PrivacyAnalyicsEdition2-2012

EDITION 2 2012

CONTACT USwwwprivacyanalyticsca | 6133694313

infoprivacyanalyticsca800 King Edward Drive Suite 3042Ottawa Ontario Canada K1N 6N51

THE PRIVACY ANALYTICS NEWSLETTER

Table of Contents

1 Anatomy of a Data Breach This first in a three-part seriesbull Part1DataPrivacyRegulationsPenaltiesandStatistics

bull ByJamesJGiszczakandDominicAPaluzziMcDonaldHopkinsLawFirm

bull Page2

2 Trust The Prescription for a Long and Healthy Relationship

bull ByJayInnes

bull PAGE5

3 Medical Identity Theft Seven Years On

bull ByJayInnes

bull PAGE7

4 The First Wave of OCR Audits for HIPAA and HITECH Compliance Key Results Summary

bull ByMikeHumasonDirectorofHealthcareSystemsMicroSolutions

bull PAGE8

5 Patient Recruiting Innovation Emerges from Personal Experience

bull ByJayInnes

bull Page10

6 Privacy Analytics update PARAT software upgrades and recent news

bull Page11

bull If you have not already subscribed please signup to receive the monthly Risky Business newsletter httpwwwprivacyanalyticscaregisternlasp

bull Follow us on privacyanalytic

bull Look for the Privacy Analytics company site on

bull All comments and story ideas welcome Contact Jay Innes at jinnesprivacyanalyticsca

Trust PARAT for re-identification risk assessment and de-identification

Privacy Analytics The developers of the only commercially available integrated data masking and de-identification tool

RISKY BUSINESS - THE PRIVACY ANALYTICS NEWSLETTER - EDITION 2 2012

800 King Edward Drive Suite 3042Ottawa Ontario Canada K1N 6N52

wwwprivacyanalyticsca | 6133694313infoprivacyanalyticsca

Anatomy of a Data Breach A 3-Part Series Part 1 Data Privacy Regulations Penalties and StatisticsBY JAMES J GISZCZAK AND DOMINIC A PALUZZI MCDONALD HOPKINS LAW FIRM

INTRODUCTIONIn todayrsquos electronic age with personal and financial information and protected health information stored on computers on laptops on the internet and on other miniature media devices and with the rise of identity theft individuals are more concerned than ever about protecting their personal information and protected health information Increasingly companies have become targets for people both internally and externally misappropriating this information for improper purposes

ldquoAnatomy of a Data Breachrdquo is a 3-part series of articles that will discuss data privacy and the rapidly-changing laws that entities must adhere to and the challenges they face through the compliance process This first article will address the general concepts of data security stunning statistics critical privacy laws and penalties for non-compliance The second article will feature proactive measures and requirements to minimize the risk of a data breach in your organization Finally the third article will address the immediate and appropriate actions to take once a breach occurs

What is most important in the data privacy arena is for your organization to partner with vendors that have significant experience advising clients on best practices security and storage policies dealing with data breaches and complying with state and international data security laws Itrsquos important to find a balance between the information requirements of your organization and the individual rights of your employees customers and third parties This area of law is rapidly changing and itrsquos critical that the complex privacy laws are both understood and followed

QUESTIONS TO CONSIDER bull Does your company have a Written Information Security

Program bull Have you established clear data security proceduresbull Does your company have an Incident Response Planbull Are you aware of the myriad of state federal and international

laws that require data breach notificationbull Do you have appropriate IT and electronic policies concerning

personal or other sensitive information whether it is in hard copy or stored on laptops or other portable devices

bull Does your company properly protect its personal information with confidentiality agreements for its employees vendors and visitors

bull Does your company properly train its employees on its data security program and policies

If you just read these questions and are asking yourself ldquowhat is an Incident Response Planrdquo or ldquowhat is a Written Information Security Programrdquo you are not alone Letrsquos discuss why we even need to be talking about data privacy in the first place

WHAT DATA IS PROTECTED AND WHO IS IMPACTEDBy state and federal statute personal information (ldquoPIrdquo) or personally identifiable information (ldquoPIIrdquo) refers to unique identifiers such as an individualrsquos Social Security number driverrsquos license number credit card numbers credit report history passport number tax information and banking records Protected Health Information (ldquoPHIrdquo) refers to medical records health status provision of healthcare and payment for healthcare

Every industry is at risk when it comes to data privacy but some are more critical such as billing companies education insurance staffing healthcare retail manufacturing accounting financial services legal pharmaceuticals and governmentmilitary These industries are most at risk due to the amount of sensitive PI and PHI that they either own license or otherwise have access to andor control of

STARTLING STATISTICSOver 544664595 data breaches have been reported since 2005 (Privacy Rights Clearinghouse) Of course many have gone unreported so this figure is more than likely 3 times higher or 1633993785 A Ponemon Study has recently found that the average cost of a data breach is $214 per compromised record which is broken down as follows

Activity Percent DollarInvestigation amp Forensics 11 $23

Audit amp Consulting Services 10 $21

Outbound Contact 5 $10

Inbound Contact 6 $13

Public RelationsCommunications 1 $2

Legal Services - Defense 14 $30

Legal Services - Compliance 2 $4

Free or Discounted Services 1 $2

Identity Protection Services 2 $4

Lost Customer Business 39 $83

Customer Acquisition Cost 9 $19

Total 100 $214Source httpwwwponemonorgindexphp




Of the attacks 85 are not even considered difficult and 96 are avoidable through simple or intermediate controls (Verizon Data Breach Investigations Report)

So what is the incentive for a criminal to have access to your PI through either a low-tech breach or via hacking into a computer network The value of your stolen data on the black market is quite surprising

CRITICAL PRIVACY LAWS amp STANDARDSAs a result of the increased frequency of data thefts and breaches of PI and PHI the data privacy regulations are voluminous and onerous There are at least 35 federal laws with data protection or privacy protections Forty-six states the District of Columbia Puerto Rico the Virgin Islands and numerous foreign countries have enacted legislation requiring notification of security breaches involving PI andor PHI Relative to the 46 state statutes it is the residence of the affected individual which determines the applicable notice law regardless of whether or not the entity has a business physically located in that state There are at least six recently proposed federal bills which if enacted may supersede the 46 state laws currently in effect A highlight of some of the critical privacy laws and standards can be found below

bull HealthInsurancePortabilityampAccountabilityActofrsquo96(HIPAA)o Requires healthcare providers to ensure the confidentiality

of all protected health information (PHI)

bull HealthInformationTechnologyforEconomicampClinicalHealthAct(HITECH)o Imposes new notification requirements on covered entities

business associates amp vendors if a breach of unsecured PHI occurs

bull Gramm-Leach-BlileyAct(GLBA)o Requires financial institutions to safeguard security

of customer informationrecords and protect against unauthorized access of same

bull FederalTradeCommission(FTC)RedFlagsRuleo Requires financial institutions and creditors to implement

written identity theft programs to identify theft prevent crime and anticipate damages

bull IdentityTheftEnforcementandRestitutionAct(ITERA)o Victims of identity theft allowed to recover an amount equal

to value of time spent by victim to remediate the intended or actual harm incurred

bull PaymentCardIndustryDataSecurityStandards(PCIDSS)o Requires organizations handling bank cards to conform

to numerous security standards regulated by Visa and MasterCard

COST OF NON-COMPLIANCEAs if the requirements in the statutes themselves were not burdensome enough many of the regulations include significant penalties for failing to comply with the data privacy statutes A few of the legal penalties include

bull Up to $750000 in penalties to the company for failure to notify affected individuals

bull $10000 per violation for officersdirectors personally (Gramm-Leach-Bliley Act)

bull Up to $50000 per violation for consumer health information retained on a hard drive (Health Insurance Portability and Accountability Act [HIPAA])

bull Officersdirectors can serve up to five years in prisonbull Banks can lose FDIC insurancebull Bank officers can be barred from industry under Gramm-

Leach-Bliley Actbull State privacy statutes provide for private civil actions for

instances of non-compliance including punitive damages and attorneysrsquo fees

bull Under HIPAA failure to properly erase consumer health information can carry a minimum prison term of one year

CONCLUSIONA comprehensive approach to data privacy and network security is the most effective means to avoid a data breach and is the best way to be prepared to respond to a breach when necessary It is important for organizations to recognize the need to be proactive Complying

Overall Rank Item Percentage 2010 Price Ranges

2010 2009 2010 2009

1 1 Credit Card Information

22 19 $007-$100

2 2 Bank Account Credentials

16 19 $10-$900

3 3 Email Accounts

10 7 $1-$18

4 13 Attack Tools 7 2 $5-$650

5 4 Email Addresses

5 7 $1MB-$20MB

6 7 Credit Card Dumps

5 5 $050-$120

7 6 Full Identities 5 5 $050-$20

8 14 Scam Hosting 4 2 $10-$150

9 5 Shell Scripts 4 6 $2-$7

10 9 Cash-out Services

3 4 $200-$500 or 50-70 or Total Value

(SOURCE HTTPWWWSYMANTECCOMTHREATREPORT)




with the latest data security laws through a comprehensive approach will provide benefits in the immediate future reducing the likelihood of a data breach and minimizing the loss when such an event occurs

Part two in this series will feature various proactive steps organizations should take to be compliant with data privacy laws and regulations including drafting and implementing appropriate data privacy policies and procedures and ongoing training of employees on the importance of data security The article will also

include a discussion of cyber insurance coverage available to help insureds mitigate the cost of a breach and protect an organizationrsquos balance sheet The third part in the series will discuss the data breach response process and appropriate notifications to affected individuals and state attorneys general in addition to media notice when necessary public relations management and credit monitoring to help mitigate damages incurred

iTunes AnnouncementAVAILABLE NOW Subscribe to the free iTunes podcasts co-sponsored by Privacy Analytics providing a comprehensive webinar series addressing the topics of de-identification data breaches data protection consent ethics privacy regulations and data sharing

James J Giszczak a Member with McDonald Hopkins litigates matters involving data security and data privacy and advises clients regarding data security measures and responding to security breaches Jim also works with clients in a myriad of industries to assess and implement appropriate data security safeguards and continues to works with federal state and local authorities as well as third party vendors

Jim can be reached at jgiszczakmcdonaldhopkinscom

An Associate with McDonald Hopkins in Detroit Michigan Dominic A Paluzzi advises clients regarding data privacy and network security measures drafts information security programs and incident response plans and responds to data security breaches Dominic coaches clients who have experienced a data breach ensuring compliance and minimizing exposure

Dominic can be reached at dpaluzzimcdonaldhopkinscom




The Secret to a Long and Healthy Relationship With Your Healthcare ProviderBY JAY INNES

Ottawa ON Canada Two recent patient surveys indicate that it is not just the rich and famous who worry about the security and confidentiality of personal health records patients are starting to ask questions about the migration to Electronic Health Records (EHRs) and the questions may have an impact on the sacred doctor-patient relationship

In 2011 the National Partnership for Woman and Families and Alan Westin Professor Emeritus Columbia University conducted a survey of more than 1900 American adults to produce Making It Meaningful How Consumers Value and Trust Health IT The survey revealed that more than 80 per cent of respondents do not feel they are adequately informed of the ways in which their medical information is collected and used The study concludes that the onus falls on the physicians as the frontline caregivers to provide crucial guidance and that the physicians should ldquocultivate trust in EHRsrdquo

In a recent webinar co-sponsored by Privacy Analytics healthcare lawyer Ken Rashbaum reminded the attendees of the recent quote from Leon Rodriguez when the director of the Office for Civil Rights (OCR) connected trust and healthcare ldquoIf people lose trust in the healthcare system they will not get the care they needrdquo Rodriguez went on to tell the Detroit Free Press that ldquoenforcement promotes compliancerdquo

Rashbaum who was providing information on the HIPAA spot audits now underway in the US and advising on breach prevention strategies acknowledges that this is an exciting but unsettled time for healthcare sectors As healthcare providers in many countries move from paper to digital records encouraged by government incentives patients are seeing the elevation of the roles of data stewards and IT departments

ldquoFor the first time in medical history

information has become a tool of care because we have the ability to coordinate and consolidate information from so many different sourcesrdquo says the New York attorney who has more than 25 yearsrsquo experience in the healthcare and pharmaceutical industries

The report from the National Partnership for Woman and Families goes on to highlight the fact that consumer education is needed to enhance the understanding of the link between the care process and the records systems that support care Almost two-thirds of all respondents indicated that widespread adoption of EHRs will lead to the theft or loss of personal information which as Rashbaum indicates strikes at the core of the bond of trust between the doctor and patient

ldquoIf patients lose confidence in the security and the trust in the confidentiality of their information then they are not going to be as forthcoming with their physicians and the information may no longer be reliable from the care point of viewrdquo

Rashbaum is quick to point out that the loss of confidence is less with the physicians than the mutable nature of electronic information (easier to lose than paper) and such concerns are exacerbated by media coverage of information leaks and losses that could potentially undermine the many beneficial uses for the electronic records

ldquoIf the data canrsquot be trusted by the patient then the patient will be reluctant to give full and comprehensive information and then the physician may in turn look with less trust on the informationrdquo warns Rashbaum

The reactions of patients who are concerned about the security of their records and the impact on trust were revealed in a recent four country survey conducted for the Florida company FairWarning The results measured patient expectations actions

Jules Polonetsky the Co-Chair and Director at the Future of Privacy Forum followed up a recent webinar co-sponsored by Privacy Analytics by predicting the evolution of public attitudes toward the privacy and sharing of healthcare records

ldquoItrsquos clear that on their own privacy and security measures protecting health data wonrsquot address consumer concerns Consumers will need to feel confident that data collected is being used on their behalf not simply for the benefit of third partiesrdquo

To access Julesrsquo webinar addressing the most central privacy issues of the future including data use innovation and de-identification follow this link httpswwwehealthinformationcasurveywebinarjan122012aspx




and reactions to concerns over the security of personal health records signaling an increase in public awareness The surveys of patients in the US UK France and Canada indicate that patients will alter behavior if trust is compromised and in some instances withhold information from healthcare providers which could be detrimental to future care strategies and treatments The decision to withhold information from a care provider resulting in an inaccurate or incomplete health record may seriously harm the patient and diminish faith in the system two reasons explaining the increased focus on enforcement

In the survey summary of all four countries more than 90 per cent of patients responded that care providers have an ethical and legal obligation to protect privacy Further emphasizing the relationship between doctor and patient more than 85 per cent of all respondents indicated that if they had a sensitive medical condition then the care providerrsquos reputation would have an impact on the choice of provider The four country surveys also indicate that patients will seek to impose consequences on the healthcare executives who are responsible for a data breach

ldquoIn every market the patient still has this trust with the care provider but they react very emotionally when things go wrong all the way to the sacking of the executivesrdquo says Kurt Long FairWarning CEO admitting his surprise at the 90 per cent response rate demanding fines or dismissal for executives who fail to act following a breach

ldquoWe conclude that therersquos a lot of trust and a belief that care providers are doing the right things but when it goes wrong boy are they madrdquo adds Long

With time to absorb the survey results and a commitment to use the current surveys to benchmark follow up studies in the four countries Long predicts a blend in openness and privacy in the future

ldquoI think there is going to be this bifurcation and there will be a set of people who are comfortable with an awful lot of information about themselves being public On the other hand I think that therersquos going to be a core set of information including our medical information -- the most sensitive aspects of our medical conditions -- that all of us are going to really value and want to protectrdquo

NOTEWORTHY A recent eight-country study by Accenture provides an overview of the progress achieved in adopting healthcare IT leveraging its benefits and studying the barriers to advancement Making the Case for Connected Health assesses three areas healthcare IT adoption health information exchange implementation and insight driven healthcare including the use of advanced analysis of data to support decision making population health management and innovative care delivery models Interviewing 160 healthcare leaders and more than 3700 doctors and clinicians the report defined the barriers to electronic medical record adoption and the implementation of health information exchanges

The top three barriers as determined in Making the Case for Connected Health

1 ITsystemscannottalktoeachother2 Concernsaboutprivacyandsecurityofdata3 Costtomyorganization

Useful Links

Making It Meaningful How Consumers Value and Trust Health IT National Partnership for Woman and Families and Alan Westin Professor Emeritus Columbia University February 2012 (httpwwwnationalpartnershiporgsiteDocServerHIT_Making_IT_Meaningful_National_Partnership_February_2pdfdocID=9783)

How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes Trust in the confidentiality of medical records influences when where who and what kind of medical treatment is delivered to patients New London Consulting for FairWarning 2012 (httpwwwfairwarningcomsubpagesresourcesasppatientsurveys)

HIPAA Security Spot Audits Begin Chicken Littles and Annual Traditions Webinar by Ken Rashbaum for Privacy Analytics February 2012 (httpswwwehealthinformationcasurveywebinarfeb132012aspx)

Connected Health The Drive to Integrated Healthcare Delivery Accenture 2012 (httpwwwaccenturecomus-enPagesinsight-making-case-connected-healthaspxampampampsf3179485=1)

Privacy Concerns Patient ResponsesFairWarning Four Country Surveys

Patient privacy behavior or belief AverageBelieve care provider has ethical and legal obligation to protect privacy

9625

Patient postpones treatment due to privacy concerns

2975

Patient willing to travel outside of community for care due to privacy concerns

4275

Patient withholds medical information due to privacy concerns

445

(Source httpwww fairwarningcomsubpagesresourcesasppatientsurveys)




Medical Identity Theft Seven Years OnBY JAY INNES

Ottawa ON Canada In 2005 the National Committee on Vital and Health Statistics (NCVHS) Subcommittee on Privacy and Confidentiality approached Pam Dixon and asked her to appear and answering the question ldquoWhat are the risks of electronic healthcare recordsrdquo

When Dixon the Executive Director and Founder of World Privacy Forum was unable to find a single academic or mainstream publication addressing the issue of medical identity theft she focused on Justice Department files and worked to compile stories for her testimony

ldquoAfter the appearance the chair approached me and said lsquoNone of us has ever heard about this before and I donrsquot care if you donrsquot have funding for this or not you have got to do more work on thisrsquordquo Dixon recalls from her California office

Spurred on Pam Dixon and World Privacy Forum released Medical Identity Theft The Information Crime that Can Kill You on May 3 2006 the most comprehensive report to date on medical identity theft and medical identity fraud The report helped to define the term ldquomedical identity theftrdquo and provided real-life crime stories and accompanying statistics The media gravitated to the report and helped to raise public awareness

ldquoThe purpose of the report was to prove that medical identity theft existed and we expected some push backrdquo says Dixon

ldquoBut it was like a stack of dominoes like an avalanche it was definitely the cracking open of a very new Pandorarsquos Boxrdquo she says recalling the thousands of emails she received from providers and patients who shared their stories

Dixon is proud that her home state adopted the recommendation that data breach notifications be mandatory for consumers and that Washington soon followed

In the years that have passed since the report was released Dixon seems frustrated that the public continues to hear stories about data breaches caused by the loss or theft of unencrypted USB sticks and unencrypted laptops As a privacy expert serving many industries she says that these simple mistakes would just not happen in the financial sector or to a bank employee ldquobecause there is a culture of securityrdquo

She explains the differences between the financial and healthcare sectors and although she holds out hope for progress in the healthcare field she realizes that the two sectors are vastly different

ldquoOne of the reasons is that the healthcare sector is dealing with people -- patients -- and there is a need to access information quickly so the security structures have to be a lot more complex and a lot more thoughtfulrdquo she says

ldquoIt can be done but itrsquos just a matter of shifting a very old culture into a very new age where security is essentialrdquo

Looking ahead Dixon predicts that the healthcare world will continue to attract the attention of organized crime and in the coming months the World Privacy Forum will complete a two-year project on criminal operations in the healthcare field that will plot the geographical locations of the criminal activity in the US

Useful Link

Medical Identity Theft The Information Crime that Can Kill You World Privacy Forum 2006 (httpwwwworldprivacyforumorgmedicalidentitythefthtml)

Top Locations of Breaches Involving Unauthorized Access or Disclosure of PHI

As of Feb 17 2012 of Breaches Location

40 Paper

9 Network Server

6 Other

5 Email

3 Electronic Medical Record

1 Desktop Computer(Analysis of OCR data Jan 17 ndash Feb 17 2012 by Health Information PrivacySecurity

Alertrsquos HIPAA amp Breach Enforcement Statistics (httpwwwmelamediacomHIPAAStatshomehtml)

Privacy Analyticsrsquo News 1) Hospital News article on integrating maternal-child data for

all births in Ontario httpwwwhospitalnewscom integrating-maternal-child-data-for-all-births-in-ontario

2) Tracking Superbugs in Ontario Long-Term Care Facilities httpwwwcanhealthcomcurrent20issuehtml12marstory5




The First Wave of OCR Audits for HIPAA and HITECH Compliance Key Results SummaryBY MIKE HUMASON DIRECTOR OF HEALTHCARE SYSTEMS MICRO SOLUTIONS

Thousand Oaks California USA Since the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) part of 2009rsquos ARRA those who watch the news to see what government regulators are doing to enforce the many provisions of HIPAA and HITECH plus various state regulations in addition Changes to enforcement structure and doctrine have indicated that sweeping changes are underway leading to a far more proactive effort to audit investigate and where indicated to mandate corrective actions on the part of healthcare providers in the areas of patient records privacy and security Subject matter experts and legal experts have speculated at length over if and when a major wave of audit activities might commence A pilot project was initiated late last year initial information on which is just becoming available

BACKGROUND In 2011 The US Department of Health and Human Services (HHS) announced that its Office of Civil Rights (OCR) would begin HIPAA audits of covered entities and business associates in November and that its contracted auditor KPMG would audit up to 150 entities by the end of 2012 HHSrsquos website provides detailed information regarding when the audits will begin who may be audited how the audit program will work what the general timeline will be for an audit and generally what will happen after an audit is completed In addition HHSrsquos sample Audit Letter indicates that KPMG will focus on discovering vulnerabilities in privacy and security compliance programs and that certain ldquoinformationrdquo and ldquodocumentsrdquo will be requested in connection with the audit However no additional details are given regarding what covered entities and business associates may be asked to produce Covered Entities (CErsquos) and Business Associates (BArsquos) are in line to be audited in the near future and no CE is exempt Audit programs are meant to supplement not replace current investigation and enforcement activities

More recent information reveals the following

bull An initial ldquopilotrdquo phase will audit 20 CErsquos including o 1 State Medicaid program o 1 State SCHIP program o 3 group health plans o 3 health insurance companies o 3 physician practices o 3 hospitals o 1 laboratory o 1 dentist o 1 long term care facility o 1 pharmacy

bull Audit targets are selected using random samples from a database of CErsquos created by OCR contractor Booz Allen Hamilton Four categories were created

Level1 large payersproviders (revenues gt $1 Billion)

Level2regional insurersregional hospital systems ($300M to $1Billion)

Level3 community hospitals outpatient surgery centers regional pharmacies self-insured plans ($50M to $300M)

Level4 small providers community or rural pharmacies (less than $50M)

bull The formal audit program will begin in May 2012 bull OCR announced that the number of previous contacts with a CE

would have a bearing on who to audit

There is a definite process to the audits

bull KPMG will notify CErsquos preceding an audit and will send a list of required documents with the notification

bull CErsquos must respond to the document request within 10 business days

bull CErsquos will be notified 30 to 90 days prior to an onsite audit bull Audits may last several weeks bull Following the onsite audit CErsquos will receive a preliminary written

report bull CErsquos have 10 business days to supply additional documentation

and to comment in response to findings bull Within 30 days following the CE comment period the auditor

will send a final report to OCR bull If the final report indicates any serious compliance issue OCR

may initiate a compliance review ndash this will be similar to a formal investigation as is usually in response to a formal complaint or a large PHI breach

If a compliance review happens it could result in

bull Technical assistance provided by OCR bull Loss of eligibility to receive ldquoMeaningful Userdquo funds bull Corrective action plan for the CE which may include mandatory

third-party compliance review for 3 to 5 years bull Civil monetary penalties bull If the compliance review indicates ldquowillful neglectrdquo OCR will

impose formal corrective action bull Penalties may be up to $50000 per incident and up to $15

million per calendar year for the same type of violation




bull Higher penalties may be assessed at the discretion of OCR

The 10-day response requirement in the event of an audit notification means that CErsquos which do not have a considerable amount of preparation already done will find themselves under great pressure and possibly unable to comply A comprehensive compliance plan done in advance provides insurance against failure and possible dire consequences

Recommendations include

bull A proactive thorough risk analysis done by an established subject-matter expert

bull Centralized compliance documentation including but not limited too Policies and procedures and a written trail of workforce

training and implementation o Documentation of continued ongoing workforce trainingo Risk analysis report findings and written record of

remediation of all gaps identified o A regular periodic and annual audit program o Written Disaster recovery and Emergency operation plans

plus policy for regular review and updates o Incident response and breach notification documentation o Documentation that electronic PHI is being encrypted with

an industry-standard solution o Evidence of control over access to PHI o Evidence of compliant data backup and recovery o Remote access management o Plan to address governmentregulatory investigations and

auditso Documentation concerning release of PHI for treatment

payment and operations not requiring patient authorization

A dedicated workforce team should be developed and trained to enact all of the above ndash they should meet on a regularly-scheduled basis to ensure that compliance efforts are ongoing and current Their findings recommendations and actions should be properly documented and should be available to investigators and auditors along with all of the above items Compliance efforts must be proactive ongoing and should never be considered a one-time event It should be borne in mind that CErsquos bear the burden of proof in demonstrating compliance

CONCLUSION It is clear that the mandates of HITECH mean far more than just the adoption of electronic health records systems Complimentary compliance efforts in the areas of Privacy and Security including risk analyses and audits will be a standard part of any healthcare providerrsquos responsibility going forward failure to address these issues in advance may prove enormously costly not just in terms of fines but also in time taken to respond to an audit notice with no prior preparation and in the costs of corrective action Compliance efforts must be continuous and ongoing overseen by a dedicated team and all activities must be properly documented and readily available

Getting outside help is a smart solution ndash it canrsquot be denied that you donrsquot know what you donrsquot know ndash and most healthcare staff are fully occupied by the demands of patient care Donrsquot be afraid to ask for help

Mike Humason Director of Healthcare Systems at Micro Solutions (httpwwwmicro-solcom ) in Thousand Oaks CAUSA brings a 35+ year experience in the healthcare field to his current role as a consultant specializing in the areas of Electronic Health Records (EHR) adoption and aiding clients in compliance with the many regulatory standards of HIPAA and HITECH Micro Solutions conducts assessments and audits from simple and small to highly penetrative and granular which result in a comprehensive compliance and security client profile accompanied by recommendations to cure gaps We serve physicians outpatient centers long-term care facilities and hospitals as well as business associates such as law offices which bear a significant compliance burden




Patient Recruiting Innovation Emerges from Personal ExperienceBY JAY INNES

Ottawa ON Canada In 2008 sitting waiting at yet another doctor consult to determine the best method to treat a large birthmark on his baby daughterrsquos right leg Tom Dorsett decided he needed more information if he was to become an active and engaged advocate for his family As a health IT consultant Dorsett went in search of all relevant information from treatment options to clinical trial updates His efforts supported his daughterrsquos treatment while his frustrations led to the creation of ePatientFinder a patient recruiting process providing pre-screened candidates for clinical research ePatientFinder matches technology and physicians in primary care and in-patient environments with the information that allows them to identify ideal candidates for clinical trials through data analytics

ldquoI realized that it would be very powerful not only for the research organizations but especially for the patients because awareness is still statistically very low regarding clinical trials and patients with specific ailmentsrdquo said Dorsett in a recent interview from his Texas office

In contrast to the long held inefficient and expensive strategy of recruiting candidates through mass media this regionally-based and laser-focused process is conducted at the point-of-care offering physicians the added benefit of enhancing communications with patients

ldquoWith our model we are actually able to run analytics on the database in real time so that as patients come in theyrsquore being screened If therersquos a match wersquore able to reach them while theyrsquore checked into the hospital which greatly increases the likelihood of patient participationrdquo adds Dorsett

During a turbulent phase for the healthcare industry led by government incented EHREMR subsidies buffeted by challenging economic times and balancing the demands of citizens seeking immediate answers while requiring privacy protections Dorsett realized that collaboration was the first step to success Along with his executive team Dorsett worked with Health Information Exchanges (HIEs) Regional Health Information Organizations (RHIOs) and Electronic Health Record (EHR) vendors to create a growing health IT

oriented referral network to capitalize on the rapid expansion of the pool of individual longitudinal records

ldquoWersquore very excited that finally the longitudinal data exists because there has been a slow transition from the existence of only claims data to a more highly developed clinical data-setrdquo says Dorsett recognizing the current data revolution

ldquoHistorically itrsquos been claims data which is of minimal value to what we do because wersquore looking to locate very specific patients So the more detailed the data the more longitudinal the record then the more effective our servicerdquo

The ePatientFinder concept was validated in November with the announcement that five drug makers teamed up to gather health data from 13 New York hospital systems to assist in attracting patients to clinical trials The Bloomberg News story stated that the hospitals systems stand to make $75 million per year while pharmaceutical companies benefit from reducing the drug trial times and cutting costs

ldquoWe allow hospitals health information exchanges and physicians to gain new revenue from sources they never really would have thought about because we help them bring in revenue from the research community just by getting them involved in the recruiting processrdquo says Dorsett

ldquoTherersquos a lot of interest in what to do with this data either from a straight analytics play to where organizations hospitals and on down to the larger ambulatory clinics that are able to analyze their data

In the ePatientFinder model information is not shared with the drug companies instead the model is focused on working inside a hospitalrsquos firewall The onus is on the individual organization to decide whether to opt-in the referring physician to deliver the study information to their patient The patient then decides whether to apply for the study

ldquoIt creates a unique opportunity and if the hospital isnrsquot ready to take the plunge and start running clinical trials itself then we have the ability to bring revenue in from the research and development sector into those organizations just by getting them involved in these programsrdquo says Dorsett

Still in the development stages ePatientFinder is now building its data network and pilot projects are currently in design to go live with a top ten pharmaceutical company this spring As for Tomrsquos daughter she has received treatment for her birthmark and it has faded considerably

ldquothe more detailed the data the more longitudinal

the record then the more effective our servicerdquo

Tom Dorsett




PARAT 25 ReleaseIn March Privacy Analytics Inc will release PARAT 25 featuring the addition of a masking tool to support the effective de-identification of healthcare data sets to provide privacy guarantees for safe handling and sharing

The Privacy Analytics Risk Assessment tool is the only commercially available integrated data masking and de-identification tool on the market today and the only tool for handling longitudinal data sets

New features include

1) New Batch Processing Batch process a complete de-identified dataset includes SQL Scripts data importexport masking and de-identification

2) New Longitudinal Suppression Algorithm Significantly faster while lowering the amount of required suppression

3) New Longitudinal Attack Simulator Simulating re-identification attacks on a longitudinal dataset

4) New Improved Masking Toolset Now featuring advanced masking masking propagation and compound pseudonyms

5) Improved Import Capabilities PARAT Import from CSV and Microsoft Access more robust to handle large datasets

6) Automatic Import Type Detection PARAT CSV will detect field data types and date formats automatically

7) New Task Manager View the currently running tasks and end long-running tasks

To find out more and book a demo click here (wwwprivacyanalyticsca)




Anatomy of a Data Breach A 3-Part Series Part 1 Data Privacy Regulations Penalties and StatisticsBY JAMES J GISZCZAK AND DOMINIC A PALUZZI MCDONALD HOPKINS LAW FIRM

INTRODUCTIONIn todayrsquos electronic age with personal and financial information and protected health information stored on computers on laptops on the internet and on other miniature media devices and with the rise of identity theft individuals are more concerned than ever about protecting their personal information and protected health information Increasingly companies have become targets for people both internally and externally misappropriating this information for improper purposes

ldquoAnatomy of a Data Breachrdquo is a 3-part series of articles that will discuss data privacy and the rapidly-changing laws that entities must adhere to and the challenges they face through the compliance process This first article will address the general concepts of data security stunning statistics critical privacy laws and penalties for non-compliance The second article will feature proactive measures and requirements to minimize the risk of a data breach in your organization Finally the third article will address the immediate and appropriate actions to take once a breach occurs

What is most important in the data privacy arena is for your organization to partner with vendors that have significant experience advising clients on best practices security and storage policies dealing with data breaches and complying with state and international data security laws Itrsquos important to find a balance between the information requirements of your organization and the individual rights of your employees customers and third parties This area of law is rapidly changing and itrsquos critical that the complex privacy laws are both understood and followed

QUESTIONS TO CONSIDER bull Does your company have a Written Information Security

Program bull Have you established clear data security proceduresbull Does your company have an Incident Response Planbull Are you aware of the myriad of state federal and international

laws that require data breach notificationbull Do you have appropriate IT and electronic policies concerning

personal or other sensitive information whether it is in hard copy or stored on laptops or other portable devices

bull Does your company properly protect its personal information with confidentiality agreements for its employees vendors and visitors

bull Does your company properly train its employees on its data security program and policies

If you just read these questions and are asking yourself ldquowhat is an Incident Response Planrdquo or ldquowhat is a Written Information Security Programrdquo you are not alone Letrsquos discuss why we even need to be talking about data privacy in the first place

WHAT DATA IS PROTECTED AND WHO IS IMPACTEDBy state and federal statute personal information (ldquoPIrdquo) or personally identifiable information (ldquoPIIrdquo) refers to unique identifiers such as an individualrsquos Social Security number driverrsquos license number credit card numbers credit report history passport number tax information and banking records Protected Health Information (ldquoPHIrdquo) refers to medical records health status provision of healthcare and payment for healthcare

Every industry is at risk when it comes to data privacy but some are more critical such as billing companies education insurance staffing healthcare retail manufacturing accounting financial services legal pharmaceuticals and governmentmilitary These industries are most at risk due to the amount of sensitive PI and PHI that they either own license or otherwise have access to andor control of

STARTLING STATISTICSOver 544664595 data breaches have been reported since 2005 (Privacy Rights Clearinghouse) Of course many have gone unreported so this figure is more than likely 3 times higher or 1633993785 A Ponemon Study has recently found that the average cost of a data breach is $214 per compromised record which is broken down as follows

Activity Percent DollarInvestigation amp Forensics 11 $23

Audit amp Consulting Services 10 $21

Outbound Contact 5 $10

Inbound Contact 6 $13

Public RelationsCommunications 1 $2

Legal Services - Defense 14 $30

Legal Services - Compliance 2 $4

Free or Discounted Services 1 $2

Identity Protection Services 2 $4

Lost Customer Business 39 $83

Customer Acquisition Cost 9 $19

Total 100 $214Source httpwwwponemonorgindexphp





























2010 2009 2010 2009


22 19 $007-$100


16 19 $10-$900

3 3 Email Accounts

10 7 $1-$18

4 13 Attack Tools 7 2 $5-$650

5 4 Email Addresses

5 7 $1MB-$20MB


5 5 $050-$120


8 14 Scam Hosting 4 2 $10-$150



3 4 $200-$500 or 50-70 or Total Value











































Useful Links







9625


2975


4275


445


















Useful Link




40 Paper

9 Network Server

6 Other

5 Email









































































Tom Dorsett











































2010 2009 2010 2009


22 19 $007-$100


16 19 $10-$900

3 3 Email Accounts

10 7 $1-$18

4 13 Attack Tools 7 2 $5-$650

5 4 Email Addresses

5 7 $1MB-$20MB


5 5 $050-$120


8 14 Scam Hosting 4 2 $10-$150



3 4 $200-$500 or 50-70 or Total Value











































Useful Links







9625


2975


4275


445


















Useful Link




40 Paper

9 Network Server

6 Other

5 Email









































































Tom Dorsett
























































Useful Links







9625


2975


4275


445


















Useful Link




40 Paper

9 Network Server

6 Other

5 Email









































































Tom Dorsett































Useful Link




40 Paper

9 Network Server

6 Other

5 Email









































































Tom Dorsett

















































































Tom Dorsett















PrivacyAnalyicsEdition2-2012

Documents

Transcript of PrivacyAnalyicsEdition2-2012