Revealing OIG Reports Point to Need for Stronger Security Controls, Oversight

5/26/2011

Last week, the Department of Health and Human Services Office of the Inspector General (OIG) released to the public two reports, the Audit of Information Technology Security Included in Health Information Technology Standards, and the Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight. Both reports contain some rather eye-opening revelations about IT security controls in hospitals across the US, as well as the regulations that govern them.

Make Due Diligence More than a Good Faith Exercise

5/18/2011

Performing information security due diligence with third-party vendors can be a vital component of ensuring that the information shared by your company is kept secure. Unfortunately, due diligence efforts at times amount to little more than a good-faith exercise, meant to limit legal liabilities in the event that data is lost.

Certainly limiting liability is an important objective, but it will not necessarily do much to truly lower the risk of loss. Once a potential third-party vendor has cleared the initial due diligence hurdle and is awarded the bid, expectations must be clearly defined and followed with action. Here are a few more items organizations should consider during this process:

Colorado Foster Care Youth Get New Protections Against Minor Identity Theft

5/11/2011

Last month Colorado’s governor signed into law the Protections for Youth in Foster Care Act which, among other things, mandates that certain children in foster care between the ages of 16 and 18 be provided a free credit report and assistance in resolving any inaccuracies. Children in foster care are especially vulnerable to having their personal identifiers misused by others due in part to the number of people who might have access to their information.

Protecting WHOSE Medical Records?

5/06/2011

In a series of articles about medical identity theft from Scripps Howard News Service, a much-needed light is shed on an issue that is particularly damaging to victims – denial of access to their own personal medical records.

In particular, the article exposes a very common misinterpretation of the HIPAA Privacy Rule, whereby providers believe that they would be violating the thief’s right to privacy by providing the identity theft victim access to his or her own medical record. It’s unfortunate that this is the case – according to the Federal Trade Commission, even in cases of identity theft, “patients have the right to get a copy of their records.” Further, patients have the right to an accounting of disclosures, to learn where the medical information was shared, and to have their medical records amended or corrected, or at the very least, have an explanation of dispute placed in the file to avoid future problems with the victim’s medical information.