
Project Mission and Scope

Project Mission and Scope. Presented By: Rick Kam President/Co-Founder ID Experts Advisory Committee Meeting March 17, 2011. The Problem. What is the Financial Impact of the Unauthorized Disclosure of PHI/PII?. Man Paid Hospital Employee for Patient Records in Las Vegas Scam.





Presentation Transcript


  1. Project Mission and Scope
     Presented by: Rick Kam, President/Co-Founder, ID Experts
     Advisory Committee Meeting, March 17, 2011

  2. The Problem: What is the Financial Impact of the Unauthorized Disclosure of PHI/PII?

  3. Man Paid Hospital Employee for Patient Records in Las Vegas Scam
     • In 2009, Richard Charette paid a University Medical Center supervisor $9,200 for 55 patient record face sheets
     • Used PHI to solicit business for Las Vegas chiropractors and personal injury lawyers
     • FBI learned of scam from an “unidentified” chiropractor
     • On Feb. 1, 2011, Charette pleaded guilty, and could serve 5 years in prison, pay $250,000 fine
     • UMC and Charette named in potential class-action lawsuit for victims
     • State Bar of Nevada is also investigating

  4. Computer Flash Drive with PHI “Misplaced”
     • A flash drive with the PHI of 280,000 people, including Medicaid recipients, was reported “missing” from the offices of affiliated insurers Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in Pennsylvania
     • Flash drive had been used at community health fairs
     • Insurers reported breach to the Penn. Dept. of Welfare; notified affected population
     • “This is a particularly vulnerable group of people [who] tend to be vulnerable to identity theft, vulnerable to discrimination.” — Dr. Deborah Peel, founder of Patient Privacy Rights [1]
     • No reported misuse of PHI

  5. Failure to Secure PHI and to Notify Costly for Health Net of Connecticut
     • In 2009, an unencrypted portable disk drive with the PHI and financial information of 1.5 million patients disappeared
     • Health Net did not notify authorities or affected population for at least six months
     • In 2010, Connecticut AG sued Health Net
       • First action by a state AG for violating HIPAA since HITECH
       • Health Net settled for $250,000
       • Created a $500,000 reserve for victims’ claims
     • Connecticut Insurance Dept. fined Health Net $375,000
     • In 2011, Health Net also settled a complaint with the Vermont AG for $55,000

  6. The Rising Cost and Frequency of Healthcare Data Breaches
     • Ponemon Institute: Data breaches are costing hospitals nearly $6 billion a year [1]
     • Medical-related data breaches listed in Privacy Rights Clearinghouse [2]:
       • 116 breaches listed in 2007-2008
       • 229 breaches listed in 2009-2010
     • 86% of large-hospital employees surveyed believe that the number of data breaches discovered will increase under HITECH [3]
     • The Department of Justice secured “$2.5 billion in health care fraud recoveries—the largest in history,” for the fiscal year ending 9-30-2010 [4]
     Sources:
     1. Benchmark Study on Patient Privacy and Data Security, November 9, 2010, Ponemon Institute LLC.
     2. http://www.privacyrights.org/
     3. 2009 HIMSS Analytics Report: “Taking a Pulse on HITECH, Are Hospitals and Business Associates Ready?” November 17, 2009.
     4. Department of Justice, November 22, 2010, http://www.justice.gov/opa/pr/2010/November/10-civ-1335.html

  7. Current/Proposed Laws
     • HITECH Act – HIPAA 2.0
     • State Security Breach Notification
     • Proposed Legislation
       • Carper/Bennett: Data Security Act
       • Pryor/Rockefeller: Data Security and Breach Notification Act

  8. Risk Equation
     • Data elements: SSN, Account Number
     • Financial Impact of ID Theft: $4,841*
     *Javelin Research: Mean Fraud Amount, 2010 Identity Fraud Survey Report

  9. Risk Equation
     • Data elements: SSN, Health Insurance #
     • Financial Impact of “Medical” ID Theft: $20,000*
     *Ponemon Institute: National Survey on Medical Identity Theft, Feb 2010

  10. Risk Equation
      • Data elements: Diagnosis, Prescription, Specialist, Procedure
      • Financial Impact: Unknown

  11. CPO @ Notable Health System
      • “Unless an institution has suffered a major data breach and experienced the attendant costs—fiscal, operational and reputational—it is difficult to get senior management to give a reasonable priority to information security among all of the competing needs.
      • The ‘cost’ of the possible misuse of medical information is particularly difficult to conceptualize under the circumstances of any particular data loss event.
      • Having more concrete data on the true costs of data breaches can provide a better perspective from which to evaluate those decisions.”

  12. Project Approach
      Based on ANSI and SFG prior projects:
      • Victim’s Bill of Rights (2009)
      • Financial Impact of Cyber Risk (2008)
      • Financial Management of Cyber Risk (2010)

  13. Approach
      • Collaboration of “Experts” from
        • Government
        • Industry
        • Academia
        • Standards
      • Facilitated by ANSI and the Santa Fe Group

  14. Deliverable: White Paper

  15. Possible Deliverables
      • List of common PHI/PII data elements
      • Identification of common “high risk” PHI/PII
      • Use cases of unauthorized disclosure of PHI/PII
      • Approaches to determine financial impact of unauthorized disclosure of PHI/PII
