What Are Some Lessons from the Anthem and Premera Breaches?
We have all heard about the two recent breaches at Anthem and Premera Blue Cross. Between these two organizations, the records of more than 91 million customers were exposed. In addition to these two widely publicized breaches, more than 258 breaches were reported for 2014, affecting more than 2 million additional individuals.
What are the lessons and the impact of these two events, and of the other breaches? Each breach has victims, along with their relatives and business associates. Is the industry, as a whole, now tainted or suspect?
Premera Blue Cross is facing five class action suits over the recent breach, according to James Bilborrow, an attorney representing the plaintiffs with the law firm Weitz & Luxenberg. Several class action suits have already been filed against Anthem as well.
Keys to Prevent, Preserve and Protect:
Know where your organization's Protected Health Information (PHI) is stored. The Office for Civil Rights (OCR) Annual Report to Congress on Breaches of Unsecured Protected Health Information, required by the HITECH Act, found that over 49% of all breaches involved desktop computers, network servers and paper records. Do you have a Risk Policy?
The OCR also reported a jump in breaches involving portable devices, such as laptops and smartphones. Do you have a policy for employees who bring their own mobile devices? Do you use Mobile Device Management (MDM) software?
Monitor your Business Associates and their obligations to you as a provider handling PHI. The OCR report revealed a 26% jump, over the two-year reporting period of 2011-2012, in the number of individuals affected by a breach, and 59.3% of all individuals affected by a breach were affected by a breach at a Business Associate. Do you review your Business Associates' obligations annually and require them to provide you with their Risk Assessment?
Will your breach lead to an OCR Audit and Compliance Review? According to the OCR report, the agency opens a compliance review to investigate "all reported breaches affecting 500 or more individuals and may open compliance reviews into certain reported breaches affecting less than 500 individuals." Do you have a Breach and Response Policy?
Breaches affecting fewer than 500 individuals must be reported within 60 days after the end of the calendar year in which they were discovered. However, the OCR demonstrated in its Resolution Agreement with Hospice of North Idaho, the first settlement involving a breach affecting fewer than 500 individuals, that small breaches are not immune to a Compliance Review. A series of small, related breaches can be a trigger, because it can indicate a systemic compliance problem within an organization. Do you have a process in place to identify foreseeable risks and mitigate them?
Daniel Solove, John Marshall Harlan Research Professor of Law at the George Washington University Law School, said during the HIPAA Summit in the District of Columbia last month, "data protection must be felt in the bones of an organization, it must be part of the organization's culture. It can't be something that's an afterthought or tacked on."
Compliance needs to be part of every organization. Not only does it instill confidence in your workforce, customers, patients and shareholders; it is the foundation of your business, and it is the law. Internal controls, procedures and policies go a long way toward preventing, protecting and preserving your business.
Judith Lindsay, owner of JAL Consulting & Associates, tackles all the elements of the HIPAA compliance puzzle, helping covered entities make sense of it all and implement policies and procedures that are reasonable and appropriate for their entity. In addition to this monthly newsletter, Judith has authored a comprehensive and customizable 2015 compliance manual that will launch in the second quarter of 2015. The manual contains procedures, policies, staff training and staff testing.
Personal Information Collected Online
•Personal Information means personally identifiable information, such as information provided via forms, surveys, applications or other online fields, including name, postal or email address, telephone, fax or mobile number, or account numbers.
•Before or at the time of collecting personal information, JAL will identify the purposes for which the information is being collected.
•JAL will collect and use personal information solely for the purpose of fulfilling specific contracted engagements or for other compatible purposes, unless consent is obtained from the company and/or individual concerned or use is required by law.
•JAL will retain personal information as long as necessary for the fulfillment of a specific contract or for a specific purpose.
•JAL will collect personal information only by lawful means and, where appropriate, with the knowledge and/or consent of the individual or company.
•Personal data should be relevant to the purposes for which it is collected and should be accurate, complete and up to date.
•JAL will protect personal information by reasonable safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
•JAL will make information about our policies and practices relating to the management of personal information readily available to customers.
Terms and Conditions
JAL is committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained. By accessing this website, you agree to be bound by these Website Terms and Conditions of Use and all applicable laws and regulations. If you do not agree with these Terms and Conditions, you are prohibited from using or accessing this website. The materials contained in this website are protected by all applicable copyright and trademark laws.
Our Online Notices are subject to change. Please review them periodically. If we make changes, we will revise the "Last Updated" date at the top of this Notice. Any changes will become effective on the date the revised Notice is posted on the Site.