TRANSCRIPT
1
HIPAA 101: Basic Session
HCCA Compliance Institute April 2005
2
GROUND RULES
THIS IS A BASIC SESSION
• If you expected something beyond the basics, this is not the session to attend
• You are welcome to stay
• However, if you stay you cannot write on your evaluation that this was too basic
Please turn your cell phones and pagers to vibrate or off.
3
Agenda
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
2. Transaction Code Sets
3. National Provider Identifier (NPI)
4. Privacy Regulations
5. Security Regulations
4
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health insurance access, portability, and renewal
• Attempts to prevent healthcare fraud and abuse
• Allows health insurance tax deduction for self-employment
• Promotes administrative simplification
5
Transaction Code Sets
Compliance Date:
• Original: October 16, 2002 (except small health plans – 2003)
• Extension: October 16, 2003
6
Transaction Code Sets
(1) Original:
• Proposed: May 7, 1998
• Published: August 17, 2000, Volume 65, Number 160, pp 50312-50372
• Effective Date: October 16, 2000
(2) Modifications:
• Proposed: May 31, 2002
• Published: February 20, 2003, Volume 68, Number 34, pp 8381-8399
• Effective Date: March 24, 2003
Documents can be located at:
1. http://www.cms.hhs.gov/hipaa/hipaa2/regulations/transactions/finalrule/txfinal.pdf
2. http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0003ofr2-10.pdf
7
Administrative Simplification
• Defines standards for electronic transaction submission
• Establishes standard code sets
• Establishes unique identifiers
8
Administrative Simplification
Standard Electronic Transactions
• 837I (institutional)
• 837P (professional)
• 835 (payment and remittance advice)
• 270/271 (eligibility inquiry and response)
• 276/277 (claim status inquiry and response)
• 278 (referral certification and authorization)
• 834 (health plan enrollment / disenrollment)
• 820 (health plan premium payment)
• 275 (proposed)
9
Administrative Simplification
Standard Code Sets
• ICD-9-CM (diagnosis and procedures)
• NDC (national drug codes)
• CPT-4 (physician procedures)
• HCPCS (ancillary services/procedures)
• CDT (dental terminology)
No more local codes
10
Administrative Simplification
Standard Identifiers
• Employer Identification Number (EIN)
• National Provider Identifier (NPI)
• Health Plan (Payer) Identifier (forthcoming)
Claims Attachment Standards (forthcoming)
11
837 (Institutional & Professional) Requires
• Billing provider employer identification number (EIN) or Social Security number (SSN).
• Pay-to provider EIN or SSN.
• Rendering provider EIN or SSN. Many physicians are refusing to give out this information where they are not the billing or pay-to providers, i.e., they are performing a service for a hospital.
• Hospitals have been substituting their own EIN where they can't get the physicians'.
• Medicare is allowing a "dummy" EIN for the second reference when the physician EIN/SSN is unknown: 999999999 can be substituted for the valid value.
12
Enforcement Approach
Centers for Medicare & Medicaid Services (CMS) is responsible for enforcing the electronic transactions and code sets provisions of the law. CMS will focus on obtaining voluntary compliance and use a complaint-driven approach for enforcement of HIPAA’s electronic transactions and code sets provisions. When CMS receives a complaint about a covered entity, it will notify the entity in writing that a complaint has been filed.
13
Enforcement Approach
Following notification from CMS, the entity will have the opportunity to:
• demonstrate compliance,
• document its good faith efforts to comply with the standards, and/or
• submit a corrective action plan.
14
Demonstrating Compliance
Covered entities will be given an opportunity to demonstrate to CMS that they submitted compliant transactions.
15
Good Faith Policy
CMS recognizes that transactions often require the participation of two covered entities and that noncompliance by one covered entity may put the second covered entity in a difficult position. CMS intends to look at both covered entities’ good faith efforts to come into compliance with the standards in determining, on a case-by-case basis, whether reasonable cause for the noncompliance exists and, if so, the extent to which the time for curing the noncompliance should be extended.
16
Good Faith Policy
CMS will not impose penalties on covered entities that deploy contingencies (in order to ensure the smooth flow of payments) if they have made reasonable and diligent efforts to become compliant and, in the case of health plans, to facilitate the compliance of their trading partners. Specifically, as long as a health plan can demonstrate to CMS its active outreach/testing efforts, it can continue processing payments to providers. In determining whether a good faith effort has been made, CMS will place a strong emphasis on sustained actions and demonstrable progress.
17
Examples of Good Faith
• Increased external testing with trading partners.
• Lack of availability of, or refusal by, the trading partner(s) prior to October 16, 2003 to test the transaction(s) with the covered entity whose compliance is at issue.
• In the case of a health plan, concerted efforts in advance of October 16, 2003 and continued efforts afterwards to conduct outreach and make testing opportunities available to its provider community.
18
CMS Complaint Form
Complaint Type
• Non-Compliant Data Received
• Compliant Data Sent and Rejected
• Invalid Companion Guide
• Privacy Violation
• Other, HIPAA Administrative Simplification Act Violation
• Other
19
National Provider Identifier (NPI)
Health plans assign identification numbers to health care providers -- individuals, groups, or organizations that provide medical or other health services or supplies. The result is that providers who do business with multiple health plans have multiple identification numbers. The NPI is a unique identification number for health care providers that will be used by all health plans.
• Final rule: January 23, 2004
• Effective date: May 23, 2005
• Compliance date: May 23, 2007
• Small health plans: May 23, 2008
20
National Provider Identifier (NPI)
The NPI is a 10-position numeric identifier with a check digit in the last position to help detect keying errors.
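The slide says only that the last digit is a check digit. The specific rule is CMS's published method, not stated on the page: the check digit is computed with the Luhn formula over the nine identifier digits prefixed with the constant 80840 (the ISO 7812 issuer prefix assigned to HHS), so a 10-digit NPI validates the way a 15-digit card number does. The code below is an added example, not part of the HCCA slides; the function names are my own, and the worked value 123456789 -> 3 is CMS's own published example.

```python
# Added example (not from the HCCA slides): validating the NPI check digit.
# Fact, not an assumption: CMS computes the check digit with the Luhn formula
# over the nine identifier digits prefixed with the constant 80840, the ISO 7812
# issuer prefix assigned to HHS.

NPI_PREFIX = "80840"  # ISO 7812 issuer prefix used by CMS for NPIs


def _luhn_sum(digits: str, double_rightmost: bool) -> int:
    """Luhn weighted digit sum.

    When computing a check digit, the payload's rightmost digit is doubled
    (the check digit will sit to its right). When validating a full number,
    the rightmost digit is the check digit itself and is not doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 0) == double_rightmost:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to summing the two digits of the product
        total += d
    return total


def npi_check_digit(identifier: str) -> int:
    """Return the check digit for a 9-digit NPI identifier part."""
    if len(identifier) != 9 or not identifier.isdigit():
        raise ValueError("identifier part must be exactly 9 digits")
    total = _luhn_sum(NPI_PREFIX + identifier, double_rightmost=True)
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is 10 digits and its last digit is the correct check digit."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return _luhn_sum(NPI_PREFIX + npi, double_rightmost=False) % 10 == 0


if __name__ == "__main__":
    # CMS's published worked example: identifier 123456789 -> check digit 3.
    print(npi_check_digit("123456789"))   # 3
    print(is_valid_npi("1234567893"))     # True
    print(is_valid_npi("1234567890"))     # False: wrong check digit
    print(is_valid_npi("1234657893"))     # False: two adjacent digits transposed
```

The check digit catches every single-digit keying error and most adjacent transpositions (the classic Luhn blind spot is swapping 0 and 9), which is exactly the "keying errors" the slide refers to. It is a data-quality control, not a security one: anyone can compute a valid check digit, so an NPI that validates is well-formed, not necessarily real or assigned to the provider claiming it.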
21
Uses of the NPI
The NPI must be used in connection with the electronic transactions identified in HIPAA. The NPI may be used in several other ways:
(1) by health care providers to identify themselves in health care transactions identified in HIPAA or on related correspondence;
(2) by health care providers to identify other health care providers in health care transactions or on related correspondence;
(3) by health care providers on prescriptions (however, the NPI could not replace requirements for the Drug Enforcement Administration number or State license number);
(4) by health plans in their internal provider files to process transactions and communicate with health care providers;
22
Uses of the NPI
(5) by health plans to coordinate benefits with other health plans;
(6) by health care clearinghouses in their internal files to create and process standard transactions and to communicate with health care providers and health plans;
(7) by electronic patient record systems to identify treating health care providers in patient medical records;
(8) by the Department of Health and Human Services to cross reference health care providers in fraud and abuse files and other program integrity files;
(9) for any other lawful activity requiring individual identification of health care providers, including activities related to the Debt Collection Improvement Act of 1996 and the Balanced Budget Act of 1997.
23
Questions & Answers
24
What health care transactions are required to use the standards under this regulation?
1. Health claims and equivalent encounter information.
2. Enrollment and disenrollment in a health plan.
3. Eligibility for a health plan.
4. Health care payment and remittance advice.
5. Health plan premium payments.
6. Health claim status.
7. Referral certification and authorization.
8. Coordination of benefits.
25
Who is required to use the standards?
All private sector health plans (including managed care organizations and ERISA plans), government health plans (including Medicare, State Medicaid programs, the Military Health System for active duty and civilian personnel, the Veterans Health Administration, and Indian Health Service programs), all health care clearinghouses, and all health care providers that choose to submit or receive these transactions electronically are required to use these standards.
26
Do I have to use standard transactions when conducting business inside my corporate boundaries?
The decision on when a standard must be used does not depend on whether the transaction is being sent inside or outside corporate boundaries. Instead, a simple two part test, in question form, can be used to determine whether the standards are required.
27
Two Part Test
Question 1: Is the transaction initiated by a covered entity or its business associate? If no, the standard need not be used.
Question 2: Is the transaction one for which the Secretary has adopted a standard? If yes, the standard must be used. If no, the standard need not be used.
28
What is the effect on State law?
Section 1178 of the Social Security Act provides that standards for the transactions will supersede any State law that is contrary to them, but allows for an exception process.
29
Does the law require physicians to buy computers?
No, there is no such requirement. However, more physicians may want to use computers for submitting and receiving transactions such as health care claims and remittances/payments electronically. Remember that submission of paper claims to Medicare may result in slower payment.
30
How will the standards affect data stored in my system?
The transaction standards will apply only to electronic data interchange (EDI) -- when data are transmitted electronically between health care providers and health plans as part of a standard transaction. Data may be stored in any format as long as it can be translated into the standard transaction when required. Security standards, on the other hand, will apply to electronic protected health information.
31
Privacy Standards
I said to shred the document, not the person reading it!
32
What’s protected?
All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally.
33
HIPAA Identifiers
(A) Names;
(B) Street address, city, county, precinct, zip code, and equivalent geo-codes;
(C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan ID numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers/serial numbers;
(N) Web addresses (URLs);
(O) Internet IP addresses;
(P) Biometric identifiers, incl. finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.
34
Covered Entities
• Health Plans
• Health Care Clearinghouses
• Health Care Providers
35
PHI may be used or disclosed under one of four headings:
• Uses & Disclosures for TPO
• Authorization
• Uses & Disclosures in the public interest
• Uses & Disclosures with an opportunity to object
36
How can a covered entity use and disclose PHI?
• Treatment, Payment & Healthcare Operations (TPO)
• Without an authorization if statutorily excepted
• After the patient has been given an opportunity to object
• Only with the patient's explicit permission
37
U & Ds without the patient's explicit permission
• Treatment, Payment & Health Care Operations (164.506)
• As required by law (164.512)
• Marketing & fundraising (pursuant to strict limitations)
38
U & Ds for TPO
Examples:
• A healthcare provider can discuss the patient's case with her colleagues to determine the best course of treatment
• A health plan can share information with the nursing home regarding payment for services
• A compliance office can obtain charts for compliance audits
39
U & Ds that do not require an authorization
Mandatory disclosures: HIPAA only mandates disclosures in two instances (164.502(a)):
• To the patient, with some exceptions
• To the Secretary of DHHS to investigate an alleged privacy violation
40
U & Ds for Other Purposes
Permissive disclosures (164.512):
• Public Health Activities
• Report Abuse & Neglect
• Health Oversight Activities
• Legal Proceedings
• Law Enforcement
• Information about Decedents
• Organ & Tissue Donation
• Research
• Avert Serious Threat
• Specialized Gov. Functions
• Workers' Compensation
41
Public Health Activities
• Prevent or control disease, injury or disability
• Vital statistics, births & deaths
• Public health surveillance
• Public health investigations
• Report child abuse or neglect
• FDA reporting
• Alert individual of possible exposure to communicable disease
• Employers, under limited circumstances
42
Report Abuse or Neglect
Report to authorities authorized by law to receive information about victims of abuse, neglect or domestic violence
• Based on reasonable belief
• CE must inform the individual of the disclosure unless
  - There is a reasonable belief this would place the individual at risk for serious harm, or
  - It would mean informing a personal representative who is believed to be responsible for the abuse or neglect
43
Health Oversight Activities
Disclosures may be made to entities authorized by law to oversee:
• The health care system
• Government benefit programs for which health information is relevant to beneficiary eligibility
• Entities subject to government regulatory programs
• Entities subject to civil rights laws
44
Health Oversight Activities (cont.)
This does not include investigations where the individual is the subject of the investigation if it is not directly related to:
• The receipt of health care
• A claim for public benefits related to health, or
• Qualification for or receipt of a public benefit or service if health is integral to the claim
45
Legal Proceedings
Court orders
• Limited to the PHI expressly authorized
Subpoenas, discovery requests or other lawful process, if satisfactory assurances are received that either:
• The subject of the information has been notified & given a chance to object
• A qualified protective order has been requested
• The CE notifies the individual or seeks a protective order
46
Law Enforcement
• If pursuant to process or otherwise required by law
• Identification and location
• Victims of a crime
• Decedents, if there is suspicion that death was the result of criminal conduct
• Crime on the premises
• Report crime in an emergency
47
Information about Decedents
Coroners & Medical Examiners
• Determine cause of death
• Identification
• Other duties authorized by law
Funeral Directors
• Information necessary to carry out their duties
48
Organ and Tissue Donation
May disclose information necessary to facilitate organ, eye, or tissue donation
49
Research
• Waiver or alteration of authorization approved by privacy board or IRB
• Reviews preparatory to research
• Research on decedents' information
• De-identified data
• Limited data set used
50
De-identified data? Data from which the following identifiers have been removed (the same list as the HIPAA Identifiers slide):
(A) Names;
(B) Street address, city, county, precinct, zip code, and equivalent geo-codes;
(C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan ID numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers/serial numbers;
(N) Web addresses (URLs);
(O) Internet IP addresses;
(P) Biometric identifiers, incl. finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.
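The identifier list on the HIPAA Identifiers slide and its repeat on the De-identified data slide is the checklist a compliance office works from when it reviews a data extract before release. The code below is an added example, not from the HCCA slides: it scans free text for the identifier categories that have a recognisable pattern (dates, telephone/fax, e-mail, SSN, labelled MRN, URL, IP address, ages over 89) and redacts them. The clinical note it runs on is constructed and fictional. Names (A), addresses (B) and most numbered identifiers (I, J, K) have no reliable pattern and must be handled at the field level; the example shows that limitation by leaving the fictional name in place.

```python
import re

# Constructed, fictional clinical note used only to exercise the scanner.
SAMPLE_NOTE = (
    "Pt John Doe, DOB 03/14/1931, age 94, seen 2005-02-10. "
    "Call 502-555-0123, fax (502) 555-0199, email jdoe@example.com. "
    "SSN 123-45-6789, MRN 000112233. Portal https://portal.example.org/u/42 "
    "from IP 192.168.10.5."
)

# Pattern-detectable Safe Harbor categories, labelled with the slide's letters.
# Order matters for redaction: URLs before IP addresses, e-mail before phone.
PATTERNS = [
    ("N URL", re.compile(r"\bhttps?://\S+")),
    ("F e-mail address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("G social security number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("H medical record number", re.compile(r"\bMRN\s*:?\s*\d+\b")),
    ("O IP address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("C date element", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
    ("D/E telephone or fax number", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
]
# Ages are only an identifier when over 89 (category C).
AGE_RE = re.compile(r"\bage\s+(\d{1,3})\b", re.IGNORECASE)


def scan(text: str) -> dict:
    """Map each Safe Harbor category found in text to the matching strings.
    An empty dict means no pattern-detectable identifier was found; it does
    NOT mean the text is de-identified (names etc. are not pattern-checkable)."""
    found = {}
    for label, rx in PATTERNS:
        hits = rx.findall(text)
        if hits:
            found[label] = hits
    ages = [a for a in AGE_RE.findall(text) if int(a) > 89]
    if ages:
        found["C age over 89"] = ages
    return found


def redact(text: str) -> str:
    """Replace each detected identifier with its category tag; ages over 89
    collapse to the Safe Harbor aggregate '90 or older'."""
    text = AGE_RE.sub(
        lambda m: "age 90 or older" if int(m.group(1)) > 89 else m.group(0), text
    )
    for label, rx in PATTERNS:
        text = rx.sub(f"[{label}]", text)
    return text


if __name__ == "__main__":
    for label, hits in scan(SAMPLE_NOTE).items():
        print(f"{label}: {hits}")
    print(redact(SAMPLE_NOTE))
```

In practice a scanner like this is a pre-release gate, not the de-identification itself: a record that passes it still needs the name and address fields stripped or the limited data set / expert determination route the Research slide mentions.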
51
Avert a Serious Threat
May disclose PHI consistent with applicable law & standards of ethical conduct if the CE believes in good faith that the disclosure is necessary to avert a serious & imminent threat to
• The public
• An individual
May not make the disclosure if the information is learned under certain conditions
52
Specialized Governmental Functions
• Military & veteran activities
• National security
• Protection of the President & others
• Medical suitability determinations
• Correctional institutions
• CEs that are governmental entities providing public benefits
53
Workers’ Compensation
May disclose to the extent necessary to comply with workers’ compensation laws or other similar programs
54
U & Ds that require an opportunity to object (164.510)
• Facility Directories
• Family, Friends and others
  - Involved in the patient's care
  - Involved in payment for the patient's care
• Notification
55
U & Ds Requiring an Authorization
All uses and disclosures of PHI that are not explicitly required or allowed under the regulations may only be done with an authorization.
• Marketing
• Fundraising
56
Patient’s Rights Under HIPAA
• Access and copy information (164.524)
• Request restriction of use for TPO or under 164.510(b)
• Request confidential communication
• An accounting of disclosures
• Receive a copy of the notice of privacy practices
• Request amendments
57
Request Restrictions
45 CFR 164.522(a)
• Only applies to PHI used or disclosed for TPO or pursuant to 164.510(b)
• A covered entity is not required to agree
• If the CE agrees, it is bound by the restriction
58
Request Confidential Communications
45 CFR 164.522(b)
Providers
• Must accommodate reasonable requests
Health Plans
• Must accommodate if the individual clearly states that the disclosure of all or part of the information could endanger the individual
59
Access and Copy Information
45 CFR 164.524
Individuals have a right to access the PHI about them in a DRS, except:
• Psychotherapy notes
• Information prepared in reasonable anticipation of litigation
• Information subject to CLIA, if CLIA prohibits access
60
Access and Copy Information
Denial of access is non-reviewable if
• PHI is excepted from the right to access
• Individual is an inmate and access would jeopardize the facility
• Research information, if explained in the research authorization
• Information is subject to the Privacy Act
• Information was obtained with a promise of confidentiality from someone other than a health care provider
61
Access and Copy Information
Reviewable grounds for denial
• A licensed health care professional believes access would endanger the individual or another person
• Information was received from another person and access could cause substantial harm to that individual
• Request is made by a personal representative and access could cause substantial harm to the individual
62
Access and Copy Information
• Must have a process for review
• Requests for access must be acted upon within 30 or 60 days
• Can get one 30-day extension
• Can charge for copies
63
Request an Amendment
Individual may have information in the DRS amended
CE may deny the request if
• It determines the information is correct
• CE did not create the information
• Information is not part of the DRS
• Individual would not have the right to access under 164.524
CE must respond to the request in 60 days
64
Accounting of Disclosures
45 CFR 164.528
CE must account for all disclosures of PHI unless the disclosure was made
• For TPO
• With an authorization
• In a LDS
• As an incidental disclosure
• To the subject of the information
• For national security purposes
• Pursuant to 164.510
• Prior to 4/14/03
• To a correctional institution
65
Receipt of Notice of Privacy Practices
45 CFR 164.520
Individuals have a right to receive the notice of privacy practices at their first encounter after 4/14/03 or upon request
66
Other HIPAA Issues
• Minimal Necessary
• Organizational Arrangements
  - Organized Health Care Arrangements
  - Affiliated Covered Entities
  - Hybrid Covered Entities
• Business Associates
• Group Health Plans
• Miscellaneous issues
  - Psychotherapy notes
  - Verification processes
• Preemption of state law
67
Minimal Necessity
Role based access
• Assure that individuals only have access to the information needed to do their job
Disclosures
• Disclose only the minimum necessary for the purpose of the disclosure
• Does not apply to disclosures made
  - With an authorization
  - To a provider for treatment
  - To the subject of the information
  - To the Secretary of DHHS
  - As required by law
  - As required to comply with the regulations
68
Organizational Arrangements
Organized Health Care Arrangements (OHCA)
• Clinically integrated
• More than one CE participates
Affiliated Covered Entities (ACE)
• Legally separate CEs that are affiliated by common ownership or control
Hybrid Covered Entity (HCE)
• Single covered entity with non-health care components
69
Business Associates
• Business associates are entities that perform services for or on behalf of a CE involving PHI.
• Must have a business associate agreement
• A CE can be the business associate of another CE
70
Group Health Plans
• Group health plans are covered entities under HIPAA
• The employer is not the covered entity
• A GHP's notice of privacy practices requires a statement regarding the use and disclosure for plan administrative functions
71
Miscellaneous Issues
Psychotherapy notes
• Part of the DRS
• Require an authorization for uses and disclosures, even for TPO
Verification process
• Must verify that individuals to whom you are disclosing information are really who they say they are
72
Administrative Requirements
• Designate a privacy official
• Train members of the workforce on privacy requirements
• Safeguard PHI
• Develop sanctions for violations of the privacy policies and procedures
• Establish a means for individuals to complain about privacy violations
73
Individual Protection
• North Carolina resident
• Positive review & raise
• 3 weeks later diagnosed with genetic disorder
• Self-insured employer
• Fired to avoid projected expenses
The Washington Post - December 2, 2000 p. A1
74
HIPAA Security and Privacy Incidents
• California – UC Davis BA & survey
• Washington – Criminal conviction of clinic employee
• California – UC San Diego
• Kentucky – Nursing home records found in street
• Washington DC – Washington Hospital Center patient records and payroll information found behind National Arboretum (Washington Post 6/25/04)
75
• Kaiser Permanente – prospective member saw information from another prospective member's application
• Pennsylvania – women suing Pinnacle Health over use of medical record in commercial for breast cancer awareness
76
Security of Information
Drug company inadvertently revealed 600 patient e-mail addresses used to remind patients to take their Prozac. At the end of the reminder service the list was sent to all participants.
The Washington Post - July 4, 2001 p. E1
77
Marketing
Medical marketing service advertised a database available to pharmaceutical marketers:
• 4.3 million people with allergies
• 923,000 people with bladder control problems
See www.mmslists.com
78
Researchers
Office of protection from research risks suspends more than 1,000 studies
• Failure to gain patient consent of research subjects
• Failure to safeguard data
The Washington Post - January 12, 2000 p. B7
79
Health Privacy Project
Institute For Health Care Research and Policy
Georgetown University
www.healthprivacy.org
80
Questions & Answers
81
Security Standards
Compliance Date: April 20, 2005 (except small health plans – 2006)
(Page 8376)
82
Security Standards
Proposed: August 12, 1998
Published: February 20, 2003
Volume 68, No. 34, pp 8334 - 8381
Effective Date: April 21, 2003
Document can be located at: www.cms.hhs.gov/hipaa/hipaa2
83
Scope
• All electronic PHI (ePHI)
• In motion AND at rest (created, received, maintained or transmitted)
• To ensure confidentiality, integrity, and availability
• To protect against reasonably anticipated threats or hazards, and improper use or disclosure
(Page 8376)
84
Definitions
Confidentiality: Only the right people see it
Integrity: Only the right people change it
Availability: Accessible and usable upon demand
Reasonably: Your guess is as good as mine!
85
Who must comply?
A Covered Entity (same definition as T&Cs & Privacy):
• A health plan
• A health care clearinghouse
• A health care provider*
*who transmits ePHI in a format covered by the EDI component of HIPAA
(Page 8374)
86
Security vs. Privacy
Closely linked
Security enables Privacy
Security scope – addresses electronic PHI
Privacy scope – addresses electronic, paper and oral PHI
87
Security Threats
Active, evolving, never static
Goal: Controlling threats, by reasonable measures
• People oriented: hackers, viruses, insiders, disgruntled persons
• Must be actively managed by IT professionals
88
Standards
• Standards are general requirements
• Permits standards to be interpreted and implemented appropriately, from the smallest provider to the largest plan
• Administrative, physical and technical standards (APT)
• Technology neutral
• Two overarching standards (APT): policies and procedures, documentation
89
Policies and Procedures
Corporate Information Security Policy 1.0.0, with subordinate policies:
• 2.0.0 Record Processing
• 3.0.0 User Security
• 4.0.0 Incident Handling
• 5.0.0 Physical Safeguards for Information Assets
• 6.0.0 Contingency Planning
• 7.0.0 Information Security Administration
• 8.0.0 Technical Security Management
• 9.0.0 Bio-Med Info Asset Control
(See handout)
90
Implementation Specifications
Are more specific measures that pertain to a standard (Page 8380)
• Required (R) – Covered entity MUST implement the specification in order to successfully implement the standard
• Addressable (A) – Covered entity must:
  - Consider the specification, and implement if appropriate
  - If not appropriate, document the reason why not, and what WAS done in its place to implement the standard
91
Safeguards: Administrative, Physical, Technical
92
Administrative Safeguards (45 CFR 164.308)
Security Management Process - 164.308(a)(1)
• Risk Analysis (R)
• Risk Management (R)
• Sanction Policy (R)
• Information System Activity Review (R)
Assigned Security Responsibility - 164.308(a)(2) (R)
Workforce Security - 164.308(a)(3)
• Authorization and/or Supervision (A)
• Workforce Clearance Procedure (A)
• Termination Procedures (A)
(Page 8377-8378)
93
Administrative Safeguards, cont.
Information Access Management - 164.308(a)(4)
• Isolating Health Care Clearinghouse Function (R)
• Access Authorization (A)
• Access Establishment and Modification (A)
Security Awareness and Training - 164.308(a)(5)
• Security Reminders (A)
• Protection from Malicious Software (A)
• Log-In Monitoring (A)
• Password Management (A)
94
Security Standards Training
Awareness training for all employees & staff:
• Vulnerabilities of the health information in the entity's possession
• Policies/procedures that must be followed to ensure the protection of that information
• Periodic security reminders
• Education concerning computer viruses
• Education in login procedures and password management
95
Administrative Safeguards, cont.
Security Incident Procedures - 164.308(a)(6)
• Response and Reporting (R)
Contingency Plan - 164.308(a)(7)
• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Mode Operation Plan (R)
• Testing and Revision Procedure (A)
• Application and Data Criticality Analysis (A)
Evaluation - 164.308(a)(8) (R)
Business Associate Contracts and Other Arrangements - 164.308(b)(1)
• Written Contract or Other Arrangement (R)
96
Physical Safeguards45 CFR 164.310
Facility Access Controls - 164.310(a)(1)
• Contingency Operations (A)
• Facility Security Plan (A)
• Access Control and Validation Procedures (A)
• Maintenance Records (A)
(Page 8378)
97
Physical Safeguards, cont.
Workstation Use - 164.310(b) (R)
Workstation Security – 164.310(c) (R)
98
Physical Safeguards, cont.
Device and Media Controls - 164.310(d)(1)
• Disposal (R)
• Media Re-Use (R)
• Accountability (A)
• Data Backup and Storage (A)
99
Technical Safeguards45 CFR 164.312
Access Controls - 164.312(a)(1)
• Unique User Identification (R)
• Emergency Access Procedure (R)
• Automatic Logoff (A)
• Encryption and Decryption (A)
Audit Controls - 164.312(b) (R)
Integrity - 164.312(c)(1)
• Mechanism to Authenticate Electronic Protected Health Information (A)
100
Technical Safeguards, cont.
Person or Entity Authentication - 164.312(d) (R)
Transmission Security - 164.312(e)(1)
• Integrity Controls (A)
• Encryption (A)
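The Technical Safeguards slides list the controls but not what one looks like in code. The following is an added example, not from the HCCA slides or from any regulation text: a hypothetical in-memory ePHI store (the class name EphiStore, its methods, the user ids and the key are all my own assumptions) that implements a "mechanism to authenticate ePHI" (164.312(c)(1)) as an HMAC-SHA256 tag over each record, and "audit controls" (164.312(b)) as an append-only log keyed by the unique user identification (164.312(a)(1)) of whoever read or wrote the record. The scenario in demo() shows a change made outside the application being caught on the next read.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


class EphiStore:
    """Hypothetical in-memory ePHI store (added example, not from the slides).

    Integrity (164.312(c)(1)): each record is stored with an HMAC-SHA256 tag
    computed under a key only the application holds, and bound to the record
    id so a valid tag cannot be moved from one record to another.
    Audit controls (164.312(b)): every read and write is logged with the
    unique user id (164.312(a)(1)) and the outcome, including tag failures.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._records = {}   # record_id -> (payload bytes, tag bytes)
        self.audit_log = []  # append-only list of event dicts

    def _tag(self, record_id: str, payload: bytes) -> bytes:
        msg = record_id.encode() + b"\x00" + payload
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _audit(self, user_id: str, action: str, record_id: str, outcome: str) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "record": record_id,
            "outcome": outcome,
        })

    def write(self, user_id: str, record_id: str, record: dict) -> None:
        payload = json.dumps(record, sort_keys=True).encode()  # canonical form
        self._records[record_id] = (payload, self._tag(record_id, payload))
        self._audit(user_id, "write", record_id, "ok")

    def read(self, user_id: str, record_id: str) -> dict:
        payload, tag = self._records[record_id]
        # compare_digest avoids timing differences that leak tag bytes
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._audit(user_id, "read", record_id, "integrity-failure")
            raise ValueError(f"record {record_id} failed integrity check")
        self._audit(user_id, "read", record_id, "ok")
        return json.loads(payload)

    def simulate_out_of_band_edit(self, record_id: str, new_payload: bytes) -> None:
        """Stand-in for a change that bypasses the application (a direct edit
        of the backing file or table); the stored tag is left untouched."""
        _, tag = self._records[record_id]
        self._records[record_id] = (new_payload, tag)


def demo() -> list:
    """Run the scenario and return the audit log for inspection."""
    # Constructed key for the example; a real one comes from a KMS or os.urandom.
    store = EphiStore(b"\x01" * 32)
    store.write("nurse.rn01", "rec-1001", {"npi": "1234567893", "dx": "asthma"})
    store.read("dr.md07", "rec-1001")
    store.simulate_out_of_band_edit(
        "rec-1001", b'{"dx": "no diagnosis", "npi": "1234567893"}'
    )
    try:
        store.read("dr.md07", "rec-1001")
    except ValueError:
        pass  # the failure is already in the audit log
    return store.audit_log


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Two design points matter here. The tag is bound to the record id, so an attacker who can copy rows cannot swap a legitimately tagged record into another patient's slot; and the audit entry is written before the exception is raised, so the "integrity-failure" outcome is recorded even if the caller swallows the error. Neither control substitutes for the encryption specifications on the same slides: an HMAC detects tampering, it does not hide the ePHI.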
101
Bottom Line…
• Consideration MUST be given to implementing all standards
• Using a combination of required and addressable implementation specifications and other security measures
• Need to document choices
• This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks
102
Other Laws (State/Federal)
State privacy laws have security implications:
CA SB1386 – requires notification of individuals if information contained in an electronic format MAY have been breached UNLESS the data is encrypted.
Sarbanes/Oxley (SOX)
103
Real Life Issues
• Ongoing training and monitoring
• Business Associates
• Physicians and Physician Staff
Keeping up with both privacy and security rules and laws
Keeping in compliance without shutting down operations
104
Recent Breaches
• "UC hacking may have gotten data on 600,000; security breach not reported for weeks" – Mercury News, posted Thu, Oct. 21, 2004
• "Hacker breaches T-Mobile systems, reads US Secret Service email" – Kelly Martin, SecurityFocus, published Wednesday 12th January 2005 09:47 GMT
• "Company Warns Customers About Possible Identity Theft: Identity Thieves Reportedly Steal Computers Filled With Customer Information" – posted 8:16 am CDT April 8, 2004
• "8 Million Credit Accounts Exposed; FBI to Investigate Hacking of Database" – Jonathan Krim, Washington Post Staff Writer, Wednesday, February 19, 2003; Page E01
• "Credit agency reports security breach" – news story by Carly Suppa, March 17, 2004
• "Oops! Firm accidentally eBays customer database" – John Leyden, published Monday 7th June 2004 20:51 GMT
105
Questions & Answers
106
Contact Information
• Marti Arvin, JD, CHC, Privacy Officer, University of Louisville, Phone (502) 852-3803, e-mail [email protected]
• Connie Emery, CPA, CIA, CISA, CISSP, CIPP, Information Privacy/Security Officer, Tenet HealthSystem, Phone (469) 893-6709, e-mail [email protected]
• John C. Falcetano, MA, CHC, CIA, Chief Audit & Compliance Officer, University Health Systems of Eastern Carolina, Phone (252) 847-0125, e-mail [email protected]