OCR Boosting Security Enforcement

The health care industry can soon expect a greater emphasis on enforcing the HIPAA security rule than in years past.

That’s the message that Susan McAndrew, deputy director for privacy at the Department of Health and Human Services’ Office for Civil Rights, delivered May 11 at the Safeguarding Health Information conference in Washington. OCR sponsored the conference with the National Institute of Standards and Technology.

Federal enforcement of the security rule transitioned in 2009 from the Centers for Medicare and Medicaid Services to the OCR. The office continues to build expertise on the security rule, but much of the transition work is done, McAndrew says. “Transitions are always longer than you expect.”

To boost enforcement of the security rule, OCR has added investigators in 10 regional offices, McAndrew notes. “We’re hoping that with additional feet on the ground, we’ll be able to do many more security cases as the year moves forward.”

The HITECH Act links privacy and security–and enforcement of both HIPAA rules–enabling regulators to look at these issues from a more holistic viewpoint, McAndrew says. As the electronic world moves into the clinical side, the health care industry increasingly will find that privacy and security issues collide, she contends. “Without a sound security policy, privacy will just be a principle.”

Consequently, 2010 is when the industry will really start to see a realization of HITECH’s privacy and security initiatives enacted in 2009, McAndrew says. “We’re hoping to move security to the forefront and make it a real partner with privacy in our enforcement.”

View original source here

Patient Data Dump Nets Urgent Care Center $50,000 Fine

Here’s another egregious example of a health care provider being nothing less than reckless with patient data.

Last August a Greensboro, NC resident was looking for cans when he found boxes and boxes of unshredded patient data stuffed in a dumpster. The files belonged to a local urgent care center named Prompt Med. According to the North Carolina Attorney General’s office about 600 files were recovered that held personal information on 757 people. Some of the information within the records included names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, and insurance account numbers, as well as personal health information.

The Greensboro resident took a sampling of the medical files to a local television station, and after their reporting, the state attorney general’s office launched an investigation and announced a settlement and a fine against Prompt Med. From the North Carolina Department of Justice press statement on the imposed fine:

Under the settlement, Prompt Med is permanently barred from improperly disposing of patient records and has paid $50,000, including $26,650 in civil penalties that will go to public schools. The remaining $23,350 will go to fund consumer protection education and enforcement efforts, and to cover the costs of the Attorney General’s investigation into the company. In addition, Prompt Med also paid an additional $50 for proper destruction of the illegally dumped records.

At the request of the Attorney General’s office, Prompt Med previously reported the incident as a security breach and notified consumers whose information was placed at risk. A security breach happens when records containing personal information are lost, stolen or inappropriately displayed.

Unfortunately, we’re seeing way too many similar incidents around the country. Make informed decisions about immediate and long-term security needs. Even more unfortunate: we’re not seeing nearly enough similar fines levied. Let’s hope the North Carolina Attorney General’s Office sets a new tone going forward.

View original source here

Police Investigating What Woman Found While Dumpster Diving

Authorities in Middle Township are investigating what township resident Carla Carpenter found in her most recent inspection of the townships trash.

On Friday, June 11, Carpenter called NBC 40 to the Middle Township Recycling Center where she was waiting with documents she had picked out of the trash the night before. According to Carpenter these records included, police reports, tax records, and other materials, that listed names, social security numbers, addresses and telephone numbers.

Carpenter said in her TV interview “It makes me think that my information is not safe,”—- “I don’t trust the government because of it. The government should know, you shred and they’re not shredding. They’re putting out information that anyone can use.”

After her interview, Township Administrator Mark Mallett came to the recycling center to check out what was found. Mallett said he would look into the type of reports that were discarded. “What I can do is continue to reinforce the importance of needed to shred this type of information,” said Mallett.

According to police this was not the first time Carpenter had sifted through the Townships garbage. More then a week ago the Township was contacted by Carpenter, reporting personal information was found.

Police department spokesperson Lt. John Edwards said detectives were called to the scene to conduct an internal inquiry into what was found and not a criminal investigation. Edwards said some of the documents found were public information and some were not.

View original source here

County improperly disposed of documents, told no one

When a mound of Middletown city documents containing people’s private information was found in a public dumpster this spring, it wasn’t the first — or largest — such security breach by a local government.

An investigation by this newspaper has found that Butler County’s Department of Job and Family Services learned in 2008 that confidential records from that agency were being “periodically” improperly disposed of in a public bin.

An internal analysis by the agency found that 10,600 people could have been affected.

This is the number of people who used the JFS office at 4122 Tonya Trail in Fairfield Twp., where the documents originated. They included case notes and verification forms dealing with the Ohio Works First, food stamps, Medicaid and child care programs.

Though the records were supposed to be shredded using a document disposal company, county officials found that office had been simply throwing the records in a recycling bin.

That’s where they were found by a member of the public on July 18, 2008.

The county took action to make sure the records were disposed of properly, and considered notifying the people who may have had information compromised.

Officials drafted a letter suggesting people could use a free Internet service to guard against identity theft.

But they never sent the notice out.

Instead, they decided to “wait and see if there is any response from clients,” according to internal memos.

Two years later, those clients still have no knowledge their information could have been compromised.

“They should have told us from the very beginning,” said Christina Cruz, who used the JFS office during that time.

County held back on response to a records breach

When Jerome Kearns first saw the pile of confidential records from his office in a Dumpster by Butler Tech, he thought they were stolen.

It was July 18, 2008. County records lay out in detail what happened next: what county officials did — and didn’t — do.

There were piles of papers — files from Butler County Job and Family Services, where Kearns is assistant director, and from LifeSpan, the county engineer’s office, Children Services, and Butler County Child Support Enforcement Agency.

Some of the records contained confidential information, such as case notes and eligibility verifications for food stamps, Ohio Works First, subsidized child care and Medicaid programs.

Kearns estimates there were about 10 60-gallon trash bags of records. He called co-worker Adam Jones because Jones had a pickup truck.

“They weren’t going to fit in my Elantra,” Kearns said. “There was a significant number of records there.”

The records had been found by a member of the public.

“Some member of the community was throwing their stuff in there, and picked one up and thought they were important,” Kearns said.

Kearns took the records back to where they presumably came from, the JFS office at 4122 Tonya Trail, off Liberty Fairfield Road in Fairfield Twp.

Documents pitched ‘periodically’

It didn’t take long to solve the mystery.

The next day, Kearns asked Kim Gay, manager of that office, where the bins were that she used for confidential information. In other county offices, special bins were periodically picked up by the company Royal Document Destruction for shredding.

The Fairfield Twp. office, which had been open since January 2007, had no such bins. Staffers there had been throwing records in the recycling bins. Believing that there was no confidential information involved, a worker for Butler County Environmental Services, which handles recycling for county offices, “had dumped these bins at community sites periodically over the last six months,” Kearns wrote later.

County officials went into action.

They brought new, secure bins to the Tonya Trail office. They pulled records and found 10,600 people who had used that office in the prior 12 months. They researched a company that provides protection for people at risk of identify theft, and what it would cost to cover all those people.

They put together a list of addresses, and drafted a letter notifying people who may have been affected.

“Although we consider the risk to you to be relatively low, the fact is that we failed to adequately protect your confidentiality, and we want to rectify that now,” the letter said.

Then, they did nothing. The letter never went out.

“I asked Tim (Williams, then county administrator) for direction regarding our records that were found in a (D)umpster,” says a Aug. 19, 2008, memo from Kearns. “Tim indicated that (county) commissioners would like to wait and see if there is any response from clients.”

“Tim does not want us to send a letter out notifying clients that their records might have been compromised,” the memo says.

Two commissioners said they were satisfied there was no proof that anyone had their information misused, and that the risk of that happening was low.

“There was nothing to lead us to believe there was more (records dumped in public bins),” said Commissioner Donald Dixon. “We were advised the risk was not sufficient to warrant any other action at that time.”

Dixon said his concern was that making the situation public might make someone more likely to look for the records.

Commission President Gregory Jolivette said notifying the public was also an expensive prospect.

“From my recollection, it was going to cost a lot of money to go another route,” he said.

Commissioner Charles Furmon declined comment for this story.

‘No affirmative obligation’

County officials consulted with the prosecutor’s office and the Ohio Department of Job and Family Services. They came to the conclusion that a state law requiring agencies to tell the public about security breaches didn’t apply to them.

“Final discussion with (Ohio JFS attorney Ramesh Thambuswamy) on Aug. 6, 2008, concluded that there was no requirement to contact client(s) about a potential breach,” reads a memo from Roger Clark, Butler County JFS legal supervisor. “Ramesh also restated that he does not think (the law above) should be used as guidelines for our county.”

The attorney recommended they take corrective action and document everything in writing, which they did.

“There was no affirmative obligation … ( for JFS) to contact anybody,” said Bruce Jewett, interim county administrator.

“We thought the likelihood of any of that information being used was extremely low, and I’d say that was a position that developed over time,” Jewett said. “That’s not to say I didn’t treat the matter with the appropriate level of concern.”

Jewett is and was director of Butler County JFS, and is currently president of the county’s records commission.

“Ultimately, I was comfortable with the decision that was made,” he said.

Kearns said it was unlikely any of the records they found were compromised because they didn’t sit in the Dumpster very long.

But no one knows how often or how many times such records were tossed in a public bin since the office opened in 2007. That makes it unclear exactly what kinds of records were improperly disposed of over that year.

“We have no proof there was confidential information put in those Dumpsters,” Kearns said. “I have no way of knowing that number was 10,600.”

Kearns said no one was disciplined because the person who opened the Tonya Trail office, and so was deemed responsible for not providing the proper bins, left the county. That office closed in April of this year.

Part of the reason the risk of identity theft was deemed low was because those affected were low-income, Kearns and Jewett said.

“Our clients typically don’t have assets,” Kearns said.

‘That’s messed up’

“That’s messed up,” said Christina Cruz, 30, one of the people who used that office during that time period. “They should have told us from the very beginning,”

Cruz, who lives in Hamilton, collected Ohio Works First money when she was pregnant with her daughter, now 2. She said all someone would need is her Social Security number to steal her benefits.

Constance Iredale said when her daughter Christa, now 26, applied for Medicaid, food stamps and child care benefits at the Tonya Trail office during that time, she provided all kinds of confidential information.

“It’s household income, everybody in the household … my Social Security number, my cell number, my work number, copies of check stubs, all that information is on there,” she said.

“We were never informed that any of this happened,” said Iredale, a Liberty Twp. resident. “Hopeful, thank God, knock on wood, none of my stuff has been compromised,” she said.

View original source here