2017 Spring Convention Privacy Protection Written Information Security Plan (WISP) Layla D’Emilia, Esq.

2017 Spring Convention - TOP Education LLC… · Scope of a WISP In formulating and implementing the WISP, (1) identify reasonably foreseeable internal and external risks to the


Page 1

2017 Spring Convention

Privacy Protection

Written Information Security Plan (WISP)

Layla D’Emilia, Esq.

Page 2

CEU Credit

Please scan IN at the start of class.

Please scan OUT at the end of class.

You must attend the entire session to earn your credit(s) for this class.

Page 3

Introduction

Layla D’Emilia

Indigo Consulting, Compliance, and Training, LLC

[email protected]

References:

http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf

http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf

https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93h

Consumer Reports

Page 4

Background

201 CMR 17.00 sets forth the regulatory scheme of the underlying M.G.L. c. 93H, Security Breaches.

Each business is required by Massachusetts law to evaluate security risks and solutions in relation to the size, scope and nature of the business and the attendant risks of unauthorized access to or use of personal information.

This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

Page 5

Purpose of a WISP

Ensure the security and confidentiality of personal information;

Protect against any anticipated threats or hazards to the security or integrity of such information;

Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

Page 6

Scope of a WISP

In formulating and implementing the WISP:

(1) identify reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;

(2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;

(3) evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks;

(4) design and implement a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and

(5) regularly monitor the effectiveness of those safeguards.

Page 7

Proper Procedures

In your written security plan, designate a ‘data security coordinator’ who will be responsible for:

Initial implementation of the WISP;

Training employees;

Regular testing of the WISP’s safeguards;

Evaluating the ability of third party service providers to implement and maintain appropriate security measures for the personal information to which you have permitted them access, consistent with 201 CMR 17.00, and requiring such third party service providers by contract to implement and maintain appropriate security measures; and

Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in your business practices that may implicate the security or integrity of records containing personal information.

Conduct an annual training session for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information, on the elements of the WISP.

All attendees at such training sessions are required to certify their attendance at the training and their familiarity with the firm’s requirements for ensuring the protection of personal information.

Page 8

Combatting Internal Risks

A copy of the WISP MUST be given to each employee, who shall acknowledge receipt.

If you haven’t done a WISP before and are distributing a WISP for the first time, YOU MUST retrain all employees on its provisions.

Any employment contracts should be amended accordingly.

The amount of personal information (PI) collected shall be limited to that reasonably required to accomplish the legitimate business purpose.

Access to records containing PI shall be limited to those persons reasonably required to know the information.

Electronic access via a user ID must be blocked after multiple unsuccessful attempts to gain access.

Page 9

Combatting Internal Risks

Security measures must be reviewed annually OR whenever there is a material change in your business practice that may implicate the security or integrity of your records containing PI.

Terminated employees must return ALL records containing PI, in any form: stored on laptops, tablets, in files, etc.

Current employees’ user IDs and passwords must be changed periodically.

Access to PI should be restricted to active users and active accounts only.

Employees should be encouraged to report any unauthorized or suspicious use of patient info.

Do not let employees keep open files on their desks when they are not at their desks.

At the end of the day, files should be secured in a locked cabinet or secure storage area.

Page 10

Combatting Internal Risks

Access to electronic PI shall be limited to those employees having a unique log-in ID, and re-log-in shall be required when a computer has been inactive for more than a few minutes.

Visitor access MUST be restricted to one entry point for each building where PI is stored, and visitors shall be required to show a PHOTO ID, sign in and wear a visible GUEST badge.

Visitors shall not be permitted to visit unescorted any area within your premises that contains PI.

Paper or electronic records containing PI shall be disposed of only in a manner that complies with MGL c. 93I (Dispositions and Destruction of Records).

Page 11

Combatting External Risks

Reasonably up-to-date firewall protection and operating system security patches installed on all systems processing PI.

Reasonably up-to-date versions of system security agent software, which MUST include malware protection and up-to-date patches and virus definitions, installed on all systems processing PI.

All PI stored on laptops or other portable devices must be encrypted, and all records and files transmitted across public networks or wirelessly MUST be encrypted.

All computer systems MUST be monitored for unauthorized use of or access to PI.

There MUST be secure user authentication protocols in place:

Protocols for control over user IDs;

A secure method of selecting passwords or unique identifiers;

Control of data security passwords to ensure that passwords are kept in a location
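The user-authentication controls spread across the last few slides (block a user ID after repeated failed log-in attempts, require re-log-in after a few minutes of inactivity, restrict PI access to active accounts, and change passwords periodically) can be enforced by one gate placed in front of every PI record. The code below is an added illustration for this summary, not code from the presentation or from the regulation; the thresholds (5 attempts, 5 minutes, 90 days) and all class and account names are assumed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Assumed policy values; the slides give no numbers for these.
MAX_FAILED_ATTEMPTS = 5
IDLE_TIMEOUT_SECONDS = 5 * 60              # "more than a few mins"
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600  # "changed periodically"

@dataclass
class Account:
    user_id: str                  # unique log-in ID per employee
    password_set_at: float        # epoch seconds of last password change
    active: bool = True           # False once the employee is terminated
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[float] = None   # None = no live session

class PiAccessGate:  # gate in front of every record containing PI
    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}

    def login(self, user_id: str, password_ok: bool, now: float) -> Tuple[bool, str]:
        # password_ok is the result of the real credential check (not shown)
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active:
            return False, "inactive-or-unknown-account"  # active accounts only
        if acct.locked:
            return False, "locked"
        if not password_ok:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True  # block the user ID, not just this session
                return False, "locked"
            return False, "bad-password"
        if now - acct.password_set_at > PASSWORD_MAX_AGE_SECONDS:
            return False, "password-expired"  # force the periodic change
        acct.failed_attempts = 0
        acct.last_activity = now
        return True, "ok"

    def access_pi(self, user_id: str, now: float) -> Tuple[bool, str]:
        # called on every PI access; enforces the inactivity re-log-in rule
        acct = self.accounts.get(user_id)
        if acct is None or not acct.active or acct.last_activity is None:
            return False, "no-session"
        if now - acct.last_activity > IDLE_TIMEOUT_SECONDS:
            acct.last_activity = None  # drop the idle session
            return False, "re-login-required"
        acct.last_activity = now
        return True, "ok"

    def deactivate(self, user_id: str) -> None:
        # terminated employee: close the account and any live session
        acct = self.accounts[user_id]
        acct.active = False
        acct.last_activity = None
```

A locked account stays locked until an administrator clears it; unlocking deliberately is not automatic here, so repeated guessing cannot simply wait out a timer.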

Page 12

Medical Identity Theft/Breaches

http://www.consumerreports.org/medical-identity-theft/medical-identity-theft/

There were an estimated 481,657 new cases of medical identity theft reported between 2013 and 2014, an increase of almost 22% (Ponemon Institute).

Detecting medical identity theft is more difficult than detecting financial fraud, and it is easier to hide for longer periods of time.

A few ways to talk to your patients so that they are aware and safeguard their medical privacy:

Tell them to check their explanation of benefits.

Carefully read all health insurer and provider correspondence for accuracy and for bills of service that you don’t recognize.

Review credit reports for unfamiliar debts.

Don’t post news of upcoming surgeries.

Page 13

Medical Identity Theft/Breaches

Almost half of medical identity theft occurs when a family member takes a relative’s health insurance card OR another ID, or when people knowingly share their health info or IDs with someone they know.

The Ponemon Institute did a survey and found that 10% of medical identity theft victims were the result of a healthcare provider or insurer data breach.

12% were tricked into giving up personal info via a fake email or phony website.

BUT 47% said their medical ID theft was perpetrated by a relative or someone they knew.

Some shared willingly, and they call this ‘friendly fraud’.

Page 14

Effects of Medical Identity Theft

Costs victims time, money ($$) and aggravation.

A 2016 report from Javelin Strategy & Research found that an average identity fraud victim spent only $55 to resolve a financial account problem in 2015, BUT

65% of the medical identity theft victims surveyed by Ponemon said they spent an average of $13,500 to pay healthcare bills run up in their name, to recover their health insurance and to pay lawyer’s fees.

It took an average of more than 3 months to even detect the fraud and more than 200 hours to undo the mess.

Page 15

Detecting Medical Identity Theft

Read your medical and insurance statements regularly and completely.

Check the name of the provider, date of service, and service provided.

If you see a mistake, call your health plan and report the problem.

Other signs of theft include:

A bill for medical services you didn’t receive

A call from a debt collector about a medical debt you don’t owe

Medical collection notices on your credit report

A notice from your health plan saying you reached your benefit limit

A denial of insurance because your medical records show a condition you don’t have

Page 16

Correcting Mistakes in a medical record

Get copies of your medical record and check for errors (federal law gives you the right to inspect).

Get an accounting of disclosures: ask your health plan and medical provider for a copy of the accounting of disclosures (this should list who got copies of your records from the provider; the law allows for 1 free copy every 12 months).

The accounting of disclosures details:

What medical info the provider sent

When it sent the info

Who got the info

Why the info was sent

Page 17

Correcting Mistakes in a medical record

Ask for corrections:

Write to your health plan and medical providers and explain which info is not accurate.

Send copies of docs that support your position.

Include a copy of the medical record and circle the disputed items.

Ask the provider to correct or delete the error.

Send the letter by certified mail with return receipt for your records.

The health plan or medical provider that made the mistake must change the info and inform labs, other health care providers and anyone else that might have gotten the wrong info. If the health plan or medical provider won’t make changes, ask to include a statement of your dispute in the record.

Page 18

Protecting your medical information

Be wary if someone is offering ‘free’ health services or products but requires you to provide your health ID.

Medical identity thieves pretend to work for an insurance company, doctor’s office, clinic or pharmacy to try to trick folks into revealing sensitive information.

Don’t share medical or insurance info by phone or email unless you initiated the contact and know who you are dealing with.

Keep paper and electronic medical records in a safe place.

Shred outdated health info forms, prescriptions, physician statements and labels from prescription bottles before you throw them out.

Before anyone provides any PI to a website, they should find out why it’s needed, how it will be kept safe, whether it will be shared and with whom.

Read the Privacy Policy statements.

If you do decide to share, look for a lock icon on the browser’s status bar OR a URL that begins with “https:”; the “s” is for SECURE.

Page 19

Health Care Breaches

The Mass Attorney General has indicated that even having a WISP is not enough to comply with the Mass Data Security Regulations.

The AG’s message is that having a plan on paper isn’t enough alone; you must also have day-to-day practices that are in compliance.

Types of data breaches that have occurred:

Lost and Stolen: Emory Healthcare in GA revealed that it lost 10 computer disks containing patient social security numbers for about 315K surgical patients.

Hacker Attacks: The Utah Dept of Technology published a breach of a server that housed Medicaid claims of 780K patients; suspected hackers out of Eastern Europe were able to circumvent the security system of the server where the data was stored.

Malicious Insiders: The South Carolina Dept of HHS revealed a major Medicaid data breach affecting the protected health info of > 228K Medicaid beneficiaries; they discovered that an employee, since terminated, had transferred spreadsheets with PI to a personal email account.

Page 20

Causes of Data Breaches

Mobile Devices: loss of laptops, computers, hard drives, back-up tapes or other portable media containing PI (list some Examples)

Malicious insiders: on the rise and posing a serious security threat to sensitive information; individuals are abusing their privileges and have caused security breaches and failures (Examples)

Inadvertent postings at websites and other disclosures: careless handling of PI, particularly SS #s, which are often exposed in postal mailings; data may be posted on websites where it is accessible to those who are not intended to have access

Cloud computing risks: increased flexibility and efficiency is afforded by cloud environments; however, this also increases risk because it is usually a third party vendor offsite

Page 21

General Overview of Legal Requirements

HIPAA Privacy Rule and Security Rule

HITECH – The Federal Data Breach Notification Law

Individual State Data Breach Notification laws: 46 states have enacted legislation that requires notification of individuals whose PI may have been affected by a security breach.

CA was the first state to enact such a law.

Mass and Nevada have expanded their notification laws, requiring substantial security measures:

Mass requires any firm conducting business with state residents to develop a comprehensive information security program: encryption, a risk-based approach to ensuring security, and protection against data leakage.

Nevada has taken the additional step of requiring holders of credit card and PI in a computer info system to comply with professional standards promulgated by the Payment Card Industry council; businesses are required to encrypt all transmissions of PI.

Page 22

Questions?

Page 23

CEU Credits Reminder

Please scan OUT as you leave.

If you are staying in this classroom for the next session, you must have your badge scanned OUT for this session and scanned IN for the next session.

Thank you!

Mark & Paul