Archive for June, 2011
Compliance officers—and privacy and security officers alike—should be auditing and monitoring social media.
"Look to make sure that employees are not posting confidential information on these sites," says F. Lisa Murtha, a partner at SNR Denton in Washington, D.C. "A good strategy is to run periodic Google or other searches against employee names."
Change throws people off—the advent of the telephone probably caused some consternation as well, says Roy Snell, CHC, CCEP-F, CEO of HCCA.
But social media, just like the phone, is a valuable tool. "People just need to learn to use it professionally," Snell says.
This tip was adapted from the July 2011 issue of Strategies for Health Care Compliance. More information about Strategies for Health Care Compliance is available at the HCMarketplace.
Cheryl Clark, for HealthLeaders Media
For the second time in just over six months, California public health officials late Friday acknowledged a major breach of sensitive health and personal information from within their own agency, this time affecting 9,000 current and former state employees.
The information “was improperly copied to a private hard drive and removed from state offices,” said Ron Chapman, MD, director of the California Department of Public Health. There is, as yet, no indication that the information has been misused or further disclosed, he said.
The agency said the state’s security detection system noticed “unusual activity” on April 5, and prompted CDPH to investigate. The agency “discovered the unauthorized removal of information from state premises by an employee” who is currently on administrative leave until the investigation is complete, according to an agency press release sent out on Friday.
“We regret that the personal information of our employees was compromised,” said Chapman. “We take the breach of any secure documents very seriously and are committed to taking steps to minimize any impact of this action and further strengthen our security policy.”
Asked why the breach took three months to announce, CDPH spokesman Al Lundeen said in a telephone interview Friday that the incident required a lengthy investigation and during that time, the employee involved was barred from having access to sensitive information. The data that was copied was related to Human Resources records and some of it contained information dealing with workmen’s compensation claims.
“This was not accidental. It appears to be an intentional act by one individual,” said Lundeen, who added that state officials are now working with police on the matter.
Last December the same agency was forced to announce that a magnetic tape containing sensitive personal and medical information for up to 2,550 residents and employees of 600 Southern California skilled nursing facilities had gone missing in the mail.
That breach was described by Kevin Reilly, CDPH chief deputy director for policy and programs, “as a big and unusual event for us.” It involved a protocol violation at the agency’s West Covina office. Instead of using a private courier to transmit the tape, someone sent the tape through the U.S. Postal Service and it never arrived at its destination.
While individual employees have lost laptops containing small amounts of information, Reilly said at the time, “This is definitely the largest breach of confidential and private information we’ve had at the Department of Public Health.”
The tape contained e-mail addresses, investigative reports and background information on healthcare workers, names of health care facility residents, some medical diagnoses and social security numbers of CDPH employees, facility residents and healthcare workers dating from 2003, state officials said.
Chapman said the breach announced on Friday “impacts most current CDPH and California Department of Health Care Services (DHCS) employees, as well as nearly 3,000 employees of the former Department of Health Services,” which has been divided into two agencies.
The information contained individual names and addresses in conjunction with varying combinations of social security numbers, ethnicity, birth dates, next of kin and the addresses of those individuals listed as next of kin, and/or information from workers’ compensation documents.
Both incidents are ironic because the agency is charged with imposing fines against health providers from which sensitive health and personal data might go missing or become misused.
California has perhaps the strictest laws with monetary penalties against hospitals that allow breach of sensitive medical information, amounting to $25,000 for the first offense and $17,500 for the second and subsequent breaches, to a maximum of $250,000. However, state law precludes the agency from assessing a monetary penalty against itself.
In a phone interview, Lundeen said his agency regrets the incident and will work to prevent its recurrence. “This is a challenge. This employee had access to the information. But we will undertake some internal safeguards and see what we can do about putting policies or practices in place to prevent such incidents again.”
CDPH will offer credit monitoring services to affected individuals as well as a toll free line to answer questions from current and former employees.
A Baltimore woman pleaded guilty June 22 to bank fraud and aggravated identity theft after facing charges that she stole the personal identifying information of residents and employees at assisted living facilities where she was employed and used that information to open fraudulent accounts, according to a press release from the U.S. Department of Justice.
According to the plea agreement, for five years, Phyllis Wilson, 39:
- Used her positions at four assisted living facilities in the Baltimore area to steal credit cards, checkbooks, personnel records, and other documents with personal identifying information (such as names, addresses, and Social Security numbers) of patients and employees
- Used the information to open new, fraudulent accounts in the names of the victims, and to take over existing accounts of the victims for her own benefit without intending to pay for the purchases
Wilson faces a maximum penalty of 30 years in prison for bank fraud, and a mandatory sentence of two years in prison, consecutive to any other sentence imposed.
A federal grand jury indicted Richard Alan Kaye, 62, of Suffolk, Va., for what authorities say was the wrongful disclosure of individually identifiable health information under HIPAA, according to a June 21 press release from the office of the U.S. attorney of Virginia.
Kaye is licensed to practice osteopathic medicine in Virginia and is the medical director of the Psychiatric Care Center at Sentara Obici Hospital in Suffolk, Va. According to the press release, Kaye disclosed without authorization on three occasions information on a patient’s mental health treatment to the patient’s employer.
Kaye made the unauthorized disclosures under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not, according to the indictment.
Q: Is it considered a breach if a covered entity requests that an individual send protected health information (PHI) via e-mail but does not provide instructions for how to do so securely? Shouldn't the covered entity recommend that the individual encrypt the e-mail to protect the PHI from interception?
A: It is not considered a breach if a covered entity requests that an individual send PHI via e-mail. However, it may be a violation of the HIPAA Security Rule technical safeguards if the covered entity requests the information but does not provide the individual with a way to encrypt the PHI.
If the unencrypted e-mail containing the PHI is intercepted by an unauthorized party, it would be considered a breach. Appropriate practice (and a way to reduce legal risk) would be to ask an individual not to send PHI unencrypted over the Internet.
This tip was adapted from the July issue of Briefings on HIPAA. More information about Briefings on HIPAA is available at the HCMarketplace.