Monday, September 25, 2006

Identity Theft

Recent news in the trade press points to an increasing incidence in identity theft in health care. If you can, imagine your health care enterprise featured on the front page of your local newspaper while you are forced to explain to your board, rotary club and friends how such an embarrassing and harmful breach of public trust could have occurred. Below find a rather complete review on the topic from a trusted colleague, Michael O'Rourke.

IDENTITY THEFT: A MAJOR RISK FOR HEALTHCARE PROVIDERS
By Michael O’Rourke ■ 09/25/06

As if healthcare providers don’t have enough to worry about with all the other compliance issues – now ID Theft is on the radar – or should be.

Envision what steps would be taken in your healthcare organization if 10 million people were affected by bird flu last year. Would every employee be trained and every employee be protected? Last year the ID Theft epidemic affected 10 million individuals in the U.S. alone. And loss of data continues unabated, destroying lives and generating lawsuits.

Of the 32 major data breaches reported by companies just this month (Sept 1st-23rd), 8 have been healthcare related: data lost from a hospital or physician group, or data lost by third parties, that includes a patient’s personal identifiers and medical information.
View details: http://www.privacyrights.org/ar/ChronDataBreaches.htm

Most people have heard of identity theft (IDT), but unless you have been a victim, few consider that they are at risk. An alarming figure is that over half of the 10 million new IDTs each year originate from a place of business, employer, or other entity (not-for-profit, state, or federal government). And yes, that includes hospitals and clinics.

Healthcare breaches: For accidental breaches, the risk is high in healthcare due to the large number of employees and the daily handling of information. For intentional breaches by identity thieves who deliberately seek employment in healthcare, where better than healthcare (other than the banking industry) could someone easily access names, Social Security numbers, birthdates, credit card numbers, checking account numbers, and health insurance information? Many hospitals even take a photocopy of a patient’s driver’s license. For a low-paid hourly employee with no fear and no morals, getting paid $10 per IDT is pretty tempting. To them, reimbursement has a whole different meaning.

Healthcare Organization Vulnerability:
The major risks to healthcare are the same as for any business, and they include:
o Victimization of owners, managers, employees, customers (patients), clients and vendors.
o Fraudulent use of the business identity.
o Public, legal and financial consequences of privacy, security and regulatory breaches.

When any person with a relationship to a business becomes a victim of identity theft, the business is potentially at risk. ID Theft can have a significant impact on the management, operations, financial credit, public credibility, and income of a healthcare organization.

Laws that aim to protect NPI (non-public personal information):
Violation of the following federal laws includes hefty federal and state fines per occurrence, civil liability for victim losses (including class action lawsuits), and in some instances the legislation provides for removal and/or imprisonment of culpable business executives.

• Fair and Accurate Credit Transactions Act Disposal Rule

This provision of FACTA (aka FACT Act) requires reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal. This rule applies to any person that maintains or possesses consumer information, and it applies to individuals such as landlords, all businesses, and all entities (government and non-profits) that possess consumer information. Employees are considered consumers under the law.

• Gramm-Leach-Bliley Act Safeguards Rule

The GLBA Safeguards Rule requires financial institutions to implement policies and procedures to maintain the security and confidentiality of nonpublic personal information. A financial institution is defined as a business significantly engaged in providing financial services or products for personal, family, or household use.

It applies to check-cashing and payday loan services companies, mortgage brokers, non-bank lenders, personal property and real estate appraisers, professional tax preparers, credit reporting agencies, ATM operators, debt collectors, financial advisors, insurance agents, agencies and brokers, and a variety of other businesses that fit the definition.

• Health Insurance Portability and Accountability Act

HIPAA rules apply to any individual or organization that collects or retains protected health information in paper or electronic form. It also requires all businesses with small self-insured or fully-insured health plans to maintain the confidentiality, integrity, and security of employee health information.

Internal Actions to Consider:

There are a number of legal, regulatory, human resource, and business insurance issues that employers must consider. For example, some businesses and entities are taking an affirmative defense against penalties, lawsuits, and business interruption by offering some form of identity theft risk mitigation service and legal counsel service to employees and even to their customers when appropriate.

The aim is minimizing lost work time, penalties, lawsuits, and compensatory damages that may result from workplace identity theft.

What you can do:

• Understand what legislation may apply to your healthcare organization.
• Appoint an information security officer if GLBA or HIPAA applies.
• Develop policies, procedures and training for FACTA and other applicable legislation.
• Conduct and document employee training on IDT and confidentiality policies.
• Take an affirmative defense against penalties, litigation, and business interruption.

You can defuse the threat to your healthcare organization by taking appropriate steps to minimize risks to your organization and by accepting broader responsibility to protect the nonpublic personal information of employees, customers, and others.

■ ■ ■
Disclaimer: The author is not an attorney. Information provided herein should not be construed as legal advice. Each business entity is different and requires consultation with qualified legal counsel and risk managers.
■ ■ ■
Michael O’Rourke is a certified identity theft risk management specialist. He is co-owner of the Secure Business Group of Colorado Springs, CO, helping small businesses and large healthcare organizations mitigate the threat of ID Theft through an affirmative defense program. He can be reached at (719) 339-9929 or visit on the web at: SecureBizGroup.com