Archive for September, 2011
A military health plan has reported one of the largest breaches on record.
TRICARE, which services active and retired military members and their families, reported a data breach impacting 4.9 million military clinic and hospital patients. The breach was due to the loss of backup tapes containing electronic health records, according to a release from the health plan.
The tapes were used in the military health system (MHS) to capture patient data from 1992 through September 7 of this year.
The data lost may include:
- Social Security numbers
- Addresses and phone numbers
- Personal health data such as clinical notes, laboratory tests and prescriptions
Financial data, such as credit card or bank account information, was not included on the backup tapes, TRICARE said in the release.
The company also indicated that retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.
“The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure,” TRICARE said.
The health plan said it is investigating the incident and reviewing current data protection security policies and procedures to prevent similar breaches in the future.
As for the two-week delay in notifying the affected parties, TRICARE said it did not want to, “raise undue alarm in our beneficiaries and so wanted to determine the degree of risk this data loss represented before making notifications.”
The health plan is urging beneficiaries to monitor their credit and suggested placing a free fraud alert on their credit for a period of 90 days using the Federal Trade Commission (FTC) web site.
The Office for Civil Rights (OCR) began posting entities with reported breaches of PHI affecting 500 or more individuals in February 2010, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Prior to TRICARE, the largest breach of PHI reported on the OCR website was by HealthNet, Inc. The health insurance giant reported its potential breach affecting the health records of 1.9 million past and current enrollees to OCR in April.
On the Health Net report, the “type of breach” is “unknown,” and the “location of breached info” is listed as “other.”
A fake physician who treated more than 1,000 people in two states, collected approximately $1.2 million for the "care" he provided, and then tried to sell individuals’ health information, pleaded guilty in federal court in Atlanta last week to charges related to the scheme, according to a Department of Justice release.
Matthew Paul Brown, 30, formerly of Atlanta, GA, and Nashville, TN, worked with licensed physicians in both states from November 2009 to April 2011 and used their provider numbers to collect approximately $1.2 million in false claims with Medicare, Medicaid, and private insurance companies, federal prosecutors said.
Brown, who has never held a license to practice medicine, administered care in the physicians' offices and at health fairs, with the physicians agreeing to pay Brown between 50% and 85% of the take. Federal prosecutors found no indication that the physicians who worked with Brown knew he was a fraud.
Brown was indicted in April. He pleaded guilty Tuesday, September 13, in U.S. District Court in Atlanta to charges that include 17 counts of healthcare fraud, each of which carries a maximum sentence of 10 years in prison and a fine of up to $250,000.
Read more on HealthLeaders Media.
Q. An outpatient physical therapy clinic verifies a patient’s benefits prior to his or her first visit. When the patient arrives, front desk staff review the patient’s insurance benefits and out-of-pocket costs. Other patients may sometimes overhear some of the conversation. Is this a HIPAA violation?
A. The HIPAA Privacy Rule defines this as an incidental disclosure, not a violation of the Privacy Rule. Covered entities are required to limit incidental disclosures as much as feasible. When discussing PHI with a patient at the intake desk, providers should establish a buffer zone between the intake desk and the next patient waiting to check in. Providers will often use a sign and ask waiting patients to remain behind the sign until it is their turn to check in.
Most signs found in physician offices and hospitals usually state that the purpose of this practice is to protect the privacy of the patient checking in. This isn’t always feasible because of the office configuration and does not always eliminate incidental disclosure of PHI. However, it is an appropriate practice that limits incidental disclosure. (See 45 CFR 164.530[c][ii].)
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR, answered this question. Apgar has more than 17 years of experience in information technology and specializes in security compliance, assessments, training, and strategic planning. He is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
Survey: How many direct-reports do you have?
- 10 or more
To submit your response, visit “Quick Poll” at HCPro’s Corporate Compliance Web site.
Editor’s note: The following excerpt from the September Briefings on HIPAA is the fourth in a series of questions about the HITECH-required Office for Civil Rights (OCR) HIPAA compliance audits answered by Susan McAndrew, JD, deputy director of health information privacy for OCR.
Will OCR share audit reports with the public?
The Office for Civil Rights (OCR) has not yet decided whether it will make audit reports public or instead publish a summary of audit results as a "lessons learned" document for the industry. OCR first must evaluate the effectiveness of the audits, McAndrew says.
"No final decisions have been made yet about how to best use the results of the audits to help compliance overall," she notes. "The intention is to develop a compliance tool not just for the particular entity audited but for others to learn and apply best practices in their own environment."