May 11 2010

OCR draft guidelines for security risk analysis

Category: hipaa,Security Risk AssessmentDISC @ 12:42 am

US Department of Health & Human Services
Image by veeliam via Flickr

The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information.

The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHS’ Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.

Risk analysis is a technique used to identify and assess threats and vulnerabilities that may hamper the success of achieving bsuiness goals. In risk analysis determines if the security controls are appropriate compare to the risk presented by the impact of threats and vulnerabilities.

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

Some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST), OCR said

OCR guidance document explains several elements a risk analysis must incorporate, regardless of the method employed. So basically the auditor will be looking for all the elements required by the guidelines during an audit.

OCR dratf guigelines details

Information Security Risk Analysis, Tom Peltier

Tags: Business, Civil and political rights, Health care, health insurance, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, Optical character recognition, Security

Apr 12 2010

Healthcare ID theft may rise with digital records

Category: hipaa,Information SecurityDISC @ 12:25 pm

By Margaret Collins BLOOMBERG NEWS

Sierra Morgan was billed $12,000 on her health care credit card in November for liposuction, a procedure she never requested or received.

“It’s depressing to know that someone used my name and knows so much about me,” said Morgan, 31, a respiratory therapist from Modesto, Calif.

There were more than 275,000 cases in the U.S. last year of medical information theft, twice the number in 2008, according to Javelin Strategy & Research, a market research firm. The average fraud cost $12,100, Javelin said.

“A trend we’ve seen over the past few years is using stolen information to file false claims,” said Louis Saccoccio, executive director of the National Health Care Anti-Fraud Association, a nonprofit research group.

Criminals set up fake clinics to bill for phony treatments, said Pam Dixon, founder of the World Privacy Forum, a nonprofit consumer-research group based in San Diego, which has worked with more than 3,000 victims. Thieves also may impersonate a patient, as in Morgan’s case, and some medical workers download records to sell, she said.

The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The digital files will improve care and help lower costs, the government said, without projecting savings.

“Once files are in electronic form, the crime scales up quickly,” said Dixon, whose group analyzed a decade of consumer data from the Federal Trade Commission and medical identity theft cases from the Department of Justice.

“There are cases where someone has walked out with thousands and thousands of files on a thumb drive,” she said. “You can’t do that with paper files.”

Patients’ medical records are altered to reflect diseases or treatments they never had, which can be life-threatening if they receive the wrong treatment or find their health insurance exhausted, Dixon said. A thief may change the billing address for a victim’s insurance so they’re unaware of charges, she said.

“Once you aggregate and put data in one place, it’s easier for you to see it, but it’s also easier for a criminal to see and use it,” said Scott Mitic, chief executive of TrustedID, a consumer data-protection firm. “The digitization of medical records over the next years is certainly going to make this more of an issue.”

Fraud at a high cost

Brandon Sharp, 38, found more than $100,000 of unpaid medical bills on his credit report when he went to buy a home. The charges included $19,501 for a life-flight helicopter trip and emergency room visits he never used, said Sharp, a project manager for a Houston-based oil company.

“I’m as healthy as they come,” he said.

Sharp said he spent six to nine months correcting his medical files, outstanding charges and credit report.

Medical identity theft is about 2½ times more costly than other types of ID frauds, said James Van Dyke, president of Javelin, in part because criminals use stolen health data an average of four times longer than other identity crimes before the theft is caught.

The average fraud involving health information was $12,100, compared with $4,841 for all identity crimes last year, and consumers spent an average of $2,228 to resolve it, or six times more than other identity fraud, according to Javelin.

“It’s becoming the credit card with a $1 million limit,” said Jennifer Leuer, general manager of, an identity-protection service provided by Experian PLC, a credit reporting firm. “If the health insurance is valid, they’ll treat you and not always check your ID.”

Insurers are improving technology to spot false claims, said Tom McGraw, a senior vice president at Ingenix, a subsidiary of UnitedHealth Group Inc. McGraw leads a group focusing on fraud involving Medicaid and Medicare, the two government-sponsored health programs for the poor and the elderly, he said. The company can now track distances between providers and beneficiaries to identify whether physicians are treating patients who don’t live nearby, he said.

Legislation passed last year requires doctors and hospitals to notify patients when their information has been exposed from a security breach, said Randy Sabett, co-chairman of the Internet and data protection practice at Sonnenschein Nath & Rosenthal, based in the law firm’s Washington office.

To read the remaining article

Tags: Credit card, Health care, health insurance, identitytheft, medicaid, medicare, National Health Care Anti-Fraud Association, Scott Mitic, Sierra Morgan, Sonnenschein Nath & Rosenthal, UnitedHealth Group

Oct 30 2009

HIPAA and business associate

Category: hipaaDISC @ 10:14 pm

How ARRA and HITECH provisions affect HIPAA compliance
AIS reported taht the new HITECH Act requires hospitals, providers, health plans and other HIPAA covered entities (CEs) to meet a February 2010 deadline for revising their business associate (BA) agreements. New language in BA amendments should require BAs to comply with (a) the HIPAA Security Rule,(b) new security breach notification rules and related strategies that CEs choose to implement, and (c) new privacy obligations imposed on CEs by the HITECH Act. Developing and maintaining effective BA relationships should be a top compliance priority for CEs, since privacy and security breaches often take place at the BA level and can be just as damaging to a covered entity’s reputation. With February approaching and lots of tricky questions to resolve, covered entities need a quick crash course in what their options are for designing and implementing these amendments in the next three months.

While the HITECH Act did not come right out and say “business associate agreements must be revised,” it does stipulate that certain provisions “shall be incorporated into the business associate agreement between the business associate and the covered entity.” Among them: business associate agreements must be amended to reflect the new mandate that BAs must comply with the Security Rule, should be amended to provide the covered entity with adequate notice in the event of a security breach, and should incorporate new privacy obligations imposed on CEs by the HITECH Act

Reblog this post [with Zemanta]

Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", breach of privacy, covered entities, health insurance, hipaa, hipaa privacy, hippa compliance, hitech, hitech act, hospital, privacy, SOX HIPAA, status of arra and hitech