The document discusses health care technology and privacy risks and regulations. It outlines how electronic health records and computer networks expose private patient information to risks of data breaches and identity theft. It summarizes the Red Flags Rule, which requires health care providers to develop programs to identify potential identity theft. Finally, it recommends risk reduction strategies and offers risk transfer solutions like technology privacy liability insurance.
Business Medical Identity Theft faq Health Care Health Plan- Mark - Fullbright
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Medical Identity Theft and Its Serious Offshootsmosmedicalreview
Healthcare providers handling patient medical records and attorneys performing medical record review have to ensure that the records are safe from data breach.
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Health care providers have become prime targets of cyber criminals, since they hold a treasure trove of irresistible data, including Social Security numbers and medical records (think access to prescription painkillers). As cyber criminals become more sophisticated, medical practices are more vulnerable than ever.
In this webinar "Data Breach: It Can Happen To You," hosted by the Cooperative of American Physicians, Inc. (CAP), viewers will learn:
+ What a data breach is
+ Its economic impact
+ Why the threat is growing
+ Steps to take to protect yourself
+ The must-dos in the event of a breach
Watch the webinar here —> https://youtu.be/mqdMA-UZNy0
About Our Presenters:
Melvin Osswald, Vice President Program Underwriting, NAS Insurance — Ms. Osswald joined NAS in 2002 and specializes in health care, cyber liability, employment practice, directors and officers coverage. Ms. Osswald currently supports NAS’ reinsurance programs and oversees the underwriting and product development of Billing Errors and Omissions, Cyber Liability, Employment Practices Liability, and Directors and Officers programs created to address the new exposures facing health care providers. She has been featured as a guest speaker at various industry conferences addressing the evolving professional liability risks in health care, and served on the Steering Committee of the Southern California Chapter of the Professional Liability Underwriting Society.
Chris Reese, Vice President, Director of Underwriting, NAS Insurance — As part of NAS’ key management team, Ms. Reese provides insurance solutions for clients in the health care industry. She has held leadership positions on both the underwriting and retail broker sides of the business, and has worked in the London market for a reinsurance intermediary. Ms. Reese has been involved with cyber risk insurance for the health care industry since 2004, providing coverage to physicians, medical groups, and integrated delivery systems.
Medical Identity Theft – Causes, Consequences, and Cures with Jim Quiggle, Di...RightPatient®
Read through our podcast summary with Jim Quiggle with the Coalition Against Insurance Fraud to learn more about the topic of medical identity theft and how it affects patients, providers, and the healthcare industry. The summary covers the causes and repercussions of medical identity theft, including what can be done to prevent it and what steps patients and doctors can take immediately after discovering they have been victimized.
Sampling of training program material for health care fraud, abuse and compliance training for health care providers. Contact Chiropractic Compliance Consultants for more at 913-369-9000, or visit our website at cccpfc.com
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only. - Medical identity theft has existed in various forms for decades, but it was in 2006 that World Privacy Forum published the first major report about the crime. The report called for medical data breach notification laws and more research about medical identity theft and its impacts. Since that time, medical data breach notification laws have been enacted, and other progress has been made, particularly in the quality of consumer complaint datasets gathered around identity theft, including medical forms of the crime. This report uses new data arising from consumer medical identity theft complaint reporting and medical data breach reporting to analyze and document the geography of medical identity theft and its growth patterns. The report also discusses new aspects of consumer harm resulting from the crime that the data has brought to light
The issue of fraud in health care has become a serious problem that every participant in the health delivery system must remain aware of in terms of potential and consequences. Managers in the health care system are tasked with ensuring that their staff members know the various fraud schemes as well as making sure that providers are not committing fraud themselves. A key way to accomplish this task is through education and training for fraud detection and prevention by and of health care stakeholders. The stakeholders in health care include providers, patients, organizations and institutions, the government, and the public. Also included are non-health care entities that may steal patient data for fraudulent claims and billing. Managers, therefore, are strongly advised to seek the services of health care compliance agencies to train staff, including doctors and nurses, on how to detect fraud and prevent fraud themselves. These agencies are also adept at helping to improve billing and payment functions to mitigate the risk of lost revenue through fraud and avoidance of criminal liability for the actions of providers and patients. The well-coordinated efforts of all stakeholders of health care assist in preserving the integrity of the system and make available quality services at reasonable prices for all.
Potential factor of rising health care cost. Presentation will drive around introduction, facts, statistics, tactics and solutions regarding fraud & abuse. I would like to thank Imran Bhai for his suggestions.
How to Protect Your Healthcare Facility From Medical Identity TheftThe Identity Advocate
Albany Medical Center was working hard to take care of its patients and bring a higher level of healthcare to the community. According to most patients, the facility was doing a good job of it. Unfortunately, the medical center’s reputation was recently damaged when one of its own nurses was caught stealing patient identities. With the help of her boyfriend, a nurse stole over 50 patient identities and applied for hundreds of credit cards in their names. The two identity thieves were eventually caught red-handed with a collection of patients’ names, home addresses, Social Security numbers, credit cards, and gift cards.
Sadly, this is just one of numerous cases in which nurses swiped patient identities for personal financial gain. As a medical facility or administrator, it’s your duty to protect your patients from identity theft. After all, more importantly than harming your reputation as a trusted healthcare provider, medical identity theft puts your patients’ lives at risk. Here’s how to safeguard your facility.
This white paper discusses the various cyber threats targeting healthcare organizations and the challenges security professionals face in securing access to protected health information.
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxkarlhennesey
Capstone Project
Yaima Ortiz
IDS-4934
March 1st, 2020
Abstract
Topic:
Privacy- What medical information should be confidential? Who, if anybody, should have access to medical records?
Thesis Statement
In healthcare centers and overall, privacy is the right of every US citizen and should be protected in all its forms by the healthcare organization.
Rationale
1. The purpose of this paper is to identify why security measures are necessary to protect one’s privacy in the medical industry.
2. There are numerous laws, policies and healthcare organizational rules and regulations and statistics that would be helpful for conducting this research.
3. Privacy of a person, whether this is me or you, is more important than everything. I want to talk on this topic because I think most of us do not know what is happening to us.
4. I have selected textual analysis of books and available internet sources. The reason for this limited research methodology is that I cannot perform a field study because of a shortage of time.
Rough Draft Ideas
Identity theft in the healthcare industry has become a common practice and leads to information leakage that may destroy someone’s life. We can eliminate this human rights violation by enforcing effective and practical laws. Healthcare organizations should understand their responsibilities and tighten security to protect the information of patients.
Table of Contents
Introduction
Overview of Privacy Protections with Respect to Medical Records
Data Breaches in the Healthcare Industry
Healthcare is the biggest Target for Cyber Attack
Penalties and Punishments for Hacking Personal Information
Penalties
Devastating Consequences of Healthcare Data Breaches
Conclusion
Recommendations
Bibliography
Introduction
While operating, healthcare organizations need to gather patients’ information, most of which is personal. It is the moral and legal responsibility of health care organizations to protect the information of their patients and not share it with people outside of the organization without the patient’s consent. Protecting patients’ information is a crucial element of respect and essential for patients' autonomy and trust in the organization — the US healthcare industry is currently facing patient mistrust that is caused by a lack of trust. When patients experience a lack of confidence, they do not share their information with a healthcare professional, which causes ineffective treatment. In a 2018 study, Levy, Scherer, Zikmund-Fisher, Larkin, Barnes, & Fagerlin concluded that approximately 81.1% of people withheld medically relevant information from their health-care providers. Patients who fail to disclose medically relevant information to their clinicians undermine their health and cause patient harm (Levy, 2018).
There are numerous components of patient privacy in healthcare that are personal space, religious and cultural affiliations, physical privacy ...
A slide show that I compiled for my post master's certificate program, through Northcentral University, in Business Administration, with a specialization on Advanced Accounting. This is assignment 5 Consumer Fraud Prevention.
Page 1 Executive Summary Policy makers are looking.docxsmile790243
Executive Summary
Policy makers are looking carefully at the best ways to improve our healthcare system with much
emphasis being placed on the need for electronic health records for every American. This effort also
includes creating an infrastructure to allow the exchange of these records at the regional, state and
national levels. With the passing of the American Recovery and Reinvestment Act of 2009 (ARRA), the
federal government is poised to invest over $19 billion in healthcare information technology (HITECH
Act).1 This investment will provide significant incentives for healthcare providers to implement electronic
medical record (EMR) systems over the next five years. This action has the potential to dramatically
change the landscape of modern medicine and is generally seen as a tremendous step forward; however,
we must ensure that this course achieves the ultimate goals of this initiative.
If we are to improve healthcare information management, we must start with the accurate identification of
each person receiving or providing healthcare services, and anyone accessing or using this information.
As we move away from paper-based medical records that are controlled by physical access to buildings,
rooms, and files, we need to have an infrastructure that supports strong identity and security controls.
The issues with establishing identity are compounded as electronic medical records are used by many
different organizations at the regional, state, and national levels. There must be a way to uniquely and
securely authenticate each person across the healthcare infrastructure, whether that interaction is in
person or over the Internet.
Until now, there has been a slow and uncoordinated transition toward electronic medical records. There
are a myriad of systems on the market today, each with its own methods for handling patient and record
identification and each with varying levels of security and privacy controls. Many systems rely on simple
usernames and passwords to identify and control access. Far fewer implement strong multi-factor
authentication (such as smart cards). It is critical that a set of standards be established for identifying the
patient, the medical provider, and all others handling electronic records so that information across
different locations can be shared easily and securely and so that patient privacy is maintained. Accurate
identification and authentication seem like capabilities that should already exist in healthcare; however,
identification and authentication are currently uncontrolled and not standardized among medical systems,
locations, and organizations within the healthcare community.
This paper introduces the current challenges and explains why identity management in healthcare is an
essential and foundational element that must be made a priority by policy makers in order to achieve the
goals of widespread use of electronic health records to support t.
The Financial Impact Of Medical Identity Fraud On Patients: A Guide By Healt...Health 2Conf
This presentation by the Health 2.0 Conference reviews the financial loss patients face due to medical identity fraud. Not only that, but the presentation also provides seamless methods you can opt to fight other scams and spam prevalent in the industry.
HEALTH CARE TECHNOLOGY AND PRIVACY
By Scott Fikes, Vice President at InLight Risk Management, LLC
Today, physicians and healthcare organizations rely on electronic data, computers and networks to support
their operations. Health Care Technology and Privacy provides a summary of the exposures, regulations
and recommendations to assist health care providers in managing this risk.
EXPOSURE
Do you store data, including private information on computers; use e-mail; process patient payments;
access, upload or download patient health records? If so, then you are at risk. Is your medical billing
outsourced? Do your physicians or staff access records on a laptop at home or away from the office?
The following is a sample of privacy and security breaches in the health care industry:
• A major online health product vendor inadvertently revealed detailed information – including bank
account and credit card information – of thousands of customers on its web site.
• University researchers accidentally revealed the names of deceased organ donors to 410 patients
who received kidneys from the deceased donors.
• A hacker downloaded medical records, health information, and social security numbers of more than
5,000 patients at a major university.
• A West Coast managed care organization mistakenly sent email responses to the wrong recipients,
exposing sensitive patient information.
• A patient sued a major East Coast hospital when an email error revealed his HIV-positive status to
his coworkers.
• A Fortune 1000 pharmaceutical firm inadvertently revealed over 600 patient email addresses when it
sent a collective message to every individual registered to receive reminders about taking a certain
medication.
Insider attacks are also a worry.
Tenet Healthcare, which owns more than 50 hospitals in twelve states, disclosed a security breach involving
a former billing center employee in Texas who pled guilty to stealing patient personal information. He got
nine months in jail.
In an identity fraud case in Sarasota, Fla. last month, an office cleaner who gained access to the patient files
of an anesthesiologist who rented an office pled guilty to fraud for ordering credit cards on the Internet with
stolen patient personal information. He got two years jail time.
Lost and stolen laptops have also been a problem, with disclosure of missing personal information related to
patients or employees at Duluth, Minn.-based Memorial Blood Center; Mountain View, Calif.-based Health
Net; Sutter Lakeside Hospital at Lakeside, Calif.; and the West Penn Allegheny Health System revealed just
within three months of each other.
The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New
Requirements for Fighting Identity Theft
by Steven Toporoff, attorney with the FTC’s Division of Privacy & Identity Protection.
As many as nine million Americans have their identities stolen each year. The crime takes many forms. But
when identity theft involves health care, the consequences can be particularly severe.
Medical identity theft happens when a person seeks health care using someone else’s name or insurance
information. A survey conducted by the Federal Trade Commission (FTC) found that close to 5% of identity
theft victims have experienced some form of medical identity theft. Victims may find their benefits exhausted
or face potentially life-threatening consequences due to inaccuracies in their medical records. The cost to
health care providers — left with unpaid bills racked up by scam artists — can be staggering, too.
The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and
organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a
written program to spot the warning signs — or “red flags” — of identity theft.
Does the Red Flags Rule cover your practice? If so, have you developed your Identity Theft Prevention
Program to detect, prevent, and minimize the damage that could result from identity theft?
WHO MUST COMPLY
Every health care organization and practice must review its billing and payment procedures to determine if
the Red Flags Rule covers it. Whether the law applies to you isn’t based on your status as a health care
provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and
“covered account.”
Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your
practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to
include any entity that regularly defers payments for goods or services or arranges for the extension of
credit. For example, you are a creditor if you regularly bill patients after the completion of services, including
for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who
regularly allow patients to set up payment plans after services have been rendered are creditors under the
Rule. Health care providers are also considered creditors if they help patients get credit from other sources
— for example, if they distribute and process applications for credit accounts tailored to the health care
industry.
On the other hand, health care providers who require payment before or at the time of service are not
creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar
programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit
cards as a form of payment at the time of service does not make you a creditor under the Rule.
The second key term — “covered account” — is defined as a consumer account that allows multiple
payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The
accounts you open and maintain for your patients are generally “covered accounts” under the law. If your
organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft
Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.
SPOTTING RED FLAGS
The Red Flags Rule gives health care providers flexibility to implement a program that best suits the
operation of their organization or practice, as long as it conforms to the Rule’s requirements. Your office may
already have a fraud prevention or security program in place that you can use as a starting point.
If youʼre covered by the Rule, your program must:
1. Identify the kinds of red flags that are relevant to your practice;
2. Explain your process for detecting them;
3. Describe how youʼll respond to red flags to prevent and mitigate identity theft; and
4. Spell out how youʼll keep your program current.
What red flags signal identity theft? Thereʼs no standard checklist. Supplement A to the Red Flags Rule —
available at ftc.gov/redflagsrule — sets out some examples, but here are a few warning signs that may be
relevant to health care providers:
• Suspicious documents. Has a new patient given you identification documents that look altered or
forged? Is the photograph or physical description on the ID inconsistent with what the patient looks
like? Did the patient give you other documentation inconsistent with what he or she has told you —
for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere?
Under the Red Flags Rule, you may need to ask for additional information from that patient.
• Suspicious personally identifying information. If a patient gives you information that doesnʼt match
what youʼve learned from other sources, it may be a red flag of identity theft. For example, if the
patient gives you a home address, birth date, or Social Security number that doesnʼt match
information on file or from the insurer, fraud could be afoot.
• Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still
shows up for appointments? Does a patient complain about receiving a bill for a service that he or
she didnʼt get? Is there an inconsistency between a physical examination or medical history
reported by the patient and the treatment records? These questionable activities may be red flags
of identity theft.
• Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting
possible identity theft. Have you received word about identity theft from another source?
Cooperation is key. Heed warnings from others that identity theft may be ongoing.
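As an added illustration (not part of the original guidance or of the Rule), the checks described under "suspicious personally identifying information" and "suspicious activities" could be automated at patient intake along these lines. The record layout, field names, and the threshold of two returned mailings are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Identity:
    address: str
    birth_date: date
    ssn_last4: str  # assumption: only the last four digits are stored

@dataclass
class PatientAccount:
    on_file: Identity
    insurer: Optional[Identity] = None
    returned_mail: List[date] = field(default_factory=list)
    appointments_kept: List[date] = field(default_factory=list)
    disputed_bills: List[str] = field(default_factory=list)

def _norm(text):  # compare addresses ignoring case and punctuation
    return " ".join(text.lower().replace(".", "").replace(",", "").split())

def pii_mismatches(presented, reference, source):
    checks = [("address", _norm(presented.address), _norm(reference.address)),
              ("birth date", presented.birth_date, reference.birth_date),
              ("SSN", presented.ssn_last4, reference.ssn_last4)]
    return [f"{name} differs from {source}" for name, got, want in checks if got != want]

def red_flags(presented, acct, mail_threshold=2):
    # Information that does not match what is on file or what the insurer holds.
    flags = pii_mismatches(presented, acct.on_file, "file")
    if acct.insurer is not None:
        flags += pii_mismatches(presented, acct.insurer, "insurer")
    # "Returned repeatedly" is read as mail_threshold or more returns (assumption).
    if len(acct.returned_mail) >= mail_threshold:
        first_return = min(acct.returned_mail)
        if any(visit > first_return for visit in acct.appointments_kept):
            flags.append("mail returned repeatedly but patient keeps appointments")
    # A patient complaining about a bill for a service he or she did not get.
    flags += [f"patient disputes bill: {b}" for b in acct.disputed_bills]
    return flags

# Constructed sample data, not real patient records.
SAMPLE_ACCOUNT = PatientAccount(
    on_file=Identity("12 Elm St., Tulsa, OK", date(1970, 5, 1), "1234"),
    insurer=Identity("12 Elm St Tulsa OK", date(1970, 5, 1), "1234"),
    returned_mail=[date(2024, 1, 10), date(2024, 2, 12)],
    appointments_kept=[date(2024, 3, 3)],
    disputed_bills=["INV-0001 (constructed)"],
)
SAMPLE_PRESENTED = Identity("99 Oak Ave, Tulsa, OK", date(1970, 5, 1), "9876")
```

A non-empty result is a prompt for staff to ask for additional information, not a finding of fraud.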
SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM
Once youʼve identified the red flags that are relevant to your practice, your program should include the
procedures youʼve put in place to detect them in your day-to-day operations. Your program also should
describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red
flags of identity theft? For example, if the patient provides a photo ID that appears forged or altered, will you
request additional documentation? If youʼre notified that an identity thief has run up medical bills using
another personʼs information, how will you ensure that the medical records are not commingled and that the
debt is not charged to the victim? Of course, your response will vary depending on the circumstances and
the need to accommodate other legal and ethical obligations — for example, laws and professional
responsibilities regarding the provision of routine medical and emergency care services. Finally, your
program must consider how youʼll keep it current to address new risks and trends.
No matter how good your program looks on paper, the true test is how it works. According to the Red Flags
Rule, your program must be approved by your Board of Directors, or if your organization or practice doesnʼt
have a Board, by a senior employee. The Board or senior employee may oversee the administration of the
program, including approving any important changes, or designate a senior employee to take on these
duties. Your program should include information about training your staff and provide a way for you to
monitor the work of your service providers — for example, those who manage your patient billing or debt
collection operations. The key is to make sure that all members of your staff are familiar with the Rule and
your new compliance procedures.
WHATʼS AT STAKE?
Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to
financial penalties. But even more important, compliance with the Red Flags Rule assures your patients that
youʼre doing your part to fight identity theft.
RISK REDUCTION RECOMMENDATIONS
• Anti-virus:
  • Utilize anti-virus software on all computing devices
  • Automatically update anti-virus software at least daily
  • Automatically scan and filter e-mail attachments and downloads before opening files
• Automatically receive virus and threat notifications from the United States Computer Emergency Readiness Team (US-CERT), SANS Institute or a similar provider
• Securely configure firewalls using other than a default configuration
• Configure networks using multiple firewalls (or equivalent) to separate back-office operations from Internet-facing operations
• Promulgate a security policy to all employees and contractors
• Have a tested disaster recovery plan that includes recovery from data center disasters
• Have a tested security incident response plan that addresses both direct (e.g., hacking) and indirect (e.g., virus) attacks upon network
• Back up network data and configuration files daily
• Store back-up files in a protected location
• Allow remote access to network only if it is via a VPN or equivalent system
• Monitor network platform vendors at least daily for availability of security patches and upgrades
• Test and install security patches and upgrades within 30 days of availability, preferably within seven days
• Always lock server rooms or otherwise limit access only to authorized personnel
RISK TRANSFER SOLUTIONS
InLight Risk Management provides multiple risk transfer solutions designed to meet your specific needs.
This critical liability coverage is necessary for any organization that uses computers to manage information.
What does it cover?
• All network information is covered, enterprise-wide and not just information on Web sites
• Covers claims related to identity theft
• Covers damage due to viruses, denial of service and security breaches
• Includes theft of othersʼ trade secrets, proprietary or confidential information from the insured's network
Privacy Injury and Identity Theft
• Unauthorized disclosure of private information
• Regulatory expense
• Private actions arising from unauthorized disclosure of othersʼ private information in violation of:
  • Any applicable privacy law, e.g., HIPAA, GLBA, COPPA and EU Data Protection Act
  • Insuredʼs published privacy policy
  • Any security breach notice law
• All network information is covered, enterprise-wide and not just information on Web sites
• Covers any current or future applicable privacy laws worldwide
• Covers claims related to identity theft resulting from unauthorized disclosure of private information
• Insuredʼs cost to notify others if they suspect a security breach or compromise of their private information
• Insuredʼs cost to comply with any applicable privacy law or regulation if a regulatory authority notifies them that they may be noncompliant
• Regulatory expense covers first-dollar loss, with no deductibles or co-insurance
Network Damage to information residing on insuredʼs network, including:
• Insuredʼs own information, upon which others rely, residing on a network
• Othersʼ information on insuredʼs network
• Damage to othersʼ information on insuredʼs network if damage caused by insured
• Network interruption or customersʼ inability to access or use insuredʼs network or their network if interruption is caused by insured
• Theft or unauthorized disclosure of othersʼ information on insuredʼs network
• All network information is covered, enterprise-wide and not just information on Web sites
• Covers damage due to viruses, denial of service and security breaches
• Includes outsourced network services for which insured is liable
• Includes theft of othersʼ trade secrets, proprietary or confidential information in insuredʼs care
What does it cost?
Premiums are determined by underwriting criteria specific to your company. It stands to reason that a
solo physician practice has fewer exposures than a hospital located in a
highly populated city.
For this reason, premiums begin as low as $500 annually. Protect your organization from a significant,
unexpected financial loss by purchasing technology/privacy liability coverage.
Scott L. Fikes
Vice President
InLight Risk Management, LLC
101 Park Avenue, Suite 1100
Oklahoma City, OK 73102
(O) 405.443.2024
(F) 405.443.2001
sfikes@inlightrm.com
www.InLightRM.com