Patient Verification vs. Identity Fraud

A recent article in Healthcare Info Security discusses a study conducted by the Ponemon Institute and sponsored by Experian’s ProtectMyID. The study asserts that nearly 70 percent of medical ID theft incidents involved others fraudulently using the victim’s credentials to obtain healthcare services. In more than half of the medical ID theft cases, the victims didn’t report the incidents to law enforcement, often because they knew the person who stole their identity.

This is often called the “Robin Hood effect” because family members allow their insurance card to be used to cover uninsured relatives. It is understandable why someone might help out an ailing relative; however, cases have been found where cards were used to purchase medical devices and equipment, such as scooters, that were later sold on eBay.

The Affordable Care Act estimates that healthcare reform could bring coverage to 30 million people who currently lack it. By covering more people, we should see a substantial drop in the number of uninsured, but will we see a corresponding drop in medical ID theft? That may be optimistic.

That’s because not all health insurance policies are created equal. Some of the least expensive new offerings expected to become available on the market, or provided through the expansion of state-level Medicaid and Children’s Health Insurance Programs, might not offer all the benefits someone wants, Ponemon says. There could still be a motivation to fraudulently gain access to better policies that carry more benefits.

One way to deter medical identity fraud is to add advanced technologies like biometrics to insurance cards. The biometrics would be used to verify the identity of the patient at every visit and would prevent fraudulent use of the insurance plan. Biometric identification would also support […]

Utah Getting Act Together on Healthcare IT Security

Healthcare IT security has been a sensitive subject for the past 12 months in Utah’s health care community, which has suffered two major healthcare security breaches.

The Future of EHR Security: Good and Bad News

The future of Electronic Health Records (EHR) security will be impacted by the findings of several studies conducted in the past year. From what I can tell, these studies bring with them both good and bad news.

HealthCare Providers Need IT Security Training

It appears that the health care industry lacks an understanding of basic information technology security. Dr. David Lee Scher, MD, just wrote an article for the Healthcare IT and Technology blog outlining five things healthcare providers should know about electronic health record security. From his article, it is obvious that health care workers could use some IT security training.

Here are some of the problems he described.

30% of physicians did not use antivirus on their office computers.
34% of physicians’ offices did not have network firewalls.
The Inspector General of the HHS Office for Civil Rights inspected 7 hospitals for HIPAA compliance and found that although ALL of them had implemented some policies and rules to protect EHRs, none had implemented sufficient controls to adequately protect patient privacy. Common violations were improper disposal of printed records and leaving computer screens on and unattended.
Most EHR systems date and time stamp all entries. These entries are permanent records and cannot be deleted, only corrected, so healthcare providers should be careful about what they put in the record. The entry log may be audited by the practice or IT manager, as well as by attorneys during discovery.
Most breaches of private data do not come from “hackers” but from improperly stored or lost data, the result of individuals not following hospital security protocols.

Data security is the responsibility of everyone in the hospital or the doctor’s office. All staff should be fully aware of their roles and responsibilities in keeping private patient information safe and secure. Like anyone else who works with information technology, healthcare providers should have annual security training and be aware of the consequences of not following the protocols.

You can read Dr. Scher’s blog at healthcaretechnologymagazine.com.

Privacy by Design or Redesign—a new International Standard

Dr. Ann Cavoukian, Privacy Commissioner of Ontario, Canada, is recognized as one of the leading privacy experts in the world. She has been working with a concept called Privacy by Design for over 20 years. The idea is that privacy should be designed into systems from the beginning, not added as an afterthought. System designers should be made aware of privacy issues and be proactive about embedding privacy protections into the system.

Dr. Cavoukian states: “We know from the academic literature that whatever the default condition is, that condition rules 80 percent of the time. I want that to be privacy. By default, I mean it is automatically available to the user without them having to ask for it. It’s embedded; it’s built into the system.”

There is an annual international conference of privacy commissioners and data protection regulators, usually held in Europe. Last year, the conference was hosted in Israel, where the privacy commissioners unanimously passed an international resolution making Privacy by Design an international standard. The standard is now being adopted worldwide, not only in Canada and the EU. The Federal Trade Commission has made it one of its three recommended practices. Senators Kerry and McCain recently introduced a commercial privacy bill of rights which, for the first time, uses language taken directly from the Privacy by Design standard.

Privacy has become a “hot topic” recently due to what seems to be an endless series of security breaches in the health care and banking industries. To address this state of affairs, Dr. Cavoukian has developed a new concept called Privacy by Redesign, intended to bring privacy into systems that have already been built. To do so, organizations need to look at the uses of data, what is permissible and what isn’t, […]

Access Logs Recommended for EHRs

The Department of Health and Human Services’ Office for Civil Rights’ recent notice of proposed rulemaking on accounting of disclosures introduces a valuable privacy tool for individuals: the access report.

The HIPAA Security Rule’s information system activity review specification [164.308(a)(1)] requires organizations to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” The rule’s audit controls standard [164.312(b)] requires organizations to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Adam Greene, the primary author of the proposed accounting of disclosures rule mandated under the HITECH Act, states that the proposed rule takes a two-pronged approach.

First, the proposed rule spells out revised HIPAA requirements to provide patients with an accounting of disclosures of protected health information to outside parties for certain purposes, such as law enforcement and public health.

Second, the proposal requires providing patients, upon request, with “access reports” that summarize who electronically accessed their information. Greene explains that the rule attempts to answer the question, “What’s the best way to get the information that individuals are most interested in, which is, who has seen their records?” He points out that under the proposed rule, a patient could simply ask whether a specific individual has electronically accessed their records, or they could ask for a complete list of everyone who has accessed them.

Kate Borten, president of The Marblehead Group, a health information privacy and security consulting firm, agrees that the Access Report recommendation deserves industry support.

“Access logs and reports are the primary, if not only, way for organizations and individuals to identify inappropriate electronic snooping by otherwise authorized users—a serious problem wherever many users have access […]

Health IT Policy Committee Recommends Two-Factor Authentication for EHRs

The Health IT Policy Committee on June 8 accepted a recommendation that all organizations participating in the Nationwide Health Information Network initiative (NwHIN) should use digital certificates that meet the same authentication standards already required for federal agencies. Final approval of the recommendation rests with the Department of Health and Human Services.

One of the main motivations for the digital certificate requirement is that most healthcare organizations, at some point, will have to exchange information with a federal agency, and that requires use of Federal Bridge standards.

The authentication recommendation, which came from the Privacy and Security Tiger Team, states, “all certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a certificate authority (or one of its authorized resellers) that is a member of the Federal Public Key Infrastructure Framework.”

Paul Egerman, tiger-team co-chair, told the committee that an electronic health records (EHR) vendor, for example, could serve as a certificate reseller. In addition, about six certificate authorities now offer the Federal Bridge certificates at prices of $100 or less per organization.

In addition to the authentication recommendations, the committee recommended that, for stage two of the HITECH Act electronic health record incentive program, participants should verify how they’re keeping stored data secure, such as through encryption.

HHS is slated to issue a proposed rule setting requirements for stage two of the EHR incentive program by year’s end, with a final rule due by mid-2012.

In light of that timeline, the HIT Policy Committee on June 8 recommended that HHS fine-tune the deadline for certain participants in the program to achieve stage two benchmarks. Under the revised plan, those that attest to qualifying for stage one in 2011 would have until 2014, instead of 2013, […]

Electronic Health Records Help Bring Hospital Back Online After Disaster

Just weeks before the powerful F5 tornado ripped through Joplin, Missouri, severely damaging St. John’s Regional Medical Center, St. John’s had converted to a new electronic health records system. Having all of its records online and backed up in another city allowed the hospital to have a 60-bed mobile hospital up and running in less than a week.

“If the tornado had hit a month earlier, before installing the electronic health record system in Joplin, St. John’s would not have been able to bring up our mobile hospital within a week’s time. We still would not be operational at this point,” said Mike McCreary of Mercy Technology Services.

“Today, patients have continuity of care across all of our physician locations and the new St. John’s Mercy Hospital, and connection to the entire Mercy health system, because of our EHR and our ability to quickly re-establish communication services.” McCreary noted that St. John’s patients also have access to historical medical records. More current health information was stored within the new EHR, and older paper records had been scanned prior to the tornado and are securely stored on servers located in other communities.

Read the complete story at Healthcaretechnologymagazine.com.

HHS OIG Finds Security Lacking in Health Information Technology Infrastructure

The Department’s Office of the National Coordinator (ONC) provides leadership for the development and nationwide implementation of an interoperable health information technology (HIT) infrastructure. ONC is charged with guiding the nationwide implementation of interoperable HIT to reduce medical errors, improve quality, produce greater value for health care expenditures, ensure that patients’ individually identifiable health information is secure and protected, and facilitate the widespread adoption of electronic health records (EHR).

On May 16, 2011, the Health and Human Services Office of the Inspector General (OIG) released the Audit of Information Technology Security Included in Health Information Technology Standards.

The Executive Summary states: “ONC had application information technology (IT) security controls in the interoperability specifications, but there were no HIT standards that included general information IT security controls. General IT security controls are the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls.”

At the time of the initial audit, the interoperability specifications were the ONC HIT standards and included security features necessary for securely passing data between EHR systems (e.g., encrypting transmissions between EHR systems). These controls in the EHR systems were application security controls, not general IT security controls.

The OIG recommendations are as follows:

The ONC should broaden its focus from interoperability specifications to also include well-developed general IT security controls for supporting systems, networks, and infrastructures.
The ONC should use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices.
The ONC should emphasize to the medical community the importance of general IT security.
The ONC should coordinate its work with the Centers for Medicare […]

HHS Privacy and Security Tiger Team Findings Part 2

Last week, I summarized the findings of the Health and Human Services Health Information Technology Policy Committee’s Privacy and Security Tiger Team (Tiger Team).

As a reminder, their charge was to “make short-term and long term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act (ARRA) of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Their findings were put out for public comment from April 11 to May 11, 2011. Below is a series of excerpts from the comments that represent the major points of discussion. The full set of comments can be viewed on the HHS Federal Advisory Committee Blog.

There should be a health industry discussion on general tracking and accounting of disclosures. ARRA-HITECH proposed rules have not been released and there has been little industry discussion regarding how disclosures can be tracked, especially in larger organizations where disclosure may occur. This is both a policy and a technology issue.
Methods for tracking exchange partners need to be developed. Web site info with the ability for the patient to print should cover it, and maybe an annual signoff indicating they know where to find it if they want it. A NwHIN participant will have difficulty keeping track of all the potential indirect participants. If the level of HIEs gets to 225-250-plus, keeping a list of the possible exchange partners becomes overwhelming and probably complicated for the individual to understand.
Confidentiality is crucial to reducing barriers to care for adolescents. It has long been recognized that if adolescents do not believe […]