When Determining Business Associate Relationships, It Pays to Be Creative

8/24/2011

Determining whether or not your third-party provider should be classified as a Business Associate (BA) according to HIPAA is not always a clear-cut issue. Case in point: Authors Adam Greene and Michael Sloan of Davis Wright Tremaine recently published a legal advisory warning that Covered Entities (CEs) need to look closely at whether or not their telecommunications and internet service providers should be classified as BAs due to incidentally maintaining PHI on behalf of a CE using the service.

A Balancing Act: Is HHS Proposed Rule for Accounting of Disclosures, Access Reports too Burdensome?

8/10/2011

The proposed rule from the Office for Civil Rights expanding an individual’s right to an accounting of disclosures of their PHI has drawn the ire of several groups within the healthcare industry, who have written letters to the Department of Health and Human Services urging them to rethink the scope. The American Hospital Association (AHA), Medical Group Management Association (MGMA), and the College of Healthcare Information Management Executives (CHIME), to name a few, have all expressed serious doubts as to the capacity of healthcare providers to comply with the rule as proposed.

Revealing OIG Reports Point to Need for Stronger Security Controls, Oversight

5/26/2011

Last week, the Department of Health and Human Services Office of the Inspector General (OIG) released to the public two reports, the Audit of Information Technology Security Included in Health Information Technology Standards, and the Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight. Both reports contain some rather eye-opening revelations about IT security controls in hospitals across the US, as well as the regulations that govern them.

Blumenthal delivers a wake-up call this month – HITECH enforcement shaping up to be quite demanding

7/22/2010

This month, Connecticut Attorney General Richard Blumenthal announced that his office reached a settlement with health insurance company Health Net over their breach of sensitive patient data. The agreement resolves allegations that Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state privacy protections. The Health Net breach dates back to May 2009, when the company lost a disk drive with PII and PHI for some 2 million patients. The company took more than what Blumenthal considered a reasonable amount of time to report the missing disk and notify affected individuals. Blumenthal alleged that the company delayed and otherwise failed to properly inform the state governing authorities.

The Enemy in the Office: Part 3

5/07/2010

Ten tips for fax safety

As we discussed in the last two posts in this series, even mundane office equipment can pose a serious security risk. Part of the security battle here is simply understanding the issue, because the technology already exists to help you erase your fax or copier hard drive. So, are you safeguarding against what amounts to pure error?

As it turns out, there are several steps you and your staff can take to reduce the risk of misdirected faxes: