Privacy and Security of PHI In The Era of Meaningful Use
Alison Nicklas, MJ, RHIA, CCS
Director HIM, Privacy Officer
St. Francis Hospital and Medical Center

Objectives
• Understand our role in protecting the privacy of our patient’s information and ensuring the security of the systems
• Identify the key standard to mitigate a breach
• Understand the role of Meaningful Use in increased breach reports
• Understand the legal and financial repercussions of a breach to both the patient and the covered entity

Agenda
• HIPAA Privacy – 2003
• HIPAA Security – 2005
• HITECH Privacy and Security – 2009
• Meaningful Use
• Sample Cases – 2013
• Reported Breaches – Legal Outcomes

HIPAA Privacy - 2003
• 1996 – Health Insurance Portability and Accountability Act (HIPAA)
  – HIPAA Privacy and Security outlined
    • Provided guidance to the Institute of Medicine’s goal for a paperless record by 2001
  – 2003 – HIPAA Privacy in effect
    • Covers the information
    • Any format – paper, film/fiche, electronic, oral
    • Compliance date: 4/14/2003

HIPAA Privacy - 2003
• Key Documents
  – The Code of Federal Regulations (C.F.R.)
    • 45 C.F.R. Parts 1 to 199 – revised October 1, 2007
• Key Definitions
  – Covered Entity: “health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form”

HIPAA Privacy - 2003
• Key Definitions (Continued)
  – Health Care Clearinghouse: “entity that processes or facilitates the processing of health information received from another entity” or that “processes or facilitates the processing of health information for a receiving entity”
  – Business Associate: “performs a function or activity involving the use or disclosure of individually identifiable health information” for a covered entity.

HIPAA Privacy - 2003
• 45 C.F.R. § 164.502 – Permitted uses and disclosures
  – With and without authorization
  – Minimum necessary “to accomplish the intended purpose of the use, disclosure, or request”
• No need for patient authorization to release for “treatment, payment, or healthcare operations”

HIPAA Privacy - 2003
• Accounting of Disclosures
  – Six years prior (if paper record)
  – Three years prior (if electronic record)
  – Exceptions:
    • Incidental to a permitted disclosure
    • Based on valid authorization
    • National security reasons
    • Correctional facilities or law enforcement
    • Limited data set requirements and
    • For now… “treatment, payment, or healthcare operations”

HIPAA Privacy - 2003
• Included in an Accounting:
  – The date of the disclosure
  – The name of the entity or person who received the PHI
  – The addresses of such entity or person (if known)
  – Brief description of the PHI
  – Brief statement of the purpose of the disclosure
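The accounting rules on the two slides above (the look-back window by record type, the exception list, and the five required fields) carried into a small Python helper. This is an added illustration, not code from the presentation or from St. Francis Hospital; the field names, the `include_tpo` switch for the “for now” TPO exemption, and the disclosure log are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# Purposes the slide lists as exceptions to an accounting.
EXEMPT_PURPOSES = frozenset({
    "incidental",        # incidental to a permitted disclosure
    "authorization",     # made under a valid patient authorization
    "national security",
    "correctional",      # correctional facility or law enforcement
    "law enforcement",
    "limited data set",
})
# Treatment, payment and healthcare operations are exempt "for now";
# kept separate so that exemption can be switched off without a rewrite.
TPO_PURPOSES = frozenset({"treatment", "payment", "healthcare operations"})

# Look-back window by record type, as stated on the slide.
LOOKBACK_YEARS = {"paper": 6, "electronic": 3}


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str                           # entity or person who received the PHI
    purpose: str
    phi_description: str                     # brief description of the PHI
    recipient_address: Optional[str] = None  # recorded only "if known"


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def is_accountable(disc: Disclosure, include_tpo: bool = False) -> bool:
    """True when the disclosure must appear in the patient's accounting."""
    purpose = disc.purpose.strip().lower()
    if purpose in EXEMPT_PURPOSES:
        return False
    if purpose in TPO_PURPOSES and not include_tpo:
        return False
    return True


def validate(disc: Disclosure) -> None:
    """Reject entries missing a field the accounting must contain."""
    for field_name in ("recipient", "purpose", "phi_description"):
        if not getattr(disc, field_name).strip():
            raise ValueError(f"disclosure on {disc.disclosed_on} lacks {field_name!r}")


def build_accounting(disclosures: Iterable[Disclosure], record_type: str,
                     as_of: date, include_tpo: bool = False) -> List[dict]:
    """Chronological accounting for the look-back window ending at `as_of`."""
    if record_type not in LOOKBACK_YEARS:
        raise ValueError(f"unknown record type {record_type!r}")
    window_start = years_before(as_of, LOOKBACK_YEARS[record_type])
    entries = []
    for disc in sorted(disclosures, key=lambda d: d.disclosed_on):
        if not (window_start <= disc.disclosed_on <= as_of):
            continue
        if not is_accountable(disc, include_tpo):
            continue
        validate(disc)
        entry = {"date": disc.disclosed_on.isoformat(), "recipient": disc.recipient,
                 "description": disc.phi_description, "purpose": disc.purpose}
        if disc.recipient_address:           # address only when known
            entry["address"] = disc.recipient_address
        entries.append(entry)
    return entries


# Constructed, fictional disclosure log for one patient; request dated 2014-03-01.
AS_OF = date(2014, 3, 1)
SAMPLE_LOG = [
    Disclosure(date(2013, 6, 10), "County Public Health Dept.", "public health",
               "Lab result for reportable condition", "100 Main St, Anytown"),
    Disclosure(date(2012, 1, 5), "Dr. Example, treating physician", "treatment",
               "Discharge summary"),
    Disclosure(date(2011, 2, 14), "University Research Registry", "research",
               "Full record with identifiers"),
    Disclosure(date(2013, 9, 30), "Patient's attorney", "authorization",
               "Complete record, per signed authorization", "200 Court St, Anytown"),
    Disclosure(date(2009, 4, 1), "State Vital Statistics Office", "public health",
               "Birth record data"),
]


def sample_accounting(record_type: str, include_tpo: bool = False) -> List[dict]:
    """Accounting for the constructed log under the chosen record type."""
    return build_accounting(SAMPLE_LOG, record_type, AS_OF, include_tpo)
```

For the same log, the electronic record yields one accountable disclosure while the paper record yields three, because the research disclosure and the 2009 public-health report fall inside the six-year window only.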

HIPAA Security 2005
• 1996 – Health Insurance Portability and Accountability Act (HIPAA)
  – HIPAA Privacy and Security outlined
    • Provided guidance to the Institute of Medicine’s goal for a paperless record by 2001
  – 2005 – HIPAA Security in effect
    • Electronic information “created, received, retained, or transmitted by the covered entity”
    • Effective April 20, 2005

HIPAA Security 2005
• Specific Security Safeguards
  – “Required” – the covered entity MUST implement as written
  – “Addressable” – the covered entity has the OPTION to implement as written or to assess whether doing so is reasonable
    • If not deemed “reasonable” – MUST
      – Implement an alternate “equivalent” specification AND
      – Document why the stated specification was deemed not to be reasonable

HIPAA Security 2005
• Four REQUIRED implementation specifications
  – Security Risk Assessment:
    • Identify any risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
    • Implement policies and procedures to mitigate identified risks and vulnerabilities
    • Focus on those with a “reasonable anticipation of threat”

HIPAA Security 2005
  – Assess current security measures
    • Technical: Access controls – firewalls, audit controls, and encryption
    • Non-Technical: Policies and procedures, standards and guidelines
  – Evaluate the potential impact of threat
    • Risk for that threat (human/environmental threats)
  – Identify security measures to mitigate risk

HITECH - 2009
• ARRA: American Recovery and Reinvestment Act – includes:
  • HITECH: Health Information Technology for Economic and Clinical Health (HITECH)

HITECH - 2009
• HITECH Act includes:
  – Improved guidance for the Security Rule
  – Increased penalties for a breach
• Technical Safeguards include:
  – Encryption (Note – this is only an addressable standard – not required)
    • Defined: making ePHI “unusable, unreadable, or indecipherable”
  – Destruction (applies to unsecured data such as paper, film, fiche…)

HITECH - 2009
• Encryption: Addressable
  – Firewall may be an alternative – “reasonable and appropriate safeguard”
• RISK: Breach of the firewall considered a reportable incident to the Office of Civil Rights as the information was not made “unusable, unreadable, or indecipherable”

HITECH - 2009
• New Penalties
  – Prior to HITECH – no monetary penalty if the covered entity “did not know or could not have reasonably known of the breach”
  – HITECH:
    • Minimum $100 – $50,000
      – Did Not Know: $100 – $50,000
      – Reasonable Cause: $1,000 – $50,000
      – Willful Neglect – Corrected: $10,000 – $50,000
      – Willful Neglect – Not Corrected: $50,000
    • Maximum $1,500,000

Meaningful Use
• HITECH – Meaningful Use
  – “Voluntary”
  – Failure results in penalties
    • 1% Medicare payment reduction in 2015
    • 2% Medicare payment reduction in 2016
    • 3% Medicare payment reduction 2017 +

Meaningful Use
• Defined: Using certified electronic health record (EHR) technology to:
  – Improve quality, safety, efficiency, and reduce health disparities
  – Engage patients and family
  – Improve care coordination, and population and public health
  – Maintain privacy and security of patient health information

Meaningful Use
• Objectives: meaningful use compliance will result in:
  – Better clinical outcomes
  – Improved population health outcomes
  – Increased transparency and efficiency
  – Empowered individuals
  – More robust research data on health systems

Meaningful Use
• Eligible Hospitals and Critical Access Hospitals
  – Can apply for Medicare AND Medicaid financial incentives
• Eligible Professionals
  – Can apply for Medicare OR Medicaid financial incentives

Meaningful Use
• Eligible Hospital – Medicare Incentive
  – Start value: $2,000,000
  – Add
    • $200 per discharged patient (no payment for first 1,150) to a maximum of 23,000 patients
  – Multiplied by both:
    • Medicare Share – Based on number of inpatient Part A bed days + number of inpatient Part C days x (total charges – charges related to charity care)
    • Transition Factor – Based on the year the hospital first attests to Meaningful Use

Meaningful Use
• Certified technology must be used
• Meet Core and Menu Set Objectives
  – INCLUDES PRIVACY AND SECURITY OF DATA
• Electronic Data Security
  – Encryption – only an “addressable” standard
  – Firewalls – “reasonable and appropriate” but FAILS to meet “breach” standards

Outcome of “Voluntary” EHR
• HHS Secretary – Kathleen Sebelius
  – May 22, 2013:
  – “Doctors and hospitals’ use of health IT more than doubled since 2012”
• Data from the Office of Civil Rights has demonstrated that more than 29,000,000 patient records have been breached since 2009 (only includes breaches of 500 or more!)

Sample Cases - 2013
• Advocate Medical Group
  – Largest Chicago physician group – more than 1,000 doctors, 200 locations
  – Administrative building broken into
  – 4 unencrypted personal computers stolen July 15, 2013
  – Over 4 million patient records stored – 2nd largest ever reported to HHS

Sample Cases - 2013
  – Only password protected – a “first line of defense” – it is NOT encryption
  – Data:
    • SSN, DOB, patient names, addresses
  – NOT the FIRST breach reported by Advocate
    • 2009 – employee reported theft of a personal laptop with 812 patient records – unencrypted

Sample Cases - 2013
• AHMC Healthcare
  – Administrative Office Break-in
  – Two password protected laptops stolen October 12, 2013
    • SSN, name, MCR/Ins. ID number, dx/proc codes, Ins./Patient payments
  – 729,000 Patient Records
  – Will now expedite the encryption policy for laptops

Sample Cases - 2013
• Horizon Blue Cross and Blue Shield of NJ
  – Headquarters Break-in
  – Two password protected and cable-locked laptops stolen November 4, 2013
    • Data: SSN, Names, Addresses, DOB, Clinical Information
  – 840,000 Patient Records
  – Plan: Review staff education, policies and encryption
  – Not the first breach – 2008 lost laptop with 300,000 individuals notified

Sample Cases - 2013
• 5.5 million patient records included in just 3 breach reports for 2013
• All included SSNs and patient names
• All involved unencrypted devices – even with two organizations already having had similar breach reports in the past
• Since 2009 – 29,000,000 patient records have been compromised through breaches

Breach Outcomes
• Lawsuits
  – HIPAA “Breach” not a cause of action for individuals
  – March 8, 2013 – Polanco v. Omnicell
    • Laptop stolen from employee vehicle
    • Not encrypted
    • Vendor managed medications for several healthcare organizations
    • Mother of patient sued – “Omnicell violated her privacy” – information included her insurance

Breach Outcomes
• Polanco v. Omnicell
  – Omnicell had policies requiring encryption – but employee only had password protection security
  – Case dismissed: Polanco “failed to demonstrate an injury”
    • Loss of confidence of patients
    • Cost of defending lawsuit
    • Failure to REQUIRE encryption as a security measure

Breach Outcomes
• Historically
  – Individuals cannot file suit under HIPAA Privacy and Security – no “private right of action”
  – HHS – can directly enforce and impose penalties (maximum of $1.5 million)
  – Penalties – paid to HHS – NOT TO PATIENT(s)

Breach Outcomes
• Recent Case – May Set Precedent
  – Curry v. AvMed
    • AvMed (Health Plan): Two unencrypted laptops stolen December 2009 from a locked conference room
    • 1.2 million patient records compromised
    • Juana Curry and William Moore – victims of identity theft

Breach Outcomes
• Curry v. AvMed
  – Lawsuit:
    • AvMed failed to “adequately secure and encrypt the laptops” and it was “negligent and failed to discharge its obligation to protect sensitive personal information of its customers”
  – Dismissed in July 2011 – “with prejudice”
  – Appealed in August 2011

Breach Outcomes
• Curry v. AvMed
  – Affirmed Dismissals of:
    • “Negligence per se” and
    • “Breach of implied covenant of good faith and fair dealing”

Breach Outcomes
  – Reversed Dismissals of remaining 5 counts:
    • Negligence, Breach of Contract, Breach of Implied Contract, Breach of Fiduciary Duty, and Restitution/Unjust Enrichment
    • Negligence: Failure to encrypt
    • Unjust enrichment: AvMed received remuneration for the purpose of securing PHI
  – Meet and Confer: Reviewed allegations and engaged in preliminary settlement discussions – resolved through private mediation

Breach Outcomes
• AvMed:
  – Denies any wrongdoing or liability
  – Each and all claims
  – Concluded further defense would be “risky, burdensome, and expensive”
  – Agreed to terms and conditions of settlement

Breach Outcomes
• Plaintiffs
  – Believe claims asserted have merit
  – Recognize and acknowledge risk of delays and that they might not prevail
  – Concluded that the terms and conditions are fair and reasonable

Breach Outcomes
• Settlement
  – Identity Theft Settlement
    • Submitted timely, actual, documented, unreimbursed losses accompanied by proof
  – Premium Overpayment Claim
    • Submitted timely, number of years for which the Defendant was paid for insurance premiums
    • Maximum of $30 per person
    • $3,000,000 minimum payment to be covered by AvMed (Additional for Identity Theft Coverage)

Breach Outcomes
• Advocate – July, 2013 Breach
  – 3 Class Action Lawsuits filed
  – Compromise of over 4,000,000 patient records
    • Compare with AvMed of 1,200,000 patient records – $3,000,000 minimum cost

Identity Theft v. Medical Identity Theft
• January 2014 Survey
  – Medical-related identity theft accounted for 43% of all identity thefts reported in 2013
    • Far greater than Banking and Finance, Government and Military, or Education
  – U.S. Dept. of Health and Human Services
    • Medical Records of between 27.8 and 67.7 million people have been breached since 2009

Identity Theft v. Medical Identity Theft
• Medical Identity Theft
  – “The fraudulent acquisition of someone’s personal information – name, SSN, Health Insurance Number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.”

Identity Theft v. Medical Identity Theft
• Medical Identity Theft
  – Victims
    • Little to no recourse for recovery
    • Financial repercussions
    • Erroneous information added to personal medical files

Identity Theft v. Medical Identity Theft
• Edward Snowden, the former National Security Agency contractor who has disclosed the agency’s activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.

Use of Medical Information
• Psychiatrist in MA: False diagnoses – submit medical insurance claims for psychiatric sessions that never occurred
• Identity Thief in MO: False Driver’s License to obtain Medical Records and a prescription belonging to another woman
• Dental Office in OH: Obtain prescription drugs

Use of Medical Information
• Methods Used to Obtain Information
  – Stealing laptops / electronic devices – more than 50% of medical-related breaches
  – Hacking into computer networks (St. Joseph’s Hospital in Texas – 429,000 patient records) – 14% of breaches
  – Gaining unauthorized Access – 20% of breaches
• Lucrative – $10 to $20 for each bit of information

Medical Identity Theft
• Discovery – does not correct the “mischief” done
  – Corrected information may be placed in file BUT difficult to get information removed – fear of medical liability
  – Information from the “thief” gets mixed with the information of the real patient – very difficult to segregate, especially in the electronic environment

Medical Identity Theft
• Can result in patient death
  – Inaccurate medication allergies
  – Inaccurate medication lists – interactions/failure of medications being prescribed
  – Delays in treatment
    • Appendicitis following Appendectomy?

Electronic Health Records
• Compromised by Medical Identity Theft
  – Difficult to make corrections
  – Difficult to address insurance fraud
    • Deductibles
    • Maximum coverage exceeded

Prevention
• ENCRYPT
  – Laptops
  – Personal Computers
  – Portable Electronic Devices
    • iPhones / Smart Phones
    • iPads / Notepads
  – Use software tracking that allows remote erasing of portable device if stolen

Prevention
• ENCRYPT
  – Financial Impact
    • HHS Fines
    • Credit Monitor Protection
    • Loss of Patients (and their confidence)
    • Loss of Business

Prevention
• ENCRYPT
  – There is no other real option
    • Firewalls do not protect the data
    • Passwords do not protect the data
    • Secure Servers do not protect the data

Prevention
• Personal Steps to Prevent Medical Identity Theft
  – Do not carry your insurance card
  – Beware of “Free” services when required to provide insurance information
  – Request that your health provider ask for your ID
  – Check statement of benefits
  – Request an annual / semiannual summary of benefits – compare with actual visits
  – Check credit reports for unpaid medical bills

Open Discussion
• Who has experienced a breach?
• What steps were taken following that incident?
• Do you think that your organization has secured its PHI?
• Do you think that your patients are confident in the security of their PHI?