Health Care Spending Lost to Fraud

Related entries in Health Security, Surveys & Reports

The National Health Care Anti-Fraud Association (NHCAA) estimates that 3% of all healthcare spending - about $68 billion - is lost to fraud each year in the United States. The FBI / CDC estimate that figure could be as high as 10%, or $226 billion.

In the past, we’ve talked a great deal about the impact that fraud has on businesses and on consumers, including those affected by medical fraud. But we have yet to talk about the cost, the billions of dollars, that this fraud imposes on all of us in other ways.

Whether you have employer-sponsored health insurance or you purchase your own insurance policy, health care fraud inevitably translates into higher premiums and out-of-pocket expenses for consumers, as well as reduced benefits or coverage. For employers—private and government alike—health care fraud increases the cost of providing insurance benefits to employees and, in turn, increases the overall cost of doing business.

The NHCAA estimated that in 2007 $2.26 trillion was spent on health care in the US and some 4 billion health insurance claims were processed. They conservatively estimated that $68 billion of this was lost to fraud, an astounding figure. The majority of health care fraud was found to be committed by a small number of dishonest health care providers submitting false claims to insurers and to public programs. Other types of provider-initiated fraud can be found here.

This abuse of claims can have damaging effects on patients who may find themselves victims of medical identity theft, with their insurance benefits affected by misuse. In addition to providers, organized criminal groups and individuals also perpetrate health care fraud. The report includes examples of crime rings that shifted from illegal drug trafficking to medical fraud schemes, resulting in millions of dollars in fraud.

If you want to learn more about health care fraud, read here.

Hat tip to I’ve been mugged; via dotmed; Image: clipart

Keeping Healthcare Data Secure

Related entries in Health Security

Absolute Software has released a list of the Top Five Healthcare Practices for Keeping Data Secure. These best practices will be valuable as healthcare moves forward with technology, particularly since the American Recovery and Reinvestment Act (ARRA) was signed in February.

  1. Know the consequences of a data breach
  2. Assess your organization’s situation
  3. Implement a comprehensive data security plan
  4. Secure data on mobile computers
  5. Create a data breach policy

Learn more about these 5 steps and ARRA here.

Considering that the most recent hospital data breach, in Miami, affected 200,000 people, and that data breaches in healthcare are more costly than breaches in other sectors, it’s a good idea to take every step you can to protect the data of your patients, clients and employees. A data breach is costly in any sector, but it’s important to understand how a breach would affect yours, and how it can be prevented.

Image: clipart

Data Breaches in the Healthcare Sector

Related entries in Health Security, Surveys & Reports

Dartmouth College’s Center for Digital Strategies recently released a study about “Data Hemorrhages in the Health-Care Sector”. The study examines the consequences of data breaches, from privacy violations to medical fraud to identity theft (financial and medical). The analysis demonstrates substantial vulnerability for the healthcare sector.

The report indicates that data breaches are coming from all sides of the healthcare sector: hospitals, physicians, laboratories, and outsourced service providers. The paper looks in particular at medical identity theft, a dangerous outcome we’ve discussed previously.

The report pays special attention to inadvertent data losses over peer-to-peer (P2P) networks. The analysis uncovered thousands of files containing medical information on publicly available file sharing networks. That data may have gotten there inadvertently, whether through malware or through a carelessly organized filesystem in which confidential files sat in the same shared folder as music files.

“We found multiple files from major health-care firms that contained private employee and patient information for literally tens of thousands of individuals, including addresses, Social Security Numbers, birth dates, and treatment billing information. Disturbingly, we also found private patient information including medical diagnoses and psychiatric evaluations.”

The report indicates that the risk of patient information disclosure over P2P networks is higher than the risk from a lost laptop or storage device. It also found that tracking and stopping medical data breaches is harder given the fragmented nature of the US healthcare system.
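The pre-share check that the P2P findings above call for, as an added example in Go that is not from the Dartmouth paper or from Absolute Software: a scanner that walks the folder a file-sharing client is about to publish, lists anything that is not a music file, and greps those stray files for US Social Security Number patterns, dates of birth and clinical vocabulary, reporting redacted findings rather than the raw values. The function names, the rule set and the sample billing CSV are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding records one sensitive-data hit in a file that is about to be exposed.
type Finding struct {
	Path   string
	Rule   string
	Line   int
	Sample string // redacted excerpt, never the raw value
}

var (
	// US Social Security Number AAA-GG-SSSS; invalid area numbers are rejected in validSSN.
	ssnRe = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	// A date-of-birth label followed within 20 characters by a US-style date.
	dobRe = regexp.MustCompile(`(?i)\b(?:dob|date of birth|born)\b[^\n]{0,20}?\b\d{1,2}/\d{1,2}/\d{4}\b`)
	// Clinical vocabulary that has no business in a music share (illustrative list, not exhaustive).
	clinicalRe = regexp.MustCompile(`(?i)\b(diagnos[ie]s|psychiatric|ICD-?9|CPT|patient id|medical record number|MRN)\b`)
	// Extensions a music-sharing client is expected to expose; anything else is suspicious.
	mediaExt = map[string]bool{".mp3": true, ".flac": true, ".ogg": true, ".wav": true, ".m4a": true}
)

// validSSN filters out area/group/serial values that the SSA never issues.
func validSSN(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// ScanText applies the rules to one file's content and returns redacted findings in line order.
func ScanText(path, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if validSSN(m[1], m[2], m[3]) {
				out = append(out, Finding{path, "ssn", i + 1, "***-**-" + m[3]})
			}
		}
		if dobRe.MatchString(line) {
			out = append(out, Finding{path, "dob", i + 1, "[date of birth]"})
		}
		if m := clinicalRe.FindString(line); m != "" {
			out = append(out, Finding{path, "clinical", i + 1, m})
		}
	}
	return out
}

// ScanShare walks the folder a P2P client would publish. Non-media files are returned as a
// list (the "confidential files next to music" case) and their contents are scanned.
func ScanShare(root string) (findings []Finding, nonMedia []string, err error) {
	err = filepath.Walk(root, func(p string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || info.IsDir() {
			return walkErr
		}
		if mediaExt[strings.ToLower(filepath.Ext(p))] {
			return nil
		}
		nonMedia = append(nonMedia, p)
		data, readErr := os.ReadFile(p)
		if readErr != nil {
			return readErr
		}
		findings = append(findings, ScanText(p, string(data))...)
		return nil
	})
	return findings, nonMedia, err
}

func main() {
	// Constructed sample share: one song placeholder and one stray billing export.
	dir, err := os.MkdirTemp("", "share")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "track01.mp3"), []byte("ID3..."), 0o600)
	os.WriteFile(filepath.Join(dir, "billing_export.csv"), []byte(
		"name,ssn,dob,diagnosis\nJ. Doe,123-45-6789,DOB 04/12/1961,psychiatric evaluation\n"), 0o600)

	findings, nonMedia, err := ScanShare(dir)
	if err != nil {
		panic(err)
	}
	fmt.Println("non-media files in share:", nonMedia)
	for _, f := range findings {
		fmt.Printf("%s:%d %s %s\n", f.Path, f.Line, f.Rule, f.Sample)
	}
}
```

Run it before a share goes live and block the publish step if `ScanShare` returns any findings; the same `ScanText` rules can be pointed at e-mail attachments or outbound uploads, which is the usual next step once a P2P-specific check proves useful.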

This report reminds us of the importance of a strong data access policy: who can access what data, from where, and whether that data can be transferred to other devices. Computrace can help here, with our Secure Asset Tracking® telling you where your devices are and what software and hardware is installed on them. As with other aspects of data security, choose a layered approach that combines the right technology, processes and policies to protect confidential information.

Hat tip to the privacy commissioner and SC Magazine; Image: clipart

HITRUST Releases Security Framework

Related entries in Health Security, Surveys & Reports

A group of over 60 companies in the health care industry came together last year to create a set of security & privacy best practices that go above and beyond those laid out in the Health Insurance Portability and Accountability Act (HIPAA). The Health Information Trust Alliance (HITRUST) consortium this week released a Common Security Framework (CSF) “for industry in commitment to greater electronic health information protection and growing regulatory compliance.”

“Until now, the lack of widely accepted information security standards has kept many providers on the health care IT sidelines, and has been a source of apprehension for many patients when it came to electronically sharing their medical information… the HITRUST framework should help accelerate the adoption of technologies that will dramatically improve the safety and efficiency of America’s health care system.” - Randall N. Spratt, Chief Information Officer and Executive Vice President, McKesson

The CSF is a certifiable framework that will provide organizations with structure and clarity related to information security for the healthcare industry, something more and more important as health information moves online and as data becomes more portable.

The framework is based upon recognized standards such as COBIT, NIST and ISO 27001. It is meant to scale according to the type, size and complexity of the organization and follows a risk-based approach that can evolve with the needs of the industry and changes in the regulatory environment.

The U.S. stimulus bill passed earlier this year called for the computerization of health care records within 5 years. The legislation contains stringent privacy and security controls above and beyond HIPAA, just as the new HITRUST CSF does.

Via SC Magazine

Healthcare Compliance Courses from HCCS

Related entries in Health Security, Security Policy

Health Care Compliance Strategies (HCCS) announced this week three new versions of its online compliance courses.

HCCS is a provider of online healthcare compliance and competency training. The three courses they provide are:

  • HCCS Professional Compliance
  • Corporate Compliance
  • HIPAA for Health Plans

The courses are aimed at physicians, billing staff and other employees. They teach fraud awareness, coding and documentation, risk areas, how to build a compliance program, provider relationships, HIPAA awareness, electronic transactions and enforcement.

The courses are updated whenever rules, regulations, laws or other source material change. Given that employees are one of the largest “issues” in any security program, online and interactive courses are a good way to strengthen your training program. Also visit Absolute Software’s website to learn how we can help with healthcare computer security.

----


And in other news, Absolute Software has added another conference to its schedule - the ASIS 2008 conference in Atlanta, Georgia.

Meet Absolute at the Booth

Location: Booth 2425
Dates: Monday - Wednesday, September 15-17, 2008
Time: 9:00 am - 4:30 pm

HITRUST plans Health Security Framework

Related entries in Health Security

A group of over 60 voting companies in the health care industry have come together to create a set of security & privacy best practices that will go above and beyond those laid out in the Health Insurance Portability and Accountability Act (HIPAA). The new consortium that will create these best practices is called the Health Information Trust Alliance (HITRUST).

The HIPAA standards aim to protect the privacy of personal health information by giving patients more control over their information and setting boundaries on the use and release of health records. HIPAA requires that companies adopt privacy procedures and ensure they are followed, but many in the health care industry feel that more can be done to secure the privacy of patient information.

According to a survey HITRUST commissioned earlier this year, 96% of health information technology executives think it’s important to have a uniform way to verify the security of sensitive healthcare information. 85% of those surveyed think the health industry should pull together to create the comprehensive framework, which is exactly what HITRUST is now doing.

The new consortium, HITRUST, aims to develop a Common Security Framework (CSF) - a set of tools to aid organizations in protecting information and managing the risks, costs and complexities in managing these assets. They have published an overview of the framework and its components here [PDF].

The issues surrounding the protection of health information are complex and diverse but critical to the broad adoption, utilization of and confidence in health information systems, medical technologies and electronic exchanges.

Standardizing a higher level of information security will build greater trust and efficiencies in the electronic flow of information through the healthcare system and will instill confidence within regulators, business partners and consumers.

The document outlines challenges faced in protecting electronic health information including: risk and liability from data breaches, confusion about implementation and baseline security controls, complexities involved with inconsistent standards and varying interpretations, and outside scrutiny from regulators, auditors, partners and customers.

The HITRUST CSF is aimed to help organizations that create, store, access or exchange electronic health information. The CSF framework includes three parts: an Information Security Implementation Manual, a Standards and Regulations Cross-Reference Matrix and a Readiness Assessment Toolkit. You can view a sample of the Security Implementation Manual, one part of CSF, here [PDF]. The CSF is expected to be released January 2009.

Via InformationWeek

HIPAA Examined

Related entries in Health Security, Privacy & Security Laws

Tech News World has done a 2-part series about HIPAA. Part 1: Privacy vs. Portability and Part 2: Seeking Balance. It’s a very well-done examination of the state of the Health Insurance Portability and Accountability Act (HIPAA), some of which I will synthesize below. Given that HIPAA is often misunderstood in basics and in application, it’s a great refresher series.

HIPAA Concerns:

  • There is a push for health information to become more liquid, but the privacy and security framework does not exist yet
  • The technologies being designed now will have a huge impact on how health information is accessed, stored and shared
  • Post-HIPAA privacy and security protections need to be adopted in law and in best practices
  • HIPAA compliance was a heavy burden at initial inception, but there has been no proof that HIPAA has in any way had negative effects on patient care
  • Staff training and education must be ongoing for new, and old, employees
  • Continue reading about the concerns here.

HIPAA Myths:

  • That it weakened, rather than strengthened, rights to health information privacy
  • HIPAA is all we need in the digital age
  • HIPAA “covered entities” cover every use of personal health information
  • Check out the full examination of these myths here.


OIPC Investigates Data Breach

Related entries in Data Breach, Government Security, Health Security

The Office of the Information & Privacy Commissioner (OIPC) of British Columbia published an investigation report concerning the Ministry of Health earlier this month.

On October 3, 2007 an employee of X-Wave, a contractor for health insurance billing in New Brunswick, packaged four unencrypted computer tapes into an envelope. The tapes, which contained personal information of residents of British Columbia and New Brunswick, were being sent to Health Insurance BC (HIBC). These tapes did not arrive.

The investigation found that this method of transferring personal information did not meet the security measures required under the Freedom of Information and Protection of Privacy Act. In addition, the existing policies at the Ministry of Health delayed the detection of the lost data tapes, and notification of affected individuals and of the OIPC was delayed by nearly two months.

OIPC reports that the Ministry breached the Act in the following ways:

  • Sending data on unencrypted magnetic tapes
  • Not requiring the sender to notify the receiver of when the package would be received
  • Not requiring the sender to use a courier with a tracking service
  • Not instructing the sender to refrain from sending more unencrypted tapes while the issue was under investigation
  • Taking 41 days to notify affected individuals of the breach

New Ministry procedures are aimed to counter these issues, and to ensure that personal information is no longer transferred in this way. You can read more here.
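The control that the OIPC findings above point to, as an added example in Go that is not from the report, the Ministry or xwave: encrypt the tape image with AES-256-GCM before it leaves the sender, bind the shipment identifier into the authentication tag so a payload cannot be swapped between shipments, and send a SHA-256 fingerprint of the sealed image and the key over channels separate from the courier. The receiver first checks the fingerprint against the sender’s notice (which also settles whether the right package arrived at all), and the GCM tag then rejects any modification of the media. The `Shipment` type, the function names and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Shipment is what travels with the courier. The key never does; it goes by its own channel.
type Shipment struct {
	ID          string // quoted in the sender's advance notice and on the courier tracking record
	Sealed      []byte // nonce || AES-GCM ciphertext || tag
	Fingerprint string // SHA-256 of Sealed, sent out of band so the receiver can confirm the media
}

// NewKey generates a fresh 256-bit key for one shipment.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// Seal encrypts the tape image with AES-256-GCM. The shipment ID is associated data, so a
// sealed image from one shipment cannot be passed off as another.
func Seal(id string, key, plaintext []byte) (*Shipment, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(id))
	sum := sha256.Sum256(sealed)
	return &Shipment{ID: id, Sealed: sealed, Fingerprint: hex.EncodeToString(sum[:])}, nil
}

// Open verifies the out-of-band fingerprint, then authenticates and decrypts. A flipped bit, a
// truncated image or a payload from a different shipment is rejected, not silently processed.
func Open(s *Shipment, key []byte, expectedFingerprint string) ([]byte, error) {
	sum := sha256.Sum256(s.Sealed)
	if hex.EncodeToString(sum[:]) != expectedFingerprint {
		return nil, errors.New("media fingerprint does not match the sender's notice")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(s.Sealed) < n {
		return nil, errors.New("sealed payload too short")
	}
	return gcm.Open(nil, s.Sealed[:n], s.Sealed[n:], []byte(s.ID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; a real tape image would be the whole billing extract.
	tape := []byte("PHN 9876543210,Doe,Jane,1961-04-12,claim 00042")
	s, err := Seal("TAPE-0001", key, tape)
	if err != nil {
		panic(err)
	}
	// Receiver: the fingerprint came in the advance notice, the key by its own channel.
	back, err := Open(s, key, s.Fingerprint)
	fmt.Println("intact:", err == nil && string(back) == string(tape))
	// One bit flipped in transit: the fingerprint no longer matches the notice...
	s.Sealed[len(s.Sealed)-1] ^= 0x01
	_, err = Open(s, key, s.Fingerprint)
	fmt.Println("fingerprint check:", err)
	// ...and even if the notice were forged to match, the GCM tag still rejects the image.
	sum := sha256.Sum256(s.Sealed)
	_, err = Open(s, key, hex.EncodeToString(sum[:]))
	fmt.Println("gcm check:", err)
}
```

The advance notice with the shipment ID and fingerprint is what lets the receiver detect a package that never arrives within the agreed window, which is the 41-day gap in the findings above; the per-shipment key means a lost envelope exposes nothing even before anyone notices it is missing.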

Via Dan Michaluk; Image: Wikipedia

Google Health Launches

Related entries in Health Security

Google Health, which gives users instant electronic access to their health histories, launched this week. The service allows users to link information from pharmacies and care providers, with plans for more health information access.

Partnerships with Google Health have already been announced with Walgreens, CVS, Longs Drug Stores, Allscripts, Quest Diagnostics, and the Cleveland Clinic.

Users sign up to allow Google Health access to health information, giving users opportunities to customize their profile with information on prescriptions and doctors. Users can also search for doctors from within the system. Google has been receiving millions of search requests from people trying to find information about injuries, illnesses and treatments, and Google Health was their solution.

In general, privacy watchdogs feel Google already has access to too much information about its users, and this merely adds to that. Google Health services are not covered by the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, a third party seeking your medical records from a covered entity generally needs a court order or subpoena, and you must be given notice and a chance to object.

Once you hand your health records to Google Health, HIPAA rules no longer apply. The Google privacy policy may not protect your medical records as strongly as it should. Google representatives say that health information is stored on the most secure computers at Google, but the Google Terms of Service give some pause. Unless you actively restrict it, you are granting Google a license to pass your data to third parties:

If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

The privacy policy says that a copy of your data may still be retained after you disable such access:

If you share your information with others, you can view a list of who has access to your information and you can revoke sharing privileges at any time. When you revoke someone’s ability to read your health information, that party will no longer be able to read your information, but may have already seen or may retain a copy of the information.

Google explains the difference between their policies and HIPAA in this blog post and in this very handy comparison chart. It does help to answer questions about security, although I still think the “access by default” approach is a dangerous one. In the end, you must decide if you trust Google enough to have access to your information. And you must take an active role in determining what third parties, if any, you wish to access that information.

What do you think of Google Health? Will you sign up?

Via ZDNet, AP, Technology Review

Genetic Privacy Compromised?

Related entries in Health Security, Privacy & Security Laws

The Genetic Information Nondiscrimination Act of 2008 (HR 493), recently passed by Congress, has inadvertently legalized the sharing of genetic information without patient consent.

Sue Blevins, President of the Institute for Health Freedom, notes that the new bill applies the Health Insurance Portability and Accountability Act (HIPAA) regulations to genetic data. HIPAA regulations permit data sharing without consent in connection with treatment, payment, or health-care operations.

The intent of the HIPAA regulations is to protect medical records in the digital age, but many HIPAA critics argue that it opens up privacy issues as a result of the routine sharing of personal health information. Regardless of the validity of this argument, qualifying genetic test results as health information can be problematic. Genetic information can be used to determine rates for health plans, and as the new bill provides this data to health care companies, it could be cause for discrimination.

This is a controversial topic, to say the least. HIPAA has its critics, though its intentions are great. Health information, in and of itself, is controversial, and in particular genetic information is about as personal as information gets. Some advocates are fighting for personal ownership of genetic information, in order to avoid genetic privacy issues such as those presented here.

Via FOX Business; Image: clarita @ morguefile