Act can be daunting. For example, one new regulatory requirement includes establishing data breach notification requirements for HIPAA covered entities and their business associates. The challenge for healthcare organizations in this provision alone becomes the process of measuring exposure to a data breach, developing policies and procedures to reduce exposure and developing a data breach incident plan to help minimize risk.

Need for Compliance Support
While the process of implementing new data breach requirements appear simple enough, most healthcare organizations admit they are not equipped to meet new data breach requirements. In fact, a recent study[1] on Patient Privacy and Data Security by the Ponemon Institute reports a key takeaway…”Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. Healthcare organizations in our study told us they have inadequate resources (71 percent), few (if any) appropriately trained personnel (52 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.”

Full Impact of Data Breach
According to another Ponemon Institute study[2] , the data breach incident cost to U.S. companies is $202 per compromised customer record in 2008. Cost factors include, expensive outlays of investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Reducing Data Loss: People, Process and Technology
In response to the potential negative effects of a data breach, healthcare organizations continue to upgrade their technology, yet according to Rick Kam, president of ID Experts, a data breach solutions company, explains in a recent data breach press statement[3] that, “Hardly a day goes by without news of some type of data breach being reported. Data breach incidents are growing in frequency and severity, while regulatory requirements for data privacy protection and incident notification are becoming more stringent. Although organizations entrusted with PII and PHI are making investments in technologies such as encryption and data loss prevention (DLP), none of these are “silver bullets” that will eliminate data breach risks. Despite the focus on failure or lack of adequate security controls within organizations, a far more significant and common portion of these events are simply the result of staff’s lack of awareness and/or compliance to internal security policies and lax practices to safeguard sensitive information.”

To be sure, any healthcare organization is complex, with countless internal and external data points touched by people, processes and technology. To achieve privacy and security assurance of data integrity a thorough analysis of “all” data points is key to a successful compliance program.

How We Can Help
Our data breach prevention audit examines PHI handled by people, processes and technology. Our audit will inventory PHI, evaluate policies and procedures, examine staffing roles, review business processes, conduct a security evaluation and upgrade training and awareness programs as needed.

[1] Benchmark study on patient privacy and data security, November 2010, Ponemon Institute, sponsored by ID Experts.
[2] Fourth Annual US Cost of Data Breach Study, January 2009, Ponemon Institute.
[3] Data breach risks and privacy compliance: The expanding role of the IT Security professional, Data Breach Press 2010, ID Experts.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us

President Signs Red Flags Rule Clarification Act Into Law

The “Red Flags” Rule, in effect since January 1, 2008, requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts. By identifying red flags in advance, organizations are better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.

The Red Flag Program Clarification Act of 2010 was the result of continued confusion over which businesses were required to implement Red Flags Rule Programs designed to prevent and mitigate the risk of identity theft by the end of the year. The Red Flags Rule is regulated by the Federal Trade Commission (FTC).

The bill amends the original definition of “creditor” that the FTC was instructed to use in writing the regulation. The bill limits the definition of a “creditor” under the Fair Credit Reporting Act to only those entities that use consumer reports, furnish information to consumer reporting agencies, or advance funds to or on behalf of a person. This definition in effect excludes law firms, health care practices, retailers, utility companies, telecommunications firms, automobile dealerships, and other small businesses from complying with the Red Flags Rule. The purpose of the limitation was to ensure that the Red Flags Rule covers creditors who pose the highest risk for identity theft, including creditors which use consumer reports, furnish information to consumer reporting agencies, or loan money to individuals.

For healthcare organizations that have developed and implemented the Red Flags rule, experts point out that you still have a duty to safeguard the confidentiality of protected health information, and an organization that had a policy in place and then stopped using it because of a relaxation in the law may be particularly vulnerable to claims that it could have prevented someone’s identity theft and didn’t. We recommend reviewing your policies and procedures regarding identity theft prevention.

You can find practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts. Learn how to put in place your written Identity Theft Prevention Program at http://www.ftc.gov/redflagsrule

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us