Open Up Dentists – and Physicians, Too!
If I tell you that your patients’ insurance identities can be sold for $50 each, how much will you trust your employees on Monday, Doc?
The Experts Speak
According to a panel of cyber-security experts at a recent Digital Health Conference, medical identity theft has become one of the most lucrative forms of identity theft. “DHC: EHR Data Target for Identity Thieves” by MedPage Today Associate Staff Writer Cole Petrochko was posted last week.
http://www.medpagetoday.com/PracticeManagement/InformationTechnology/30074
“Presentations at the Digital Health Conference here indicated that a single patient’s electronic health records can fetch $50 on the black market — a much fatter target than more familiar forms of identity theft, such as Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother’s maiden name ($6).”
EMRs Not Like Credit Cards
“And, unlike a credit card number, patients’ healthcare records cannot be cancelled or changed to prevent stolen data from being used by criminals”, said John DeLuca, of EMC Corp., an information technology company.
The Street Value of eDRs
What do you want to bet that medical identities downloaded from dentists’ computers bring $50 as well. I’d like to share a special, visceral sentiment with my shy, HIPAA-covered colleagues:
I warned you, damn it! And, I assume, just like virtually all other silent dentists in the nation, you’ve done NOTHING to safeguard your patients’ identities. Even if you don’t like truth served bluntly, this dentist has your reputation in mind when I warn that if your practice experiences a reportable data breach of over 500 records, and your patients’ identities aren’t encrypted, those who choose to remain with your practice will never trust you as much as they do today – even if you properly report the breach. Of the estimated 20% who will never return, many will probably look for a gentle dentist who doesn’t store patients’ Protected Health Information (PHI) on computers …. Like me. (Yea, that was a sales pitch. As one might expect, I certainly welcome discussion of it with anyone).
ADA Laggards
After 5 years of awaiting responses from unaccountable leaders inside and outside the American Dental Association concerning HIPAA and EDRs, it feels really good to aggravate 9 out of 10 dentists still reading this – challenging those who normally take offense with professional stoicism to loosen up and share their feelings with everyone for once … God help me, I do love this so.
More About the Black Market
The black market price for EHRs has increased ten-fold in the last 5 years. In 2006, I warned in a guest column on WTN that it only takes one dishonest employee needing a couple of thousand quick dollars to potentially bankrupt a practice almost without risk of being caught. Back then, the black market price for a stolen medical identity was estimated at only $5 (See: “Careful with that electronic health record, Mr. Leavitt,” WTN News, October 18, 2006).
http://wtnnews.com/articles/3407/
It’s no secret that reticent ADA officials like President-elect Dr. Robert Faiella have suspiciously failed in their duty to be transparent with dues-paying members about the liabilities of the EHRs – even as they continue to recklessly promote paperless practices. The result: Almost all dentists in the US still maintain patients’ unencrypted medical identities on their office computers – often guarded by a flimsy password that is still cute a decade later. (Did I hear a gasp?)
Consider This!
Consider this, Doc! If a practice has 3000 active patients with identities worth $150,000, all one dishonest employee needs for dreams to come true is a flash drive and private time with your computer.
Assessment
Show me a dentist who thinks the benefits of EHRs to dental patients still outweigh the liabilities and I’ll show you a dangerously naive healthcare provider who probably doesn’t know about KPMG Auditors. Let’s face the facts bravely, Doc. Now would be a terrible time to invest in an EDR system – even cloud based. The proven, avoidable danger EDRs bring to American dental patients is unacceptable and only getting worse. Give it a year or so.
Speaker: If you need a moderator or speaker for an upcoming event, Dr. David E. Marcinko; MBA – Publisher-in-Chief of the Medical Executive-Post – is available for seminar or speaking engagements. Contact: MarcinkoAdvisors@msn.com
Filed under: Information Technology, Pruitt's Platform, Risk Management | Tagged: ADA, Cole Petrochko, Darrell Pruitt DDS, Digital Health Conference, Dr. Robert Faiella, eDRs, EMRs, HIPAA, John DeLuca, Medical Identity Theft on the Rise, protected health information |
Update on failure of the ADA
The continuing silence from unaccountable ADA leaders concerning the increasing liability of electronic dental records reveals the embarrassing failure of yet another half-baked ADA grab for power – revealing once again the not-for-profit’s abandonment of members’ interests in favor of non-dues income to help feed the cancerous, bureaucratic growth.
Don’t believe me? Other than shame, what else could possibly make current ADA officials so universally unresponsive to the increasing damage caused by data breaches? Renegade ADA leaders who are responsible for the harm – including the shy President-elect Dr. Robert Faiella who is also Chair of the ADA EHR workgroup – can’t blame their silence on the Hippocratic Oath any more than they can blame it on professionalism.
Today, “Physician’s computers were stolen,” by Patrick Danner, was posted on MySanAntonio.com.
http://www.mysanantonio.com/business/article/Computers-containing-medical-info-stolen-2429542.php
According to Ponemon Institute studies, the San Antonio physician who lost 3,000 patients’ identities when computers were stolen in a burglary can expect the disaster to cost him over half a million dollars even before the HIPAA fines are assessed and lawsuits are filed by angry patients, and perhaps even the Texas Attorney General. And just think. The physician did the right thing by reporting the loss.
What’s more, since the San Antonio physician fumbled more than 500 individuals’ unencrypted Protected Health Information (PHI), federal law demands that his name appear on the HHS Wall of Shame forever. Because of a burglary of his office, the poor guy is guilty for life in every state in the nation. Yet self-serving ADA leaders continue to encourage trusting dentists to quickly adopt paperless practices.
Since EHRs can bring $50 each from identity thieves in the black market, I wonder if the burglar yet knows the computers are worth $150,000.
If by notifying every patient whose identity is put at risk because of a stolen computer, a dentist knows he or she faces certain bankruptcy, how many computers that are stolen from dental offices do you think go unreported? I imagine there are already thousands of dentists in the nation who for the rest of their lives will privately fear that one day their patients will suddenly become the focus of an identity theft investigation. And for some of the unfortunate dentists, their fears will come true. Did I mention that identities stolen from dental offices are selling for $50 each?
That’s a heavy penalty to pay for the rest of a dentist’s life, just for following the very bad advice of selfish, unaccountable, stakeholder-friendly ADA leaders. What’s more, with the growing national anger over the increasing number of identity thefts from providers’ offices, any dentist found guilty of not reporting a major data breach within 60 days won’t find sympathy anywhere – not even from ADA officials like Dr. Faiella who still recklessly push ADA members into going paperless.
D. Kellus Pruitt DDS
Healthcare accounts for 3 of the 6 worst data breaches in 2011
Data security breaches occur in every industry, but those in healthcare were particularly significant in 2011.
Three of the six worst security breaches in the U.S. were in healthcare this year, according to the Privacy Rights Clearinghouse (PRC), a nonprofit consumer protection organization.
http://www.fiercehealthit.com/story/report-healthcare-accounts-3-6-worst-data-breaches-2011/2011-12-22
Mary
Is your computer infected?
Do you know how dentists can tell if their office computer is infected with a nasty Estonian worm they call DNSChanger Trojan? You’ll lose internet access on March 8th, 2012.
(See “FBI Could Pull the Plug On Millions of Internet Users March 8” by Steve Huff).
http://digg.com/newsbar/story/fbi_could_pull_the_plug_on_millions_of_internet_users_march_8th
It’s aggravations like that which make my office staff and me happy we have paper dental records.
D. Kellus Pruitt DDS
Tickling the Huff
“Knowing What’s Right Could Help Improve Patient-Centered Outcomes” was posted on the HuffingtonPost.com today.
http://www.huffingtonpost.com/doug-peddicord/knowing-whats-right-could_b_1297538.html
Do you consider medical identity theft a patient-centered outcome? I asked Doug Peddicord, Ph.D., what he thinks in a comment following his article.
———
Dear Doug Peddicord
Executive Director of the Association of Clinical Research Organizations
Washington, DC.,
Of the five broad categories of research listed in your article that the Patient-Centered Outcomes Research Institute (PCORI) said it may conduct, communication and dissemination is one of them.
It’s pretty obvious to those of us in the dental profession that Washington lawmakers know nothing about the profession’s worsening problems with HIPAA/HITECH mandates that simply don’t fit. But that’s not the data dissemination problem the nation is concerned about. What if a study concerning the safety of Health Information Technology (HIT) in dentistry was conducted and it was discovered that overwhelmingly, dental patients are more likely to be harmed by electronic dental records than paper dental records? Would evidence-based proof that EDRs cause more harm than good make any difference to bipartisan lawmakers who want EHRs in even dental offices in the worst way?
After all, breaches of patients’ medical identities from healthcare organizations are said to be reaching “epidemic proportions” with the frequency doubling every year… Yet EHRs in dentistry do nothing to improve patient care. What’s more, they cost more than paper dental records. As anyone can see, the business of dentistry is simple compared to whole body medicine. Intricate, careful handwork in sensitive mouths cannot be sped up by computerization, so those of us who are careful will always maintain ten times fewer patients’ charts than physicians. In fact, about 10% of dentists still run successful businesses using pegboards, ledger cards and the US Mail. If one is only pulling and later filing away a dozen or so charts a day, it’s hardly worth turning on the computer and entering a password that must be changed regularly for security.
What’s more, the cost of HIPAA compliance, which adds to the cost of dental care, is not controlled by a competitive free market, and complications only increase stakeholder profits. As one might expect, the resulting tedious, ineffective regulations and punitive, bankruptcy-level liabilities are only going to get more expensive for HIPAA-covered dentists. Who couldn’t see that coming? It’s a mandate for crying out loud!
One would think someone following dentistry for The Huffington Post would already be all over this story. I’m sure they are waiting until just the right moment to break the news to clueless, vulnerable Americans whose identities are being needlessly disseminated from dentists’ offices more than ever before.
Thanks, Dr. Peddicord, for bringing the PCORI to my attention.
D. Kellus Pruitt DDS
HHS SETTLES HIPAA CASE FOR $1.5 MILLION
[1ST ENFORCEMENT ACTION RESULTING FROM BREACH REPORT]
The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”) announced on March 13, 2012 that it settled with Blue Cross Blue Shield of Tennessee (“BCBS”) for $1.5 million as a result of a breach reported under the HITECH breach notification rule.
BCBS timely reported a breach to OCR on November 3, 2009 after 57 unencrypted hard drives were stolen from a network data closet on or about October 2, 2009. These hard drives contained audio and video recordings of customer service calls which included protected health information of over 1 million insurance plan members, including their names, insurance member numbers, dates of birth, and social security numbers. The network closet was secured by biometric and keycard scan security with a magnetic lock and additional door with a keyed lock. Although BCBS received an alert on October 2, 2009 that the server at the network closet was unresponsive, it wasn’t until Monday, October 5, 2009 that the theft was identified.
OCR determined that BCBS failed to implement appropriate physical safeguards by not having adequate facility access controls, despite the security measures in place at the network closet. OCR also found BCBS lacked administrative safeguards by not performing the required security evaluations. As part of the settlement, BCBS agreed to a 15-month corrective action plan which requires BCBS to update their HIPAA security policies, conduct training for employees with access to patient information, and conduct monitoring reviews to ensure compliance. For more information see the resolution agreement here.
This settlement sends a strong message that OCR expects covered entities to have a well designed and implemented HIPAA compliance program.
Source: Garfunkel Wild, P.
Another “I told you so”
“Report: PHI security is MIA” by Taylor Armerding was posted today on ComputerWorld.
http://www.computerworld.com/s/article/9225843/Report_PHI_security_is_MIA
Daniel W. Berger, president and CEO of IT security firm Redspin, tells ComputerWorld, “Electronic health records provide the largest efficiency gain per dollar spent, but ensuring their security is the only way to realize that gain. Otherwise data breach costs will undermine the economics and erode patient confidence.”
Darrell
ETHICAL KUDOS from the ME-P
OR Podiatrist Reports Unauthorized Disclosure of Patients’ Information
Nancy Shepherd of Cottage Grove said her parents, both of whom are in their late 70s, received a troubling notice from the office of Dr. Rex Smith, a podiatrist. Dr. Smith, a Eugene podiatrist with a practice on Chambers Street, sent the letter to Shepherd’s parents. The first paragraph said, “… my staff and I have discovered an unauthorized disclosure of your personal and health information, which may compromise the privacy and security of that information.”
Eugene police confirmed that on Feb. 19th, someone broke into Dr. Smith’s office and stole medication and a computer.
According to Dr. Smith’s letter, the computer contained personal information for many patients including names, birth dates, and social security numbers.
Source: Ty Steele, KVAL [4/19/12]
via PMNews #4,443
Identity Theft Takes $11 Billion From IRS
At a May 8th Congressional hearing, Treasury Inspector General for Tax Administration (TIGTA) Russell George testified on the rapid growth of identity theft and tax refund fraud. TIGTA produced a major report on May 3, 2012 that outlined in detail the problem with identity theft.
In tax year 2010, there were 2.2 million fraudulent returns. About 940,000 returns involved identity theft. There was $6.5 billion in fraudulent tax refunds from this group.
TIGTA auditors also estimated that there are 1.5 million other returns that involve identity theft. These returns included another $5.2 billion in fraudulent refunds. The total tax fraud due to 2010 identity theft was estimated to be $11.7 billion.
George indicated that the investigation showed that 48,357 Social Security numbers were used multiple times. These stolen Social Security numbers enabled identity thieves to file multiple returns for refunds or to claim excessive deductions for non-existent dependents.
George stated, “When the identity thief files the fraudulent tax return, the IRS does not yet know that the individual’s identity will be used more than once. As a result, the tax return is processed and the fraudulent refund is issued. These incidences result in the greatest burden to the legitimate taxpayer.”
After the identity thief obtains the false Social Security number, he or she attempts to file the first return using that number. The legitimate taxpayer then has a delay in obtaining a refund because the same number has been used twice.
A typical strategy for an identity thief involves five steps.
1. Social Security Number – Obtain another individual’s Social Security Number, often from a hospital, doctor’s records or other business source.
2. Debit Card – From a bank or other financial institution, obtain a debit card that can receive the refund.
3. Filing – Attempt to file early to be able to use the stolen Social Security number before the legitimate taxpayer.
4. Fictitious Returns – Estimate earnings on the W-2 and other forms on the fictitious return. Frequently, the IRS has sent out the refund before checking the W-2 amounts.
5. Receive the Refund – In many cases the fraudulent refund is credited to the debit card.
IRS Deputy Commissioner for Services and Enforcement, Steven Miller, also testified at the hearing. He indicated that the budget cuts have resulted in a reduction in staff of 5,000 employees at the IRS. Even with this change in number of employees, he stated that the IRS plans to have 2,500 employees working to combat identity theft by the end of Fiscal Year 2012.
Miller concluded, “I can tell you that we have committed our talents and resources to prevent the issuance of fraudulent returns and have developed processes to minimize the pain felt by those who have been victimized.”
Source: Children’s Home Society of Florida Foundation
Congress Calls for Identity Theft Protection
At the Joint Hearing of the House Ways and Means Oversight Subcommittee and the Social Security Subcommittee, leaders from both parties agreed that Congress and the IRS must take significant steps to reduce tax-related identity fraud. The Joint Subcommittee meeting was called by Chairman Charles Boustany, Jr. (R-LA).
He indicated that the federal government must “better protect taxpayer dollars.” Boustany continued, “Identity theft allows criminals to file false tax returns and claim thousands of dollars in refundable tax credits. In a recent case in Florida, identity thieves that allegedly obtained $30 million in fraudulent refunds and nearly obtained $100 million more before being caught. They spent the money on expensive cars and homes.” Boustany suggested that substantial steps are needed to protect taxpayers from “unprecedented levels” of identity theft.
The ranking member on the Ways and Means Oversight Subcommittee is John Lewis (D-GA). Lewis acknowledged that tax fraud and identity theft are serious problems and the IRS must do more. He noted that the budget cuts and the 5,000 member reduction in staff cause challenges for the IRS in opposing identity theft and tax fraud. The IRS identity theft budget for this year is approximately $330 million. Lewis noted, “We need to provide the IRS with more tools to combat identity theft today.”
The Social Security Subcommittee Chairman is Sam Johnson (R-TX). He observed that the Social Security Administration continues to publish the Death Master File. This record of all Americans who have passed away each year is used by many government and financial service companies to ensure that benefits are correctly paid. However, Johnson discussed the case of Alexis Agin, daughter of Mr. and Mrs. Jonathan Agin. Alexis passed away at the age of four. Not only did the Agin family endure the grief of losing a child, but by the end of the year another taxpayer was using her Social Security number to claim a dependent deduction.
Johnson recommends that the Death Master File be subject to restrictions on use. He introduced the “Keeping IDs Safe Act of 2011” to limit the public distribution of the Death Master File.
The fourth leader to speak on the topic was Ranking Member of the Social Security Subcommittee Xavier Becerra (D-CA). He noted that the IRS must process 140 million tax returns in a few months. In his view, it is important to find the “right balance between the use of the Death Master File (DMF) and the efforts of the IRS in opposing identity theft.” Becerra stated, “The DMF is helpful in administering benefits and in combating fraud, at both government agencies and in the private sector.” He acknowledged that the use of the DMF should be made more restrictive in order to minimize the level of ongoing identity theft.
Source: Children’s Home Society of Florida Foundation
As Patients’ Records Go Digital, Theft And Hacking Problems Grow
As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials. Keeping records secure is a challenge that doctors, public health officials, and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.
On May 14, federal prosecutors charged one of the hospital’s medical technicians with violating the Health Insurance Portability and Accountability Act, or HIPAA. Prosecutors say that over a 17-month period, Laurie Napper used her position at the hospital to gain access to patients’ names, addresses and Medicare numbers in order to sell their information. A plea hearing has been set for June 12; Napper’s attorney declined comment.
Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients’ files onto a personal laptop, which was stolen from the contractor’s car.
Source: David Schultz, Kaiser Health News and the Washington Post [6/3/12]
BAs call for de-ID
[Careless Business Associates call for de-identification of EDRs]
Doc, how well do you trust your HIPAA Business Associates to protect your patients’ welfare? Would you bet your reputation on them? Have you even asked about their security?
“HIPAA Modifications: How to Prepare – Attorney Advises Focusing on Business Associates” by Marianne Kolbasuk McGee was posted on HealthcareInfoSecurity today.
http://www.healthcareinfosecurity.com/interviews/hipaa-modifications-how-to-prepare-i-1734?rf=2012-12-14-eh&elq=d9ab2120299a451396ddfcaf45160470&elqCampaignId=5336
Attorney Lisa Sotto, who heads the global privacy and data security practice of law firm Hunton & Williams, told McGee, “Healthcare organizations need to more closely monitor how their business associates protect the security of patient information and step up risk assessments as they prepare to comply with looming HIPAA modifications.”
Dentists are now held accountable for 3rd party carelessness with patients’ Protected Health Information (PHI). How did it come to this? According to a June 7, 2012 report from the Office of Civil Rights (OCR) titled, “Breach Notification for HIPAA Covered Entities and Business Associates,” the number and impact of breaches by BAs indicated “significant failures” in safeguarding patients’ identities. Specifically, BAs were found to be responsible for 22% of breaches involving more than 500 individuals. What’s more, the BAs’ breaches have affected 60% of those whose PHI was disclosed. This means 3rd parties, such as consultants and cloud providers, are responsible for more dental patients’ identities being lost than dentists.
PDF: day2-4_dholtzman_ocr-hitech-breach-notifcation-rule.pdf
When a 3rd party fumbles PHI, the patients must be notified within 60 days of its discovery. Should a BA lose control of more than 500 dental patients’ identities, the dentist’s community must also be alerted with a press release. Though a dentist may not be at fault for such a breach, Americans hate breach notifications, and angry patients will reflexively blame the dentist. Ponemon Institute studies show that more than 20% of patients who are notified of a breach never return. The cost for providers has been estimated at over $200 per lost record – $50 for notification and $150 for lost business. Ponemon estimates that 94% of healthcare organizations have suffered at least one reportable data breach in the last 2 years. It’s no longer “if” a paperless dentist will suffer a data breach, but “when,” and how many times?
For colleagues who recall the simple life with safe, paper dental records – who now realize how huge a hassle and liability EDRs have become – I should take this opportunity to suggest that breach risks in dentistry could be minimized simply by de-identifying EDRs. In April, I predicted tangible advancement of the idea before the end of the year. On December 3, the ADA News posted its first article about de-identification: “Guidance offered on PHI de-identification” by Craig Palmer.
http://www.ada.org/news/8003.aspx
Palmer writes: “Under the HIPAA privacy rule, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe that it can be used to identify an individual.” Though Palmer addresses de-identification of EDRs for the secondary purpose of safe research data rather than for dentists’ primary records, the progress towards acceptance is undeniably tangible. The common sense solution is only a half-step away. Due to the less complex nature of dental records compared to medical records, safe interoperability will also be far less complicated to establish.
For a more in-depth, well-presented description of the topic, see “Perspectives on Health Data De-identification” by Dr. Khaled El Emam.
PDF: Perspectives.pdf
D. Kellus Pruitt DDS
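The de-identification the comment above argues for, as an added Python example that is not the author’s, the ADA’s or HHS’s code: it applies the HIPAA Privacy Rule’s Safe Harbor method to a constructed dental record, dropping direct identifiers, generalizing ZIP codes and dates, and scrubbing obvious residue from free text. The field names, the sample record and the sparse-ZIP prefix list are assumptions (verify the prefixes against current HHS guidance).

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a dental record.

Added example, not code from the post or from any HIPAA authority.  Safe
Harbor removes 18 categories of identifiers; the fields below are an
assumed subset chosen to match the constructed sample record.
"""
import re
from datetime import date

# Direct identifiers removed outright.  Geographic units smaller than a
# state (street, city, county) are included; state may be kept.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "email", "ssn",
    "member_number", "account_number", "device_serial", "ip_address",
}

# Three-digit ZIP prefixes covering 20,000 or fewer people (2000 census),
# which Safe Harbor requires to be reported as 000.  Assumption: list as
# published in HHS de-identification guidance; confirm before relying on it.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
               "823", "830", "831", "878", "879", "884", "890", "893"}

# Patterns for residue that commonly leaks into free-text notes.  Regexes
# cannot catch names or addresses, so notes still need human review.
RESIDUE_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
]


def generalize_zip(zip_code):
    """Keep only the first three digits, or 000 for sparse areas."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def generalize_birth_year(birth_iso, as_of_iso):
    """Reduce a birth date to its year; ages 90+ collapse to one bucket."""
    birth, as_of = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age >= 90 else str(birth.year)


def scrub_free_text(text):
    """Replace SSN, phone and e-mail look-alikes in notes with placeholders."""
    for pattern, label in RESIDUE_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, as_of_iso):
    """Return a Safe Harbor de-identified copy of a record (dict of fields)."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                               # dropped entirely
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field == "birth_date":
            out["birth_year"] = generalize_birth_year(value, as_of_iso)
        elif field.endswith("_date"):              # other dates: year only
            out[field] = str(date.fromisoformat(value).year)
        elif field == "notes":
            out[field] = scrub_free_text(value)
        else:
            out[field] = value                     # clinical content kept
    return out


# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "member_number": "PLAN-00112233",
    "phone": "(512) 555-0134",
    "street_address": "12 Elm St",
    "city": "Austin",
    "state": "TX",
    "zip": "78701-1234",
    "birth_date": "1921-03-14",
    "last_visit_date": "2012-11-02",
    "tooth_chart": {"14": "MOD composite", "30": "crown"},
    "notes": "Pt prefers calls at (512) 555-0134; spouse ssn 987-65-4321 on file.",
}


def deidentify_sample():
    """De-identify the sample as of the comment's date (2012-12-14)."""
    return deidentify(SAMPLE_RECORD, "2012-12-14")
```

Safe Harbor also requires that the covered entity have no actual knowledge the remaining data could identify the patient, which no function can check; the retained clinical fields still need a linkage key held separately if the practice must re-identify for care.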
More on Medical Identity Theft
“Protect Yourself Against Medical Identity Theft” by Gerri Willis, Fox Business, May 21, 2013
http://www.foxbusiness.com/on-air/willis-report/blog/2013/05/21/protect-yourself-against-medical-identity-theft
“The World Privacy Forum’s Pam Dixon says the FBI concedes that drug dealers have switched careers to medical fraudsters because the risk of being caught is so low.”
Darrell