Technologies and procedures for HIPAA compliance

1. Technologies and Procedures for HIPAA Compliance Jack L. Shaffer, Jr. CIO – Community Health Network of West Virginia

4. In the News - a.k.a. “data loss du jour” March 11, 2005 Kaiser Permanente (Oakland, CA) A disgruntled employee posted informaton on her blog noting that Kaiser Permanente included private patient information on systems diagrams posted on the Web. UPDATE (6/21/2005): The California Department of Managed Health Care fined Kaiser $200,000 for exposing the confidential health information. Jan. 25, 2006 Providence Home Services (Portland, OR) Stolen backup tapes and disks containing Social Security numbers, clinical and demographic information. In a small number of cases, patient financial data was stolen. UPDATE: (9/26/06) Providence Health System and the Oregon Attorney General have filed a settlement agreement. Providence will provide affected patients with free credit monitoring, offer credit restoration to patients who are victims of identity fraud, and reimburse patients for direct losses that result from the data breach. The company must also enhance its security programs. Feb. 17, 2006 Mount St. Mary's Hospital (1 of 10 hospitals with patient info. stolen) (Lewiston, NY) Two laptops containing date of birth, address and Social Security numbers of patients was stolen in an armed robbery in the New Jersey. Aug. 4, 2006 PSA HealthCare (Norcross, GA) A company laptop was stolen from an employee's vehicle in a public parking lot July 15. It contained names, addresses, SSNs, and medical diagnostic and treatment information used in reimbursement claims. Aug. 7, 2006 U.S. Dept. of Veteran's Affairs through its contractor Unisys Corp. (Reston, VA) Computer at contractor's office was reported missing Aug. 3, containing billing records with names, addresses, SSNs, and dates of birth of veterans at 2 Pennsylvania locations. Aug. 11, 2006 Madrona Medical Group (Bellingham, WA) On Dec. 17, 2005, a former employee accessed and downloaded patient files onto his laptop computer. Files included name, address, SSN, and date of birth. The former employee has since been arrested.

7. “Data loss du jour” October 23, 2007 State info on 200,000 missing A computer tape containing personal information on about 200,000 current and past participants in state insurance programs was lost during shipment, the Public Employees Insurance Agency said Monday. The data file contained full names (including birth names), addresses, phone numbers, Social Security numbers and martial status for 200,000 people insured by the Public Employees Insurance Agency, the Children’s Health Insurance Program and Access West Virginia. The data was reported missing last week while being shipped via United Parcel Service to a data processing center in Pennsylvania, Department of Administration spokeswoman Diane Holley said Monday. She said UPS officials reported on Oct. 16 that the package containing the tape had broken open, and that the tape was missing. However, she said UPS officials believe the tape is somewhere in the distribution center in Louisville, Ky., and asked for time to conduct a search. With the tape still missing as of Monday, PEIA executives decided to send letters to all 200,000 people to notify them of the disappearance of the tape containing their personal data. She said the letters will provide information about identify theft, and will explain to recipients how they can place fraud alerts and security freezes on their credit reporting agency files, in the event their personal data is compromised. A security freeze blocks the credit reporting agencies from releasing information in an individual’s file, which could be used to obtain credit cards or other lines of credit, without that person’s authorization. The tape does not contain any information about individuals’ medical histories, or medical or prescription claims, Holley said. She said that, even if the tape were stolen, it cannot be “read” without access to specialized computer equipment. “It is a specialized computer tape,” she said. “It looks like an eight-track tape.” She said PEIA will operate a call center that people affected can call for updates on the status of the missing tape, or more information about protecting against credit fraud.

36. Questions?