Complications and Side Effects – Rules, Regulations and Penalties (part 2)

8/31/2011

In the last segment, we introduced two recent laws that have significantly increased the regulatory compliance obligations of the health care industry – the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Identity Theft Red Flags and Notices of Address Discrepancy (Red Flags Rule). As the Office for Civil Rights (OCR) reporting website demonstrates, the impetus for these new data breach regulations clearly has not been overstated. HITECH requires the OCR to post PHI breaches involving more than 500 individuals, and since the rule went into effect in February of 2009, 288 incidents have been reported, four of which involve over 1 million individuals. With the threat of data breaches clear and regulatory fever now in full swing, it is important to understand the specific requirements of these new laws and their implications for the health care industry.


The Cure for Regulatory Fever: Causes and Symptoms – Overview (part 1)

8/30/2011

Flu season may be over, but for the health care industry, a more troublesome and persistent threat is just warming up. Regulatory fever, a common side effect of an ailing economy, is now nearly in full swing. Beginning with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, ensuring privacy and security of patient information in the health care industry has been a primary concern for legislators over the past decade and a half. The HIPAA Privacy Rule extends federal protection to personal health information held by covered entities, and is fulfilled by the Security Rule, which prescribes the use of security safeguards to ensure confidentiality is maintained.[1] While HIPAA was a significant step forward in the security of personal health information management, two new regulations are raising the bar even higher in an effort to integrate and benefit from advancements in information technology.


When Determining Business Associate Relationships, It Pays to Be Creative

8/24/2011

Determining whether or not your third-party provider should be classified as a Business Associate (BA) according to HIPAA is not always a clear-cut issue. Case in point: authors Adam Greene and Michael Sloan of Davis Wright Tremaine recently published a legal advisory warning that Covered Entities (CEs) need to look closely at whether or not their telecommunications and internet service providers should be classified as BAs due to incidentally maintaining PHI on behalf of a CE using the service.


Challenge questions – at the ATM?

8/17/2011

Skimming is a crime that has not only increased in frequency but has also evolved, some would say a lot faster than the security measures in place to thwart it. Last year, incidents of skimming increased substantially, and not just at the ATM but at virtually any retail point of service where a consumer would swipe a credit or debit card. Certainly no location is immune, but it is the ATM that is notorious for being a target of identity thieves.


A Balancing Act: Is HHS Proposed Rule for Accounting of Disclosures, Access Reports too Burdensome?

8/10/2011

The proposed rule from the Office for Civil Rights expanding an individual’s right to an accounting of disclosures of their PHI has drawn the ire of several groups within the healthcare industry, who have written letters to the Department of Health and Human Services urging them to rethink the scope. The American Hospital Association (AHA), Medical Group Management Association (MGMA), and the College of Healthcare Information Management Executives (CHIME), to name a few, have all expressed serious doubts as to the capacity of healthcare providers to comply with the rule as proposed.
