HEALTH CARE TECHNOLOGY AND PRIVACY


By Scott Fikes, Vice President at InLight Risk Management, LLC

Today, physicians and healthcare organizations rely on electronic data, computers and networks to support
their operations. Health Care Technology and Privacy provides a summary of the exposures, regulations
and recommendations to assist health care providers in managing this risk.

EXPOSURE

Do you store data, including private information, on computers; use e-mail; process patient payments;
access, upload or download patient health records? If so, then you are at risk. Is your medical billing
outsourced? Do your physicians or staff access records on a laptop at home or away from the office?

The following is a sample of privacy and security breaches in the health care industry:

       •   A major online health product vendor inadvertently revealed detailed information – including bank
           account and credit card information – of thousands of customers on its web site.
       •   University researchers accidentally revealed the names of deceased organ donors to 410 patients
           who received kidneys from the deceased donors.
       •   A hacker downloaded medical records, health information, and social security numbers of more than
           5,000 patients at a major university.
       •   A West Coast managed care organization mistakenly sent email responses to the wrong recipients,
           exposing sensitive patient information.
       •   A patient sued a major East Coast hospital when an email error revealed his HIV-positive status to
           his coworkers.
       •   A Fortune 1000 pharmaceutical firm inadvertently revealed over 600 patient email addresses when it
           sent a collective message to every individual registered to receive reminders about taking a certain
           medication.

Insider attacks are also a worry.

Tenet Healthcare, which owns more than 50 hospitals in twelve states, disclosed a security breach involving
a former billing center employee in Texas who pled guilty to stealing patient personal information. He got
nine months in jail.

In an identity fraud case in Sarasota, Fla. last month, an office cleaner who gained access to the patient files
of an anesthesiologist who rented an office pled guilty to fraud for ordering credit cards on the Internet with
stolen patient personal information. He got two years jail time.

Lost and stolen laptops have also been a problem: within three months of each other, Duluth, Minn.-based
Memorial Blood Center; Mountain View, Calif.-based Health Net; Sutter Lakeside Hospital at Lakeside, Calif.;
and the West Penn Allegheny Health System each disclosed missing personal information related to patients
or employees.

The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New
Requirements for Fighting Identity Theft
by Steven Toporoff, attorney with the FTCʼs Division of Privacy & Identity Protection.

As many as nine million Americans have their identities stolen each year. The crime takes many forms. But
when identity theft involves health care, the consequences can be particularly severe.

Medical identity theft happens when a person seeks health care using someone elseʼs name or insurance
information. A survey conducted by the Federal Trade Commission (FTC) found that close to 5% of identity
theft victims have experienced some form of medical identity theft. Victims may find their benefits exhausted
or face potentially life-threatening consequences due to inaccuracies in their medical records. The cost to
health care providers — left with unpaid bills racked up by scam artists — can be staggering, too.




	
The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and
organizations — including many doctorsʼ offices, hospitals, and other health care providers — to develop a
written program to spot the warning signs — or “red flags” — of identity theft.

Does the Red Flags Rule cover your practice? If so, have you developed your Identity Theft Prevention
Program to detect, prevent, and minimize the damage that could result from identity theft?

WHO MUST COMPLY

Every health care organization and practice must review its billing and payment procedures to determine if
the Red Flags Rule covers it. Whether the law applies to you isnʼt based on your status as a health care
provider, but rather on whether your activities fall within the lawʼs definition of two key terms: “creditor” and
“covered account.”

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your
practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to
include any entity that regularly defers payments for goods or services or arranges for the extension of
credit. For example, you are a creditor if you regularly bill patients after the completion of services, including
for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who
regularly allow patients to set up payment plans after services have been rendered are creditors under the
Rule. Health care providers are also considered creditors if they help patients get credit from other sources
— for example, if they distribute and process applications for credit accounts tailored to the health care
industry.

On the other hand, health care providers who require payment before or at the time of service are not
creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar
programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit
cards as a form of payment at the time of service does not make you a creditor under the Rule.

The second key term — “covered account” — is defined as a consumer account that allows multiple
payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The
accounts you open and maintain for your patients are generally “covered accounts” under the law. If your
organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft
Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.

SPOTTING RED FLAGS

The Red Flags Rule gives health care providers flexibility to implement a program that best suits the
operation of their organization or practice, as long as it conforms to the Ruleʼs requirements. Your office may
already have a fraud prevention or security program in place that you can use as a starting point.
If youʼre covered by the Rule, your program must:
     1. Identify the kinds of red flags that are relevant to your practice;
     2. Explain your process for detecting them;
     3. Describe how youʼll respond to red flags to prevent and mitigate identity theft; and
     4. Spell out how youʼll keep your program current.

What red flags signal identity theft? Thereʼs no standard checklist. Supplement A to the Red Flags Rule —
available at ftc.gov/redflagsrule — sets out some examples, but here are a few warning signs that may be
relevant to health care providers:

       •   Suspicious documents. Has a new patient given you identification documents that look altered or
           forged? Is the photograph or physical description on the ID inconsistent with what the patient looks
           like? Did the patient give you other documentation inconsistent with what he or she has told you —
           for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere?
           Under the Red Flags Rule, you may need to ask for additional information from that patient.
       •   Suspicious personally identifying information. If a patient gives you information that doesnʼt match
           what youʼve learned from other sources, it may be a red flag of identity theft. For example, if the
           patient gives you a home address, birth date, or Social Security number that doesnʼt match
           information on file or from the insurer, fraud could be afoot.
       •   Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still
           shows up for appointments? Does a patient complain about receiving a bill for a service that he or
           she didnʼt get? Is there an inconsistency between a physical examination or medical history
           reported by the patient and the treatment records? These questionable activities may be red flags
           of identity theft.
       •   Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting
           possible identity theft. Have you received word about identity theft from another source?
           Cooperation is key. Heed warnings from others that identity theft may be ongoing.
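The four red-flag categories above, together with the response question raised in the next section, as an added screening routine (example code, not part of the original article or the FTC's guidance): the field names, the "two returned mailings" threshold, and the mapping from flags to a response are this example's own assumptions, and the patient data is constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PatientIdentity:
    """Identifying data from one source (intake form, practice file, insurer)."""
    name: str
    dob: str          # ISO date string, e.g. "1970-04-12"
    address: str
    ssn_last4: str


@dataclass
class Encounter:
    """What the front desk knows about one visit (all fields are assumed names)."""
    stated: PatientIdentity                      # what the patient gave today
    on_file: Optional[PatientIdentity] = None    # the practice's record, None if new
    insurer: Optional[PatientIdentity] = None    # eligibility data from the insurer
    id_looks_altered: bool = False               # staff judgement on the ID document
    id_photo_matches: bool = True
    returned_mail: int = 0                       # undeliverable mailings to address on file
    visits_since_returned_mail: int = 0
    disputed_bills: int = 0                      # bills the patient says are for care not received
    notices: List[str] = field(default_factory=list)  # e.g. ["insurer", "law enforcement"]


def _pii_mismatches(stated, reference, source):
    """Red flag: identifying information that does not match another source."""
    if reference is None:
        return []
    return [f"{f} differs from {source} record"
            for f in ("dob", "address", "ssn_last4")
            if getattr(stated, f) != getattr(reference, f)]


def screen_encounter(enc):
    """Return the red flags raised by one encounter, prefixed by category."""
    flags = []
    # 1. Suspicious documents
    if enc.id_looks_altered:
        flags.append("document: ID appears altered or forged")
    if not enc.id_photo_matches:
        flags.append("document: ID photo/description inconsistent with patient")
    # 2. Suspicious personally identifying information (checked against both sources)
    flags += ["pii: " + m for m in _pii_mismatches(enc.stated, enc.on_file, "on-file")]
    flags += ["pii: " + m for m in _pii_mismatches(enc.stated, enc.insurer, "insurer")]
    # 3. Suspicious activities (threshold of two returned mailings is an assumption)
    if enc.returned_mail >= 2 and enc.visits_since_returned_mail > 0:
        flags.append("activity: mail returned repeatedly while patient keeps appointments")
    if enc.disputed_bills > 0:
        flags.append("activity: patient disputes bill for service not received")
    # 4. Notices from victims, law enforcement, insurers or others
    flags += [f"notice: identity theft reported by {src}" for src in enc.notices]
    return flags


def recommended_response(flags):
    """Map flags to a response step; the policy choices here are assumptions."""
    if not flags:
        return "proceed"
    categories = {f.split(":")[0] for f in flags}
    if "notice" in categories or "activity" in categories:
        # keep the victim's chart separate and do not pursue the disputed debt
        return "hold account: segregate records, suspend collection, investigate"
    # document or PII mismatch only: ask for more identification before continuing
    return "request additional identification"


# Constructed sample: a returning patient whose stated DOB and last-4 SSN differ
# from both the practice file and the insurer, and whose mail keeps bouncing.
SAMPLE = Encounter(
    stated=PatientIdentity("Jane Q. Sample", "1971-04-12", "12 Elm St", "4321"),
    on_file=PatientIdentity("Jane Q. Sample", "1970-04-12", "12 Elm St", "1234"),
    insurer=PatientIdentity("Jane Q. Sample", "1970-04-12", "12 Elm St", "1234"),
    returned_mail=3,
    visits_since_returned_mail=2,
)


def demo():
    """Screen the constructed sample and return (flags, recommended response)."""
    flags = screen_encounter(SAMPLE)
    return flags, recommended_response(flags)


if __name__ == "__main__":
    found, action = demo()
    for line in found:
        print(line)
    print("->", action)
```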

SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM

Once youʼve identified the red flags that are relevant to your practice, your program should include the
procedures youʼve put in place to detect them in your day-to-day operations. Your program also should
describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red
flags of identity theft? For example, if the patient provides a photo ID that appears forged or altered, will you
request additional documentation? If youʼre notified that an identity thief has run up medical bills using
another personʼs information, how will you ensure that the medical records are not commingled and that the
debt is not charged to the victim? Of course, your response will vary depending on the circumstances and
the need to accommodate other legal and ethical obligations — for example, laws and professional
responsibilities regarding the provision of routine medical and emergency care services. Finally, your
program must consider how youʼll keep it current to address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Red Flags
Rule, your program must be approved by your Board of Directors, or if your organization or practice doesnʼt
have a Board, by a senior employee. The Board or senior employee may oversee the administration of the
program, including approving any important changes, or designate a senior employee to take on these
duties. Your program should include information about training your staff and provide a way for you to
monitor the work of your service providers — for example, those who manage your patient billing or debt
collection operations. The key is to make sure that all members of your staff are familiar with the Rule and
your new compliance procedures.

WHATʼS AT STAKE?

Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to
financial penalties. But even more important, compliance with the Red Flags Rule assures your patients that
youʼre doing your part to fight identity theft.

RISK REDUCTION RECOMMENDATIONS

       •   Anti-virus:
           –   Utilize anti-virus software on all computing devices
           –   Automatically update anti-virus software at least daily
           –   Automatically scan and filter e-mail attachments and downloads before opening files
       •   Automatically receive virus and threat notifications from the United States Computer Emergency
           Readiness Team (US-CERT), SANS Institute or a similar provider
       •   Securely configure firewalls using other than a default configuration
       •   Configure networks using multiple firewalls (or equivalent) to separate back-office operations from
           Internet-facing operations
       •   Promulgate a security policy to all employees and contractors
       •   Have a tested disaster recovery plan that includes recovery from data center disasters
       •   Have a tested security incident response plan that addresses both direct (e.g., hacking) and indirect
           (e.g., virus) attacks upon the network
       •   Back up network data and configuration files daily
       •   Store back-up files in a protected location
       •   Allow remote access to the network only if it is via a VPN or equivalent system
       •   Monitor network platform vendors at least daily for availability of security patches and upgrades
       •   Test and install security patches and upgrades within 30 days of availability, preferably within seven
           days
       •   Always lock server rooms or otherwise limit access only to authorized personnel

RISK TRANSFER SOLUTIONS

InLight Risk Management provides multiple risk transfer solutions designed to meet your specific needs.
This critical liability coverage is necessary for any organization that uses computers to manage information.

What does it cover?

       •   All network information is covered, enterprise-wide and not just information on Web sites
       •   Covers claims related to identity theft
       •   Covers damage due to viruses, denial of service and security breaches
       •   Includes theft of othersʼ trade secrets, proprietary or confidential information from the insuredʼs
           network

Privacy Injury and Identity Theft

       •   Unauthorized disclosure of private information
       •   Regulatory expense
       •   Private actions arising from unauthorized disclosure of othersʼ private information in violation of:
           –   Any applicable privacy law, e.g., HIPAA, GLBA, COPPA and EU Data Protection Act
           –   Insuredʼs published privacy policy
           –   Any security breach notice law
       •   All network information is covered, enterprise-wide and not just information on Web sites
       •   Covers any current or future applicable privacy laws worldwide
       •   Covers claims related to identity theft resulting from unauthorized disclosure of private
           information
       •   Insuredʼs cost to notify others if they suspect a security breach or compromise of their private
           information
       •   Insuredʼs cost to comply with any applicable privacy law or regulation if a regulatory authority
           notifies them that they may be noncompliant
       •   Regulatory expense covers first-dollar loss, with no deductibles or co-insurance

Network Damage to information residing on insuredʼs network, including:

       •   Insuredʼs own information, upon which others rely, residing on a network
       •   Othersʼ information on insuredʼs network
       •   Damage to othersʼ information on insuredʼs network if damage caused by insured
       •   Network interruption or customersʼ inability to access or use insuredʼs network or their network
           if interruption is caused by insured
       •   Theft or unauthorized disclosure of othersʼ information on insuredʼs network
       •   All network information is covered, enterprise-wide and not just information on Web sites
       •   Covers damage due to viruses, denial of service and security breaches
       •   Includes outsourced network services for which insured is liable
       •   Includes theft of othersʼ trade secrets, proprietary or confidential information in insuredʼs care

What does it cost?

Premiums are determined by underwriting criteria specific to your company. It stands to reason that a solo
physician practice has fewer exposures than a hospital located in a highly populated city.

For this reason, premiums begin as low as $500 annually. Protect your organization from a significant,
unexpected financial loss by purchasing technology/privacy liability coverage.

Scott L. Fikes
Vice President
InLight Risk Management, LLC
101 Park Avenue, Suite 1100
Oklahoma City, OK 73102
(O) 405.443.2024
(F) 405.443.2001
sfikes@inlightrm.com
www.InLightRM.com

	
                                                                                                             4	
  

Weitere ähnliche Inhalte

Was ist angesagt?

Phx Fraud And Abuse Training Module
Phx Fraud And Abuse Training ModulePhx Fraud And Abuse Training Module
Phx Fraud And Abuse Training ModulePHXONLINE
 
red flag Medical_Identity_Theft_Web
red flag Medical_Identity_Theft_Webred flag Medical_Identity_Theft_Web
red flag Medical_Identity_Theft_WebDulcey Whyte
 
Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...
Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...
Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...RightPatient®
 
2hourhealthcarefraud
2hourhealthcarefraud2hourhealthcarefraud
2hourhealthcarefraudcccpfc
 
Universal Patient Identity: eliminating duplicate records, medical identity t...
Universal Patient Identity: eliminating duplicate records, medical identity t...Universal Patient Identity: eliminating duplicate records, medical identity t...
Universal Patient Identity: eliminating duplicate records, medical identity t...3GDR
 
Fellow Ais 4 Laws Regs & Ethics (Revised)
Fellow Ais 4 Laws Regs & Ethics (Revised)Fellow Ais 4 Laws Regs & Ethics (Revised)
Fellow Ais 4 Laws Regs & Ethics (Revised)William Copeland
 
Medical Identity Theft
Medical Identity TheftMedical Identity Theft
Medical Identity TheftFairfax County
 
Preventing Provider Medical Identity Theft
Preventing Provider Medical Identity TheftPreventing Provider Medical Identity Theft
Preventing Provider Medical Identity Theft- Mark - Fullbright
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft- Mark - Fullbright
 
December 2008 E Newsletter
December 2008 E NewsletterDecember 2008 E Newsletter
December 2008 E NewsletterJudson P. Bruno
 
Preventing Fraud, Waste, and Abuse in Health Care
Preventing Fraud, Waste, and Abuse in Health CarePreventing Fraud, Waste, and Abuse in Health Care
Preventing Fraud, Waste, and Abuse in Health CareDr. Zabian Crosby, D.H.Ed.
 
Medical fraud and its implications Dr Vaikuthan Rajaratnam
Medical fraud and its implications Dr Vaikuthan RajaratnamMedical fraud and its implications Dr Vaikuthan Rajaratnam
Medical fraud and its implications Dr Vaikuthan RajaratnamVaikunthan Rajaratnam
 
Medical Billing Work Flow by Sidhant Raj
Medical Billing Work Flow by Sidhant RajMedical Billing Work Flow by Sidhant Raj
Medical Billing Work Flow by Sidhant RajSidhantloveraj
 
Medical Billing Fraud
Medical Billing FraudMedical Billing Fraud
Medical Billing Fraudmagicalmilon
 
Dorland Webinar Slide Managed Care
Dorland Webinar Slide Managed CareDorland Webinar Slide Managed Care
Dorland Webinar Slide Managed Caresusie4050
 
HIPAA Training by Greater Baltimore Medical Center
HIPAA Training by Greater Baltimore Medical CenterHIPAA Training by Greater Baltimore Medical Center
HIPAA Training by Greater Baltimore Medical CenterAtlantic Training, LLC.
 
Insurance eligibility verification – steps to reduce claim denials
Insurance eligibility verification – steps to reduce claim denialsInsurance eligibility verification – steps to reduce claim denials
Insurance eligibility verification – steps to reduce claim denialsOutsource Strategies International
 

Was ist angesagt? (19)

Phx Fraud And Abuse Training Module
Phx Fraud And Abuse Training ModulePhx Fraud And Abuse Training Module
Phx Fraud And Abuse Training Module
 
red flag Medical_Identity_Theft_Web
red flag Medical_Identity_Theft_Webred flag Medical_Identity_Theft_Web
red flag Medical_Identity_Theft_Web
 
Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...
Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...
Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...
 
2hourhealthcarefraud
2hourhealthcarefraud2hourhealthcarefraud
2hourhealthcarefraud
 
Universal Patient Identity: eliminating duplicate records, medical identity t...
Universal Patient Identity: eliminating duplicate records, medical identity t...Universal Patient Identity: eliminating duplicate records, medical identity t...
Universal Patient Identity: eliminating duplicate records, medical identity t...
 
Fellow Ais 4 Laws Regs & Ethics (Revised)
Fellow Ais 4 Laws Regs & Ethics (Revised)Fellow Ais 4 Laws Regs & Ethics (Revised)
Fellow Ais 4 Laws Regs & Ethics (Revised)
 
Medical Identity Theft
Medical Identity TheftMedical Identity Theft
Medical Identity Theft
 
Preventing Provider Medical Identity Theft
Preventing Provider Medical Identity TheftPreventing Provider Medical Identity Theft
Preventing Provider Medical Identity Theft
 
The Geography of Medical Identity Theft
The Geography of Medical Identity TheftThe Geography of Medical Identity Theft
The Geography of Medical Identity Theft
 
Healthcare Fraud
Healthcare FraudHealthcare Fraud
Healthcare Fraud
 
December 2008 E Newsletter
December 2008 E NewsletterDecember 2008 E Newsletter
December 2008 E Newsletter
 
Preventing Fraud, Waste, and Abuse in Health Care
Preventing Fraud, Waste, and Abuse in Health CarePreventing Fraud, Waste, and Abuse in Health Care
Preventing Fraud, Waste, and Abuse in Health Care
 
Medical fraud and its implications Dr Vaikuthan Rajaratnam
Medical fraud and its implications Dr Vaikuthan RajaratnamMedical fraud and its implications Dr Vaikuthan Rajaratnam
Medical fraud and its implications Dr Vaikuthan Rajaratnam
 
Medical Billing Work Flow by Sidhant Raj
Medical Billing Work Flow by Sidhant RajMedical Billing Work Flow by Sidhant Raj
Medical Billing Work Flow by Sidhant Raj
 
Medical Billing Fraud
Medical Billing FraudMedical Billing Fraud
Medical Billing Fraud
 
Dorland Webinar Slide Managed Care
Dorland Webinar Slide Managed CareDorland Webinar Slide Managed Care
Dorland Webinar Slide Managed Care
 
HIPAA Training by Greater Baltimore Medical Center
HIPAA Training by Greater Baltimore Medical CenterHIPAA Training by Greater Baltimore Medical Center
HIPAA Training by Greater Baltimore Medical Center
 
Insurance eligibility verification – steps to reduce claim denials
Insurance eligibility verification – steps to reduce claim denialsInsurance eligibility verification – steps to reduce claim denials
Insurance eligibility verification – steps to reduce claim denials
 
bwmedicalidt
bwmedicalidtbwmedicalidt
bwmedicalidt
 

Andere mochten auch

Andere mochten auch (6)

Beautiful
BeautifulBeautiful
Beautiful
 
Medicare - CMS RAC Audit Presentation
Medicare - CMS RAC Audit PresentationMedicare - CMS RAC Audit Presentation
Medicare - CMS RAC Audit Presentation
 
ITSolutions|Currie Network Security Seminar
ITSolutions|Currie Network Security SeminarITSolutions|Currie Network Security Seminar
ITSolutions|Currie Network Security Seminar
 
Task
TaskTask
Task
 
Chapter 9
Chapter 9Chapter 9
Chapter 9
 
Appeals How To Win When To Fold
Appeals How To Win When To FoldAppeals How To Win When To Fold
Appeals How To Win When To Fold
 

Ähnlich wie Health Care Technology And Privacy

Fifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity TheftFifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity Theft- Mark - Fullbright
 
Identity theft: Could it happen in your office?
Identity theft: Could it happen in your office?Identity theft: Could it happen in your office?
Identity theft: Could it happen in your office?- Mark - Fullbright
 
How to Protect Your Healthcare Facility From Medical Identity Theft
How to Protect Your Healthcare Facility From Medical Identity TheftHow to Protect Your Healthcare Facility From Medical Identity Theft
How to Protect Your Healthcare Facility From Medical Identity TheftThe Identity Advocate
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryEMC
 
Fraud And Abuse In The U.S. Healthcare System
Fraud And Abuse In The U.S. Healthcare SystemFraud And Abuse In The U.S. Healthcare System
Fraud And Abuse In The U.S. Healthcare SystemKendra Cote
 
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxPage 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxkarlhennesey
 
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxPage 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxhoney690131
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryEMC
 
Confidentiality & privacy
Confidentiality & privacyConfidentiality & privacy
Confidentiality & privacykendale
 
Confidentiality & privacy
Confidentiality & privacyConfidentiality & privacy
Confidentiality & privacykendale
 
Data Security and Privacy Practices
Data Security and Privacy PracticesData Security and Privacy Practices
Data Security and Privacy PracticesSpringfield Clinic
 
Fraud and Abuse 2017
Fraud and Abuse 2017Fraud and Abuse 2017
Fraud and Abuse 2017faemont
 
Assignment 5 consumer fraud protection
Assignment 5 consumer fraud protectionAssignment 5 consumer fraud protection
Assignment 5 consumer fraud protectionBayo Cary
 
Page 1 Executive Summary Policy makers are looking.docx
Page 1   Executive Summary Policy makers are looking.docxPage 1   Executive Summary Policy makers are looking.docx
Page 1 Executive Summary Policy makers are looking.docxsmile790243
 
Confidentiality
ConfidentialityConfidentiality
Confidentialitycpryor52
 
The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt...
 The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt... The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt...
The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt...Health 2Conf
 
Developing healthcare finance fraud (2)
Developing healthcare finance fraud (2)Developing healthcare finance fraud (2)
Developing healthcare finance fraud (2)Modupe Sarratt
 

Ähnlich wie Health Care Technology And Privacy (20)

Fifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity TheftFifth Annual Study on Medical Identity Theft
Fifth Annual Study on Medical Identity Theft
 
Medical Identity Theft
Medical Identity Theft
Medical Identity Theft
Medical Identity Theft
 
Identity theft: Could it happen in your office?
Identity theft: Could it happen in your office?Identity theft: Could it happen in your office?
Identity theft: Could it happen in your office?
 
How to Protect Your Healthcare Facility From Medical Identity Theft
How to Protect Your Healthcare Facility From Medical Identity TheftHow to Protect Your Healthcare Facility From Medical Identity Theft
How to Protect Your Healthcare Facility From Medical Identity Theft
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare Industry
 
Hippa
HippaHippa
Hippa
 
Fraud And Abuse In The U.S. Healthcare System
Fraud And Abuse In The U.S. Healthcare SystemFraud And Abuse In The U.S. Healthcare System
Fraud And Abuse In The U.S. Healthcare System
 
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxPage 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
 
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxPage 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
 
Addressing Data Security Issues in Healthcare
Addressing Data Security Issues in Healthcare Addressing Data Security Issues in Healthcare
Addressing Data Security Issues in Healthcare
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare Industry
 
Confidentiality & privacy
Confidentiality & privacyConfidentiality & privacy
Confidentiality & privacy
 
Confidentiality & privacy
Confidentiality & privacyConfidentiality & privacy
Confidentiality & privacy
 
Data Security and Privacy Practices
Data Security and Privacy PracticesData Security and Privacy Practices
Data Security and Privacy Practices
 
Fraud and Abuse 2017
Fraud and Abuse 2017Fraud and Abuse 2017
Fraud and Abuse 2017
 
Assignment 5 consumer fraud protection
Assignment 5 consumer fraud protectionAssignment 5 consumer fraud protection
Assignment 5 consumer fraud protection
 
Page 1 Executive Summary Policy makers are looking.docx
Page 1   Executive Summary Policy makers are looking.docxPage 1   Executive Summary Policy makers are looking.docx
Page 1 Executive Summary Policy makers are looking.docx
 
Confidentiality
ConfidentialityConfidentiality
Confidentiality
 
The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt...
 The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt... The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt...
The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt...
 
Developing healthcare finance fraud (2)
Developing healthcare finance fraud (2)Developing healthcare finance fraud (2)
Developing healthcare finance fraud (2)
 

Health Care Technology And Privacy

By Scott Fikes, Vice President at InLight Risk Management, LLC

Today, physicians and healthcare organizations rely on electronic data, computers and networks to support their operations. Health Care Technology and Privacy provides a summary of the exposures, regulations and recommendations to assist health care providers in managing this risk.

EXPOSURE

Do you store data, including private information, on computers; use e-mail; process patient payments; or access, upload or download patient health records? If so, then you are at risk. Is your medical billing outsourced? Do your physicians or staff access records on a laptop at home or away from the office?

The following is a sample of privacy and security breaches in the health care industry:

• A major online health product vendor inadvertently revealed detailed information – including bank account and credit card information – of thousands of customers on its web site.
• University researchers accidentally revealed the names of deceased organ donors to 410 patients who received kidneys from the deceased donors.
• A hacker downloaded medical records, health information, and social security numbers of more than 5,000 patients at a major university.
• A West Coast managed care organization mistakenly sent email responses to the wrong recipients, exposing sensitive patient information.
• A patient sued a major East Coast hospital when an email error revealed his HIV-positive status to his coworkers.
• A Fortune 1000 pharmaceutical firm inadvertently revealed over 600 patient email addresses when it sent a collective message to every individual registered to receive reminders about taking a certain medication.

Insider attacks are also a worry.

Tenet Healthcare, which owns more than 50 hospitals in twelve states, disclosed a security breach involving a former billing center employee in Texas who pled guilty to stealing patient personal information. He got nine months in jail.

In an identity fraud case in Sarasota, Fla. last month, an office cleaner who gained access to the patient files of an anesthesiologist who rented an office pled guilty to fraud for ordering credit cards on the Internet with stolen patient personal information. He got two years jail time.

Lost and stolen laptops have also been a problem, with disclosures of missing personal information related to patients or employees at Duluth, Minn.-based Memorial Blood Center; Mountain View, Calif.-based Health Net; Sutter Lakeside Hospital at Lakeside, Calif.; and the West Penn Allegheny Health System revealed within three months of each other.

THE “RED FLAGS” RULE: WHAT HEALTH CARE PROVIDERS NEED TO KNOW ABOUT COMPLYING WITH NEW REQUIREMENTS FOR FIGHTING IDENTITY THEFT

By Steven Toporoff, attorney with the FTC’s Division of Privacy & Identity Protection

As many as nine million Americans have their identities stolen each year. The crime takes many forms. But when identity theft involves health care, the consequences can be particularly severe. Medical identity theft happens when a person seeks health care using someone else’s name or insurance information. A survey conducted by the Federal Trade Commission (FTC) found that close to 5% of identity theft victims have experienced some form of medical identity theft. Victims may find their benefits exhausted or face potentially life-threatening consequences due to inaccuracies in their medical records. The cost to health care providers — left with unpaid bills racked up by scam artists — can be staggering, too.
The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft. Does the Red Flags Rule cover your practice? If so, have you developed your Identity Theft Prevention Program to detect, prevent, and minimize the damage that could result from identity theft?

WHO MUST COMPLY

Every health care organization and practice must review its billing and payment procedures to determine if the Red Flags Rule covers it. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry. On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law.

If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.

SPOTTING RED FLAGS

The Red Flags Rule gives health care providers flexibility to implement a program that best suits the operation of their organization or practice, as long as it conforms to the Rule’s requirements. Your office may already have a fraud prevention or security program in place that you can use as a starting point. If you’re covered by the Rule, your program must:

1. Identify the kinds of red flags that are relevant to your practice;
2. Explain your process for detecting them;
3. Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
4. Spell out how you’ll keep your program current.

What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule — available at ftc.gov/redflagsrule — sets out some examples, but here are a few warning signs that may be relevant to health care providers:

• Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient looks like? Did the patient give you other documentation inconsistent with what he or she has told you — for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere? Under the Red Flags Rule, you may need to ask for additional information from that patient.
• Suspicious personally identifying information. If a patient gives you information that doesn’t match what you’ve learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date, or Social Security number that doesn’t match information on file or from the insurer, fraud could be afoot.
• Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn’t get? Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? These questionable activities may be red flags of identity theft.
• Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.

SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM

Once you’ve identified the red flags that are relevant to your practice, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? For example, if the patient provides a photo ID that appears forged or altered, will you request additional documentation? If you’re notified that an identity thief has run up medical bills using another person’s information, how will you ensure that the medical records are not commingled and that the debt is not charged to the victim? Of course, your response will vary depending on the circumstances and the need to accommodate other legal and ethical obligations — for example, laws and professional responsibilities regarding the provision of routine medical and emergency care services. Finally, your program must consider how you’ll keep it current to address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors, or if your organization or practice doesn’t have a Board, by a senior employee. The Board or senior employee may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties.
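As an added illustration, not part of the FTC article or of InLight's materials, the following Python sketch shows how the four red-flag categories above (suspicious documents, mismatched identifying information, suspicious account activity, and outside notices) could be checked for one patient account and paired with a response, covering the "identify" and "detect" steps of the program. The record fields, the "repeatedly returned mail" threshold and the response wording are assumptions, and all sample data is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Identity:
    """Identifying data as held by one source: the intake form, our file, or the insurer."""
    birth_date: str      # ISO date, e.g. "1970-05-02"
    home_address: str
    ssn_last4: str

@dataclass
class AccountActivity:
    """Account events since the last review (assumed fields, not a real billing system)."""
    returned_mail: int = 0        # mailings returned as undeliverable
    kept_appointments: int = 0    # appointments the patient attended in the same period
    disputed_services: list = field(default_factory=list)  # bills for care the patient says was not received
    theft_notices: list = field(default_factory=list)      # notices from victims, law enforcement, insurers
    id_document_suspect: bool = False   # staff judged the photo ID altered, forged or not matching

def normalize(value: str) -> str:
    """Case- and whitespace-insensitive comparison key so formatting differences are not flagged."""
    return " ".join(value.lower().split())

def detect_red_flags(intake: Identity, on_file: Identity, insurer: Identity,
                     activity: AccountActivity) -> list[tuple[str, str]]:
    """Return (red flag, response) pairs for one account, one per warning sign found."""
    flags = []
    if activity.id_document_suspect:
        flags.append(("suspicious documents: ID looks altered or inconsistent",
                      "ask the patient for additional identification"))
    # Compare what the patient told us with our own file and with the insurer's records.
    for source_name, source in (("file", on_file), ("insurer", insurer)):
        for attr in ("birth_date", "home_address", "ssn_last4"):
            if normalize(getattr(intake, attr)) != normalize(getattr(source, attr)):
                flags.append((f"suspicious identifying information: {attr} differs from {source_name}",
                              "ask the patient for additional information before proceeding"))
    # Returned mail while the patient keeps attending suggests the address on file is not theirs.
    if activity.returned_mail >= 2 and activity.kept_appointments > 0:
        flags.append(("suspicious activity: mail undeliverable but patient attends appointments",
                      "confirm the address with the patient at the next visit"))
    for service in activity.disputed_services:
        flags.append((f"suspicious activity: bill disputed for {service}",
                      "keep the charge off the patient's account and separate the treatment record"))
    for notice in activity.theft_notices:
        flags.append((f"notice of possible identity theft from {notice}",
                      "investigate before further billing and cooperate with the notifying party"))
    return flags
```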
Your program should include information about training your staff and provide a way for you to monitor the work of your service providers — for example, those who manage your patient billing or debt collection operations. The key is to make sure that all members of your staff are familiar with the Rule and your new compliance procedures.

WHAT’S AT STAKE?

Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your patients that you’re doing your part to fight identity theft.

RISK REDUCTION RECOMMENDATIONS

• Anti-virus
  – Utilize anti-virus software on all computing devices
  – Automatically update anti-virus software at least daily
  – Automatically scan and filter e-mail attachments and downloads before opening files
• Automatically receive virus and threat notifications from the United States Computer Emergency Readiness Team (US-CERT), SANS Institute or a similar provider
• Securely configure firewalls using other than a default configuration
• Configure networks using multiple firewalls (or equivalent) to separate back-office operations from Internet-facing operations
• Promulgate a security policy to all employees and contractors
• Have a tested disaster recovery plan that includes recovery from data center disasters
• Have a tested security incident response plan that addresses both direct (e.g., hacking) and indirect (e.g., virus) attacks upon the network
• Back up network data and configuration files daily
• Store back-up files in a protected location
• Allow remote access to the network only if it is via a VPN or equivalent system
• Monitor network platform vendors at least daily for availability of security patches and upgrades
• Test and install security patches and upgrades within 30 days of availability, preferably within seven days
• Always lock server rooms or otherwise limit access only to authorized personnel
RISK TRANSFER SOLUTIONS

InLight Risk Management provides multiple risk transfer solutions designed to meet your specific needs. This critical liability coverage is necessary for any organization that uses computers to manage information.

What does it cover?

• All network information is covered, enterprise-wide and not just information on Web sites
• Covers claims related to identity theft
• Covers damage due to viruses, denial of service and security breaches
• Includes theft of others’ trade secrets, proprietary or confidential information from the insured’s network

Privacy Injury and Identity Theft

• Unauthorized disclosure of private information
• Regulatory expense
• Private actions arising from unauthorized disclosure of others’ private information in violation of:
  – Any applicable privacy law, e.g., HIPAA, GLBA, COPPA and EU Data Protection Act
  – Insured’s published privacy policy
  – Any security breach notice law
• All network information is covered, enterprise-wide and not just information on Web sites
• Covers any current or future applicable privacy laws worldwide
• Covers claims related to identity theft resulting from unauthorized disclosure of private information
• Insured’s cost to notify others if they suspect a security breach or compromise of their private information
• Insured’s cost to comply with any applicable privacy law or regulation if a regulatory authority notifies them that they may be noncompliant
• Regulatory expense covers first-dollar loss, with no deductibles or co-insurance

Network

Damage to information residing on insured’s network, including:

• Insured’s own information, upon which others rely, residing on a network
• Others’ information on insured’s network
• Damage to others’ information on insured’s network if damage caused by insured
• Network interruption or customers’ inability to access or use insured’s network or their network if interruption is caused by insured
• Theft or unauthorized disclosure of others’ information on insured’s network
• All network information is covered, enterprise-wide and not just information on Web sites
• Covers damage due to viruses, denial of service and security breaches
• Includes outsourced network services for which insured is liable
• Includes theft of others’ trade secrets, proprietary or confidential information in insured’s care

What does it cost?

Premiums are determined by underwriting criteria specific to your company. It stands to reason that a solo physician practice has fewer exposures than a hospital located in a highly populated city. For this reason, premiums begin as low as $500 annually. Protect your organization from a significant, unexpected financial loss by purchasing technology/privacy liability coverage.

Scott L. Fikes
Vice President
InLight Risk Management, LLC
101 Park Avenue, Suite 1100
Oklahoma City, OK 73102
(O) 405.443.2024
(F) 405.443.2001
sfikes@inlightrm.com
www.InLightRM.com