CEO SUMMARY: It’s a crime that can strike anyone anywhere—and usually without warning. In fact, identity theft is the July 4 cover story in Newsweek Magazine. However, clients of THE DARK REPORT got the lab industry’s first warnings on this fast-growing crime months ago. To help labs prepare to deal with this threat, Attorneys John R. Christiansen and Thomas Bartrum offer nine specific recommendations.
FOR HEALTHCARE PROVIDERS, including laboratories, identity theft is already a reality. That was one of the unexpected dimensions of the audio conference conducted on June 24, 2005 by THE DARK REPORT.
Another new development is a just-issued directive by the Department of Justice (DOJ) which sets new policy on enforcement of HIPAA (Health Insurance Portability and Accountability Act). During the audio conference, both expert presenters stressed the point that patient identity theft is already an established and major threat to providers.
“Is patient identity theft a real problem that warrants use of limited resources at this time?” queried Thomas E. Bartrum, attorney with Waller Lansden Dortch & Davis in Nashville, Tennessee. “Institutions like Yale Medical School, University of Chicago Hospitals, and Seattle Cancer Care Alliance have already been in the headlines for such incidents. Smaller, rural hospitals are particularly vulnerable to this crime. In fact, it is the growing number of such episodes over the past 12 months that’s teaching us how vulnerable personal information has become.”
Also stressing the “here and now” of patient identity theft was lawyer John R. Christiansen, J.D., of Christiansen IT Law in Seattle, Washington. He is a national expert on privacy laws and is personally familiar with the case of phlebotomist Richard Gibson, who was criminally convicted of patient identity theft under the HIPAA statute last year.
New DOJ Memorandum
Christiansen explained that, on June 1, 2005, the U.S. Department of Justice (DOJ) issued a memorandum limiting the scope of liability under the statute to “covered entities.” This reverses the basis for Gibson’s conviction under the HIPAA statute.
“My concern about this new DOJ policy,” stated Bartrum, “is that, if prosecutors will not go after the individuals, will they instead prosecute the ‘covered entities’—the providers? THE DARK REPORT has disclosed how, in the Gibson case, the patient insisted that the hospital not be targeted for investigation.
“That patient’s benign attitude toward the hospital and the hospital’s existing policies and procedures were important factors,” added Bartrum. “Those were reasons federal prosecutors exercised their discretion not to take action against the provider, in this case, a major hospital in Seattle.”
Penalties for breaches of patient privacy involving identity theft can mount up fast. What may appear a trivial amount for a single incident can be catastrophic where multiple records are compromised. The two lawyers had nine key recommendations for laboratories and other providers.
“The first point is that HIPAA penalties only apply to ‘covered entities’,” said Christiansen. “Corporate entities can only act through their authorized officers, employees, and agents. For this reason, I recommend that laboratories and all providers have clear policies which define scope of authority.
“This is important because corporate authority is ultimately defined by how your organization does business, along with its compliance policy documentation and oversight, training and monitoring, and consistent policy enforcement,” he continued. “If an employee was acting within his scope of authority when he committed a crime, the provider is liable. If outside the scope of authority, it’s not. If the provider does a good job on policy infrastructure and enforcement, it has taken important steps to reduce its exposure to liability.
“The second point is to use care whenever the provider is part of a business association, group or affiliation,” Christiansen warned. “Management should review how these relationships are governed. Know whether liability would extend to all members of the group or affiliated organization.
“Third-party business associates would only be liable for their violations if they are ‘covered entities’,” stated Christiansen. “But your organization may become liable if it failed to take action to deal with a business pattern or practice of which it was aware. Look closely at how third-party business associates are managing information from your organization.”
“Three, don’t forget that many states already have laws which cover identity theft,” advised Bartrum. “States are enacting a raft of new security breach notification laws. California is at the forefront, having enacted legislation requiring encryption of sensitive data and notification of customers in the event of a breach.”
“Some states passed legislation requiring police to take a statement in a claim of identity theft. Some identity theft victims are seeking to create ‘fear factor’ class action cases, alleging that they have fear that their information will be used and therefore are entitled to damages. Every provider should prepare policies and educate staff on how to respond appropriately to these types of issues,” added Christiansen.
“Protecting your organization against patient identity theft and shielding yourself from liability in the event it does occur really boils down to your policies and procedures,” observed Christiansen. “It’s about making sure your IT and business processes are in compliance with the various privacy and security laws. The goal is to implement security measures sufficient to reduce risks and vulnerabilities to a ‘reasonable and appropriate’ level.
“Four, don’t publish policies that say ‘It is contrary to our policy to do these things in violation of HIPAA’ and then fail to communicate those policies, train people, and monitor compliance,” warned Christiansen. “Not only does the staff need to be educated about these policies, but the provider must actively monitor how its employees are following these policies.
“Fifth is to prepare for a crisis in advance. If lightning does strike your organization and a privacy violation occurs,” advised Christiansen, “you want your staff to respond responsibly and confidently to the situation. That is why they must be trained before such incidents happen. It is important to have an effective identity theft response program already developed and ready—before it is needed.
Security Against ID Theft
“Start by re-evaluating your existing security measures against the threats of identity theft,” he explained. “Does everyone understand the organization’s vulnerability? Can you identify the weakest link and strengthen it? Are Social Security numbers still used as identifiers? Which employee positions are highest risk? The time to fix these things is before anything happens.
“Sixth, determine in advance who will investigate should a claim of identity theft become known. Train them on what points they should investigate and how they should respond to the patient. Know which agencies should be alerted to this incident and which should get the results of your investigation. Do any security breach notification laws apply in your state?”
“Seven, when an event occurs, do a root cause analysis,” Christiansen recommended. “How did it happen? What information was taken? What steps can your organization take to remedy the situation? What actions can you take to prevent this from happening again?
“Seven, establish procedures for handling any employees suspected of involvement in the complaint,” noted Christiansen. “Should they be fired immediately? Will they be suspended or reassigned? If they are left in their current duties, are they monitored as part of an effort to build a better case? These are reasons why such policies should be developed now and disciplinary procedures put into place. The rights of employees should be factored into these policies.”
“Eight, don’t overlook the potential of whistleblower suits,” cautioned Christiansen. “Providers should be ready for such a development. When such lawsuits become public knowledge, the provider is judged as much in the court of public opinion as in a court of law. Carefully document your investigation with an eye toward litigation. Frame your responses and actions from the perspective of moving toward judicial review.”
“Respond in a serious way to all complaints,” noted Bartrum. “A proactive response plan might include helping the victim file reports with police and credit bureaus. Be sure your response team cooperates fully with investigators. Be a good citizen. Anticipate what will happen if and when the news hits the media.”
Always A “People Problem”
“Nine, we both want to emphasize that the real problem is always people,” stated Bartrum. “A provider must balance the burdens of its response strategy against the risk. Doing background checks at hire, particularly in the positions that carry the greatest risk, is becoming an important policy. Don’t forget to include confidentiality agreements with employees.”