Are Health Providers Gambling With Your Protected Health Information (PHI)?
The fallout from the recent health care breaches can be devastating for both the health care community and the patients involved. Early estimates for both the Community Health Systems (CHS) and Anthem breaches put costs north of $100 million apiece. Legally, breached entities could face potential class-action lawsuits and multiyear compliance plans.
What is the price to the patient, beyond the loss of trust, which is the bedrock of provider and payer relationships with patients?
Medical identity theft incidents increased 21.7 percent in 2014, according to the “Fifth Annual Study on Medical Identity Theft,” which was released by the Medical Identity Fraud Alliance (MIFA) and conducted by the Ponemon Institute. “More than a thousand people in the U.S. participated in the study, all of whom identified themselves as victims of identity theft,” Ann Patterson, SVP and program director at MIFA, told SCMagazine.com. In the study, medical identity theft occurs when a person's information is used by another to fraudulently receive medical services or prescription goods, and it includes attempts to commit fraudulent billing. Patterson goes on to say the “increase in medical identity theft over the last year is attributed to a variety of factors, including healthcare-related breaches.” Patterson states that the rise of electronic health records (EHR) and other forms of digital PHI “creates a larger attack surface for cyber criminals,” and adds that the increasing number of connected devices has created more entry points for attackers.
Not all medical identity theft is the result of hacking, Patterson noted. She said that stolen computers, laptops and mobile devices containing EHR or PHI put data at risk, as do insiders who access sensitive information, possibly for malicious purposes.
What are the repercussions of medical identity theft for the patient? Cost appears to be the biggest factor. According to the Fifth Annual Study on Medical Identity Theft, the average medical identity theft victim paid over $13,000.00 to resolve the issue, including provider payments and legal fees. “Unlike the financial services industry where the Fair Credit Reporter Act limits a victim's liability to $50 if your credit card is fraudulently used, a similar provision does not exist in the healthcare sector,” Patterson said. “The cost is borne throughout all the stakeholders – it may be the victim, the healthcare provider or the health plan. There is no uniform practice.”
The Medical Identity Theft study also noted that over 53 percent of respondents believe their healthcare provider's negligence caused or contributed to the medical identity theft. Over 50 percent said that they had lost the security and confidence in the relationship with their medical provider. Of those, 35 percent said that their trust and confidence somewhat diminished.
To combat the increase in medical identity theft breaches, steps to address problems from a technology perspective should involve:
•Having a defensible plan;
•Performing scheduled risk assessments of all systems;
•Anticipating any foreseeable risks and mitigating them;
•Scheduling mandatory ongoing staff training (as 60 percent of breaches are due to staff errors).
Judith Lindsay, owner of JAL Consulting & Associates, tackles all the elements of the HIPAA compliance puzzle, successfully assisting covered entities in making sense of it all and implementing the correct policies and procedures that are reasonable and appropriate for their entity. In addition to this monthly newsletter, Judith has authored a comprehensive and customizable 2015 compliance manual that will be launching in the second quarter of 2015. The manual contains appropriate procedures, policies, compliance forms, staff training and staff testing.