• Are Health Providers Gambling With Your Protected Health Information (PHI)?

  • The fallouts from the recent health care breaches can be devastating for both the health care community and the patients involved.  Early estimates for both the Community Health Systems (CHS) and Anthem breaches put costs north of $100 million apiece. Legally, breached entities could face potential class-action lawsuits and multiyear compliance plans.

    What is the price to the patient, beyond the loss of trust? The bedrock for provider and payer relationships with patients.

    Medical identity theft incidents increased 21.7 percent in 2014, according to the “Fifth Annual Study on Medical Identity Theft,” which was released by the Medical Identity Fraud Alliance (MIFA) and conducted by the Ponemon Institute. “More than a thousand people in the U.S. participated in the study, all of whom identified themselves as victims of identity theft,” Ann Patterson, SVP and program director at MIFA, told SCMagazine.com. In the study, medical identity theft occurred when a person's information was used by another to fraudulently receive medical services or prescription goods, and includes attempts to commit fraudulent billing. Patterson goes on to say the “increase in medical identity theft over the last year is attributed to a variety of factors, including healthcare-related breaches.” Patterson states the rise of electronic health records (EHR) and other forms of digital PHI “creates a larger attack surface for cyber criminals,” and added that the increasing number of connected devices has created more entry points for attackers.

    Not all medical identity theft is the result of hacking, Patterson noted. She said that stolen computers, laptops and mobile devices containing EHR or PHI puts data at risk, as do insiders who access sensitive information – possibly for malicious purposes.

    What are the repercussions for the patient with medical identity theft? Cost appears to the biggest factor. In the Fifth Annual Study on Medical Identify Theft, it has been noted, the average medical identity theft victim paid over $13,000.00 to resolve the issue, including provider payments and legal fees. “Unlike the financial services industry where the Fair Credit Reporter Act limits a victim's liability to $50 if your credit card is fraudulently used, a similar provision does not exist in the healthcare sector,” Patterson said. “The cost is borne throughout all the stakeholders – it may be the victim, the healthcare provider or the health plan. There is no uniform practice.”

    Also noted in the Medical Identity Theft study, over 53 percent of respondents believe their healthcare provider's negligence caused or contributed to the medical identity theft. Over 50 percent said that they had loss the security and confidence in the relationship with their medical provider. Of those, 35 percent said that their trust and confidence somewhat diminished.

    To combat increasing medical identity theft breaches, steps to address problems from a technology perspective should involve:

    • A defensible plan;
    • Perform scheduled risk assessments of all systems; 
    • Anticipate any foreseeable risks and mitigating them, 
    • Schedule mandatory on-going staff training (as 60 percent of breaches are due to staff errors).

    Judith Lindsay, owner of JAL Consulting & Associates, tackles all the elements of the HIPAA compliance puzzle, successfully assisting covered entities to make sense of it all, implementing the correct policies and procedures that are reasonable and appropriate for their entity.  In addition to this monthly newsletter, Judith has authored a 2015 comprehensive and customizable compliance manual that will be launching in the Second Quarter of 2015. The manual contains appropriate procedures, policies, compliance forms, staff training and staff testing. 

    judithconsulting@gmail.com    |   Twitter:  @judithconsult