Data breaches involving sensitive personal information may result in identity theft and financial crimes (e.g., health-care fraud, credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment related fraud, government documents or benefits fraud, and loan fraud). Identity theft involves the misuse of any identifying information, which could include names, social security numbers, account numbers, passwords, or other information linked to an individual. According to the Federal Trade Commission (FTC), identity theft is the most common complaint from consumers in all 50 states. With the continued media reports of data security breaches, concerns about new cases of identity theft are widespread.
While the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) intensifies its enforcement of the Health Insurance Portability and Accountability Act (HIPAA), covered entities and business associates may also find the Federal Trade Commission (FTC) knocking at their door. The FTC’s position is that Congress granted it broad powers to regulate unfair and deceptive practices under Section 5 of the FTC Act (http://www.federalreserve.gov/boarddocs/supmanual/cch/ftca.pdf), including concurrent jurisdiction over the privacy and security practices of covered entities and companies that handle Protected Health Information (PHI) and are regulated under HIPAA.
The FTC and the OCR have a history together: they have conducted parallel investigations into security practices. Their coordinated, dual-agency investigations can be seen in cases such as CVS Caremark and Rite Aid. Both pharmacies entered into consent decrees with the FTC under the FTC Act and a resolution agreement with HHS under HIPAA for the improper disposal of protected health information (PHI).
In an investigation of a hospital billing company, Accretive Health, Inc., considered a HIPAA business associate, the FTC independently investigated the company for the alleged failure to adequately safeguard laptops used by a health care transcription provider. The order stated that the provider’s lack of diligence in monitoring offshore contractors’ encryption and typist authentication, together with its statement that it was “HIPAA compliant,” constituted unfair or deceptive practices. This independent investigation resulted in a 20-year consent order requiring a biennial security assessment by an external auditor.
Given the FTC’s track record of investigations in HIPAA-related cases, with or without the OCR, covered entities and any health care related companies should review and strengthen their HIPAA compliance programs. Here are some tips:
Be clear in all patient communications, such as Notices of Privacy Practices and website privacy notices. Describe accurately the protections you provide for individually identifiable health information, so that your communications do not misrepresent or overpromise; an overstated promise could be seen as deceptive to a consumer.
The security requirements are a must under HIPAA: a current risk analysis and risk management program that identifies potential risks and vulnerabilities. Other HIPAA standards that have drawn record recent enforcement interest are media disposal, workforce privacy and security training, disaster recovery, and technical safeguards for access control.
HIPAA security safeguards that are currently deemed “addressable” still require implementation unless it can be documented and proven how the risk the safeguard addresses is otherwise mitigated. Documentation must be present showing why the addressable measure is not a reasonable and appropriate choice for your organization from a consumer perspective.
Perform complete and thorough due diligence on every Business Associate (BA) contractor before releasing protected health information. In my consulting practice, I recommend that my clients obtain a copy of the BA’s annual risk assessment and a certificate of their liability insurance coverage.
Be prepared to respond to a breach. Breaches are typically stressful, fast-paced events. Amidst the immediate need to analyze and report the breach, identify effective remediation strategies that address the specific risks that affect consumers, and mitigate those risks to lessen the harm to the consumer. Both the FTC and the OCR have used their enforcement authority where notice and remediation were untimely or lacking, and where a breach recurred because of a lack of follow-through.
Using its authority under the Safeguards Rule, the FTC has brought a number of enforcement actions addressing failures to provide reasonable and appropriate security for consumer information.
Judith Lindsay, CEO of JAL, tackles the elements of the compliance puzzle, helping organizations make sense of it all by implementing policies and procedures that are reasonable and appropriate for each entity. Judith is available for training, speaking engagements and consultations. To read more about the world as it pertains to compliance, visit JAL’s new website www.jalconsultantsaz.com or connect on Twitter @judithconsult.