IN APRIL, SEVERAL THOUSAND PRIVACY OFFICERS and HIPAA compliance officers gathered in New Orleans for the Health Care Compliance Association’s (HCCA) “2005 Compliance Institute.”
THE DARK REPORT was in attendance to learn about new issues and concerns for provider compliance with HIPAA (Health Insurance Portability and Accountability Act). There was one notable observation.
Collectively, the healthcare compliance establishment has yet to recognize patient identity theft as the growing threat that it is to labs, hospitals, physician group practices, and other types of healthcare providers. Over the three days of the event, there were no presentations specifically about patient ID theft, but a few speakers included comments about patient ID theft in their speeches.
Conference speaker and attorney Paul Litwak, an expert on information risk management and HIPAA compliance, observed, “Providers must get out of the HIPAA box. While HIPAA compliance is important, the greater risk to patient and provider interests—and greater legal exposure thus far—has come from the improper accessing and use of personal patient information, such as social security numbers.”
To date, there have been no civil penalties for HIPAA violations. But there is a growing number of liability claims based upon organizational failure to safeguard confidential information.
“Providers must think risk management and avoid the trap of thinking that security is an IT problem,” cautioned Litwak. “It is important to understand that information security is not a product that can be purchased. It is an ongoing risk management process. While security depends on IT, it is not an IT problem. In fact, the greatest single risk to providers comes from employees and contractors who have access to confidential information! For example, the University of West Virginia was ordered to pay $2.3 million after an employee disclosed confidential psychiatric records.”
Risk From Employee Actions
Litwak’s message was unmistakable. He is telling providers, including laboratories and pathology group practices, that their greatest vulnerability comes from failure to train and supervise employees who have access to confidential information.
This will require a different mindset from laboratory compliance officers. Workflow and access to information in labs and hospitals have generally been developed based on an assumption of employee trust that may no longer be valid. This is particularly true where sensitive patient data is handled, such as in patient service centers, couriers, data entry, billing/collections, and client services.
THE DARK REPORT has been first in the laboratory industry to identify the still-new threat of patient identity theft. Such early warning allows laboratories and pathology group practices to develop effective protections to prevent such crimes from occurring.