
Page 1: Foma id theft presentation

Copyright Jeffrey Helfand, DO, MS (2009)

Identity Theft

Are You and Your Practice Protected?

Page 2: Foma id theft presentation

The laws discussed in this presentation are, like most laws, constantly amended and interpreted through legal and social challenges. You are encouraged to carefully review these laws and draw your own conclusions.

We are not attorneys, and the information provided is not to be construed as legal advice, but merely a teaching tool to familiarize you with the need to put a solid information security and privacy plan in place, and some tips on how you can accomplish that goal. Your security and privacy plan should be carefully reviewed with your attorney before its final implementation.

Page 4: Foma id theft presentation

Objectives

Understand how identity theft can financially damage a medical practice under federal legislation, and why it is important to protect patient and employee personally identifiable information (PII) from identity thieves.

Identify what constitutes identity theft and how personal information is illegally obtained.

Know the steps you should take to protect patient and employee PII.

Know how to protect your medical practice from financial ruin resulting from severe federal and state fines and civil damages.

Page 5: Foma id theft presentation

In the last four years, there have been more than 2,000,000 articles and TV news features about a crime that no one had heard of just a few short years ago.

South Florida Sun Sentinel (12/2008): “Identity theft accelerated in 2008, …will worsen in '09”

Associated Press / WKRG-TV, Pensacola (11/2008): “University of Florida discloses patient-record data breach”

The Ledger, Lakeland (5/2008): “Doctor Resigns Over Patient Data Breach”

Wall Street Journal (1/2009): “Heartland Card Data Breached, Firm Says: Largest Breach Ever”

PC World (1/2009): “Monster.com Reports Theft of User Data”

Boston Globe (8/2007): “Credit Card Headaches From TJX Breach Remain”

Page 6: Foma id theft presentation

A 17-Year Nightmare of Identity Theft

In 1985 David B. Dahlstrom lost his wallet containing his birth certificate, Social Security card and driver’s license.

For 17 years, Dahlstrom, a locksmith in Salt Lake City, has been the victim of Yorck A. Rogge, an identity thief who was first arrested in 1990, and again in 1996, while using Dahlstrom’s identity to commit a string of crimes.

Dahlstrom has had difficulty getting credit and has been detained by police officers serving an arrest warrant in his name. Dahlstrom said the ordeal had left him feeling “violated and confused.”

Dahlstrom wasn’t aware his identity had been stolen until he was denied a credit card. He also learned of insurance claims filed for accidents in which he was not involved.

NY TIMES, Randall C. Archibold, April 13, 2007

Page 7: Foma id theft presentation

Why You Are At Risk: The Databased You

Your name: 1000’s of aggregators

Fingerprints and DNA: FBI, state and local databases

Insurance claims: C.L.U.E. database, etc.

Military record: DoD databases

Criminal history: NCIC database

Real estate deeds: Clerks of Court databases

Legal history: state and federal court databases

Credit history: credit repositories’ databases

Birth certificate: ChoicePoint databases, state, etc.

Phone number and tracking info: 1000’s of aggregators

Social Security number: SSA database

Address: 1000’s of databases

Driver’s license # and record: DMV databases

Medical records: MIB database, etc.

Car registration and info: DMV, local treasurer, OnStar, etc.

Page 10: Foma id theft presentation

Identity Theft: What Is It?

Someone illegally using your:

Name, address and telephone number

Social Security number

Driver’s license number

Birth certificate

Credit cards or bank accounts

Other personal identifying information

Page 11: Foma id theft presentation

Major Forms of Identity Theft

Financial: credit card fraud, filing for death benefits (Social Security or life insurance), new lines of credit

Identity cloning: assuming your identity to obtain medical care, a driver’s license, immigration documents, employment or housing

Criminal: a criminal assumes your identity to commit a crime, tax evasion or terrorist activity

Medical: assuming someone’s identity to collect money, prescription drugs or goods, or to obtain medical services

Page 12: Foma id theft presentation

Types of Financial ID Theft

Page 13: Foma id theft presentation

Medical identity theft: assuming someone’s identity to collect money, prescription drugs or goods, or to obtain medical services

Consequences of Medical ID Theft:

Erroneous medical records

Excessive unpaid or uncovered medical bills

Employment denials resulting from a poor credit rating caused by medical debt run up in your name

Denial of new health, life or disability insurance coverage or rated coverage

Legal issues

In extreme cases, death or physical injury resulting from improper care based on incorrect medical records has been reported

Page 14: Foma id theft presentation

Just the Facts

Fastest growing crime in the U.S.

More than 10 million people in the U.S. victimized in 2008

27,000 people a day, almost 19 every minute

Over $50 billion total in economic losses yearly

Fraud charges average about $93,000 per victim

Average victim spends approximately 600 hours of personal time and an average of $1,400 in out of pocket expenses to resolve their case

Source: FTC report, 2008

Page 15: Foma id theft presentation

More Facts…

Usually 6-12 months to discovery

Average of 3-6 months to resolution, if ever resolved

65% of cases are never resolved

638 incidents of lost or stolen personal data were reported in 2008 alone, up from 446 in 2007, at financial and health care institutions, universities, government and military agencies, and data, information and other companies, with over 60 million persons potentially affected

Many high profile cases in 2007 and 2008 (Monster.com, TJ Maxx, Aetna, University of Florida and the CT Department of Revenue Services)

Page 16: Foma id theft presentation

How Thieves Obtain PII

Stealing bank or credit card statements, pre-approved credit offers, new checks or tax information from your mailbox

Changing your address on credit card or bank statements

“Dumpster diving” (home and business)

Office cleaning services

Page 17: Foma id theft presentation

How Thieves Get Your Information

Posing as a landlord or employer to obtain personal credit information

Online e-mail scams, computer hacking and “phishing” e-mails

“Business Record Theft”: when thieves steal information from businesses where you are a customer, employee, patient or student

Shoulder surfing or eavesdropping at ATMs, telephone booths, restaurants, airports, etc.

Page 19: Foma id theft presentation

(Sample phishing e-mail) Look at the syntax carefully: misspellings and awkward grammar are a warning sign

Page 20: Foma id theft presentation

(Sample phishing e-mail) No name in the “To” field: the message was sent to a list, not to you
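
Sloppy syntax needs a human eye, but the other tell on these slides, an impersonal “To” line, can be checked by a machine, as can two closely related ones: a Reply-To that points away from the claimed sender’s domain, and a link whose visible text names a different site than its real target. The script below is an added example, not part of the original slides; the two messages in it are constructed for the example, and the domains and the address 198.51.100.7 are documentation placeholders, not real ones.

```python
"""Machine-checkable phishing tells: impersonal To, Reply-To domain mismatch,
link text that names one site while the href goes to another."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Small HTML anchor matcher; enough for ordinary mail bodies.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that looks like an address, so the reader expects to land there.
URL_TEXT_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def host_of(s: str) -> str:
    """Lower-cased host of a URL or bare domain, with a leading 'www.' dropped."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def mail_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the indicator codes found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. "No name in To": bulk phishing goes to a list or a group, not to you by name.
    to_name, to_addr = parseaddr(msg.get("To", ""))
    if not to_name or not to_addr:
        findings.append("impersonal-to")

    # 2. Replies silently go to a domain that is not the claimed sender's.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and mail_domain(reply_addr) != mail_domain(from_addr):
        findings.append("reply-to-domain-mismatch")

    # 3. Link text says one site, the href goes to another (single-part bodies only here).
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in LINK_RE.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()  # strip nested tags
        if URL_TEXT_RE.fullmatch(text) and host_of(text) != host_of(href):
            findings.append("link-target-mismatch")
            break
    return findings


# Constructed sample messages (placeholder domains, not real mail).
PHISH = """From: "MyBank Security" <alerts@mybank.example>
Reply-To: verify@mybank-secure-login.example
To: undisclosed-recipients:;
Subject: Urgent: you're account has been suspend
Content-Type: text/html

<html><body><p>Dear Valued Customer, please
<a href="http://198.51.100.7/mybank/">www.mybank.example/login</a> to re-activate.</p>
</body></html>
"""

LEGIT = """From: "Front Desk" <frontdesk@abcmedical.example>
To: "Jane Doe" <jane.doe@example.com>
Subject: Appointment reminder
Content-Type: text/plain

Your appointment is Tuesday at 9:00. Reply to this message to reschedule.
"""

if __name__ == "__main__":
    print(phishing_indicators(PHISH))  # ['impersonal-to', 'reply-to-domain-mismatch', 'link-target-mismatch']
    print(phishing_indicators(LEGIT))  # []
```

The checks are heuristics, not proof: a legitimate newsletter is also sent to a list, and a mismatched link is sometimes just a tracking redirect. What they give a front-office employee is a short list of reasons to pick up the phone instead of clicking.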

Page 22: Foma id theft presentation

How Thieves Use Your Information

Sell your personal information over and over

Open new checking or credit card accounts using your name, date of birth and Social Security number

Establish new phone service in your name

Obtain mortgages, auto loans or leases

File fraudulent health services claims or obtain medical care using your name and insurance info

Page 23: Foma id theft presentation

How Thieves Use Your Information

Obtain a driver’s license with your name and someone else’s photo

Open a business or obtain a job in your name but do not file tax returns

Use your name if arrested or detained by law enforcement

Page 24: Foma id theft presentation

Consequences of Identity Theft

Credit card problems and harassment by collection agencies

Overdrawn accounts and loan rejections

Medical and other insurance rejections

Interruption of utilities

Employment issues

Civil suits

Criminal investigation, criminal charges and/or incarceration

Page 25: Foma id theft presentation

How to Reduce Individual Risk

Avoid giving out your Social Security and driver’s license numbers when possible

Do not carry your Social Security card, birth certificate, PINs, checkbooks, deposit slips or reorder slips with you

Cross-cut shred any mail or documents that contain personal information

Do not leave outgoing mail in your home mailbox

Opt out of pre-approved credit card offers by calling 1-888-5-OPT-OUT

Do not give out personal information when responding to emails or unsolicited telephone calls

Page 26: Foma id theft presentation

How to Reduce Individual Risk

When going away, ask a trusted friend or relative to pick up your mail and newspapers

Do not use non-bank ATMs, such as those in convenience stores, delis or restaurants

Request your free credit report from each of the three repositories once a year, staggering the requests at four-month intervals (www.annualcreditreport.com)

Keep computer anti-virus software up to date

Before recycling an old computer, wipe the hard drive (use a trusted computer repair service)

Place passwords on credit card, telephone and bank accounts when possible

Page 27: Foma id theft presentation

How to Reduce Individual Risk

Use a gel ink pen when writing out checks

Do not order checks from online sources or mailers (they frequently sell your information or use spyware)

When ordering checks from your bank, ask for delivery to your branch for pick up

Have your first initial & last name only printed on checks (no address or phone #)

Sign up for an identity theft protection plan that provides comprehensive services (monitoring and restoration by a third party)

Page 28: Foma id theft presentation

If You Become a Victim

1) File a report with your local law enforcement agency

2) Use the Florida Attorney General’s ID Theft Victim Kit: http://www.myfloridalegal.com/idkitprintable.pdf

3) Contact the Florida Department of Highway Safety and Motor Vehicles. At your request, the Fraud Section of the Florida Department of Highway Safety and Motor Vehicles will place a flag on your Florida driver’s license if you are a victim of identity theft (regardless of whether your license has been compromised). If you show your driver’s license to law enforcement or a Florida court, the flag will require them to ask for two or more pieces of identification. To reach the Fraud Section, call (850) 617-2405.

Page 30: Foma id theft presentation

How Security & Privacy Issues Affect Consumer Decisions

85% of Americans are worried about becoming victims of identity theft.

64% of consumers said they decided not to buy a company’s product or services because they did not know how the company would use their personal information.

58% of consumers said if they were confident a business followed their declared security & privacy policies, they would recommend that business to family & friends.

Source: Better Business Bureau survey, “Security & Privacy: Made Simpler”

Page 31: Foma id theft presentation

How a Security and/or Privacy Breach Can Negatively Affect Your Medical Practice

Damaged Reputation

“If you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!”*

This will include your patients, vendors and suppliers!!!

*CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006

Direct Costs

“companies on average spend 1,600 work hours per incident at a cost of $40,000 to $92,000 per victim.”*

Direct costs can include system redesign, employment costs, legal expenses, professional fees, the cost of notifying those affected, ID theft protection services for those affected, and fines. There are additional fines for failure to notify, as well as ongoing legal expenses resulting from lawsuits filed by victims of the breach.

*CIO Magazine, The Coming Pandemic, Michael Freidenberg, May 15th, 2006

The TJ Maxx breach, initially estimated to cost $25 million, has now cost over $256 million, and the final cost may top $1 billion, more than $100 per record compromised!**

**Boston Globe, August 2007

Page 32: Foma id theft presentation

Personally Identifiable Information: Overview

Medical practices keep sensitive personal information (names, Social Security, insurance ID and credit card numbers, birth dates and other account data) that identifies patients and/or employees.

This information is necessary for business functions, but if it falls into the wrong hands, it can lead to fraud, identity theft or other problems.

Given the potential economic cost of a breach of personal information — losing your patients’ or employees’ trust and perhaps even defending yourself against a lawsuit — safeguarding personal information makes good business sense.

Page 33: Foma id theft presentation

Important Federal Legislation Regarding Privacy Issues

HIPAA: Health Insurance Portability and Accountability Act

Red Flag Rules

FCRA: Fair Credit Reporting Act

GLB: Gramm-Leach-Bliley Safeguards Rule

FACTA: Fair and Accurate Credit Transactions Act

Be Sure To Check With Your Attorney On How These Laws May Specifically Apply To You

Page 34: Foma id theft presentation

HIPAA

Federal law passed in 1996 to provide national standards to protect privacy and security of individuals’ personal health information

Applies to healthcare providers (doctors, hospitals, labs, pharmacies, etc.), health insurance companies, billing companies and electronic billing clearinghouses

If you “collect, maintain, use, or transmit” individually identifiable health information (on paper or electronically), you must provide “reasonable and appropriate” safeguards to ensure its confidentiality, security and privacy

Page 35: Foma id theft presentation

HIPAA

The provider must:

1) Notify patients about their privacy rights.

2) Adopt and implement privacy procedures.

3) Train employees in privacy procedures.

4) Assign responsibility for seeing that privacy procedures are adopted and followed.

5) Secure records containing individually identifiable health information.

Page 36: Foma id theft presentation

HIPAA Compliance and Enforcement Through 2007

(Chart: Health Information Privacy Complaints Received by Calendar Year; totals > 35,000 complaints from 2003-2007)

Page 37: Foma id theft presentation

Consequences of HIPAA Non-Compliance

HIPAA provides specific federal penalties if a patient's right to privacy is violated including:

Non-criminal violations such as disclosures made in error provide for fines of $100 per violation up to $25,000 per year per standard.

Criminal penalties are provided for certain types of violations committed knowingly: up to $250,000 and 10 years in prison for obtaining protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

Be Sure To Check With Your Attorney On How These Laws May Specifically Apply To You

Page 38: Foma id theft presentation

HITECH

On February 17, 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the economic stimulus package, which was passed by the House and Senate on February 13.

It is intended to encourage the development of a national electronic health records network to provide improved patient care at lower cost.

It contains provisions to:

1) ensure records privacy and security as HIT develops

2) provide notice to the patient when privacy is breached

3) examine technologies to help patients track how their records have been disclosed

4) add new, stronger patient enforcement measures and strengthen existing HIPAA enforcement measures

5) require a study on providing for patient consent in electronic records systems

Page 39: Foma id theft presentation

FACTA: Overview

Fair and Accurate Credit Transactions Act

Implemented June 1, 2005

Intended to reduce the risk of consumer fraud and identity theft

Impacts any size business, not just large corporations

Deals with how businesses handle and dispose of employee and customer (including medical patient) personal information

Provides for punitive damages of up to $2,500 and statutory damages of up to $1,000 per person per occurrence, as well as unlimited civil damages, class action damages and attorney’s fees.

Be Sure To Check With Your Attorney On How These Laws May Specifically Apply To You

Page 40: Foma id theft presentation

FACTA: Key Points

The FACTA disposal rule requires destruction of consumer information before it is discarded.

It applies to any business that obtains confidential information regarding job applicants, employees, customers or suppliers.

Any business that hires an employee and does a background check that includes a credit check is covered by the records disposal provision of the law.

Page 41: Foma id theft presentation

Red Flag Rules

Requires every financial institution or creditor (the FTC includes health care providers) to develop and document a written Identity Theft Prevention Program with specific policies and procedures that must be implemented. The program must include:

Proof of implementation for each Red Flag business process

Procedures to identify, detect and respond to “Red Flags”

Documented training of employees

A continuously running oversight program

Periodic reviews and updates

Original deadline of Nov 1, 2008 extended to May 1, 2009

A negative event will trigger an investigation. If there is proof of non-compliance, the FTC will most likely levy fines of up to $2,500 for each independent violation and initiate civil actions, as well as require future audits at your cost.

Page 42: Foma id theft presentation

Gramm-Leach-Bliley Act

If you attempt to collect debts from patients or accept financing for payment of medical services, you are subject to GLBA.

GLBA requires a written information security plan that describes how the company is prepared for, and plans to protect, clients’ (patients’) nonpublic personal information.

Violation of GLBA may result in a civil action brought by the US Attorney General. Penalties provide for:

1) Civil penalties of up to $100,000 per violation for the company.

2) Officers and directors of the company may be subject to, and may be personally liable for, civil penalties of up to $10,000 for each violation.

Page 43: Foma id theft presentation

FCRA

The Fair Credit Reporting Act is a federal law that regulates the collection, dissemination, and use of consumer credit information.

Information furnishers, as defined by the FCRA, provide information to consumer reporting agencies. Typically these are creditors, with which a consumer has some sort of credit agreement (such as credit card and finance companies). If your practice sends information from delinquent accounts to consumer reporting agencies, this includes you.

Under the FCRA, a consumer may seek up to $1,000 in statutory damages, plus actual damages, punitive damages and reasonable attorney's fees and costs. Any consumer may file suit in any state or in federal court to enforce the Act.

Be Sure To Check With Your Attorney On How These Laws May Specifically Apply To You

Page 44: Foma id theft presentation

“The internal mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system.”

Jill Dennis, Senior Vice President, American Health Information Management Association

Page 45: Foma id theft presentation

The Enemy Within

MADISON, Wis. —

* A landlord snooped on tenants to find out information about their finances.

* A woman repeatedly accessed her ex-boyfriend's account after a difficult breakup.

* Another obtained her child's father's address so she could serve him court papers.

All worked for WE Energies, Wisconsin's largest utility, where employees routinely accessed confidential information about acquaintances, local celebrities and others from its massive customer database. Vast computer databases give curious employees the ability to look up sensitive information on people with the click of a mouse.

Ryan J. Foley, The Associated Press, Feb 21, 2008

Page 46: Foma id theft presentation

Medical Practice Security and Privacy Challenges

1) Employee access to PII: Who has access? Access must be on a strict need-to-know basis.

2) Inadvertent compromise of PII/medical information to other patients, drug and other sales reps, maintenance staff, etc.: Be aware of files left unsupervised or in the wrong place.

3) Collection of unnecessary documents/PII: Do you really need all the information you collect?

4) Data collection, storage and handling: How do you obtain and keep personal information, files and records? In what form is it stored? Do you use paper or electronic files?

5) Collection, sharing, transfer and utilization of medical information: Are you in compliance with HIPAA, FACTA, etc.? Information sharing and transfer must be compliant and on a need-to-know basis as well.

Page 47: Foma id theft presentation

Medical Practice Security and Privacy Challenges

6) Verification of patient/client identity: How do you verify patient identity and insurance eligibility?

7) Document destruction: What paper files, electronic media and computer files do you keep, and how are they destroyed when no longer needed?

8) Data protection: Are your servers and computer networks secure and virus-free?

9) Whistle-blower law: Are your employees happy? Do you respect them? Content employees and compliance with current legislation are your best protections.

10) Collections and credit issues: Are you compliant with current legislation? Do you know your vendors, and are they reputable? How do they handle and secure their data?

Page 48: Foma id theft presentation

DATA SECURITY PLAN

A sound data security plan is built on 5 key principles:

Take stock: Know what personal information you have in your files and on your computers.

Scale down: Keep only what you need for your business.

Lock it: Protect the information that you keep.

Pitch it: Properly dispose of what you no longer need.

Plan ahead: Create a plan to respond to security incidents.

FTC guide “Protecting Personal Information: A Guide for Business,” available at www.ftc.gov/infosecurity.
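
“Take stock” is the step practices most often skip, because nobody knows which old intake forms, spreadsheets and billing exports are still sitting on shared drives. The script below is an added example, not part of the original slides or the FTC guide: it walks a folder and reports files containing SSN-shaped or payment-card-shaped values, which also serves the later Electronic Security item “identify and assess all computers, servers, and wireless devices that may contain PII.” Card candidates are filtered with the Luhn check so invoice and phone numbers are not reported, and every hit is masked to its last four digits so the scan log is not itself a PII leak. The sample text is constructed for the example and the numbers in it are test values, not real identifiers.

```python
"""PII discovery scanner: find SSN- and card-shaped values in text files under a folder."""
import os
import re
from typing import Iterator

# Dashed SSN; the lookaheads reject areas, groups and serials the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by single spaces or dashes, as cards are usually typed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real card number passes; drops invoice and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in any report or log line."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for each SSN or Luhn-valid card number in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", mask(m.group().replace("-", ""))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", mask(digits)))
    return hits


def scan_directory(root: str) -> Iterator[tuple[str, str, str]]:
    """Yield (path, kind, masked_value) for every hit under root. Files are read as text
    with undecodable bytes ignored, which is enough for plain-text, CSV and many exports."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for kind, masked in find_pii(text):
                yield path, kind, masked


# Constructed sample: test numbers only, no real data.
SAMPLE = """Patient intake (constructed sample; no real data)
Name: Jane Doe    SSN: 123-45-6789
Card on file: 4111 1111 1111 1111  exp 09/11
Invoice ref: 1234 5678 9012 3456
Phone: (850) 555-0199   Chart #: 000-12-3456
"""

if __name__ == "__main__":
    for kind, masked in find_pii(SAMPLE):
        print(kind, masked)
    # ssn *****6789
    # card ************1111
```

The invoice reference and the chart number in the sample are deliberately shaped like a card number and an SSN; the Luhn check and the SSA range rules keep both out of the report. Run `scan_directory` against a copy of the shared drive, not against backups you then forget to dispose of.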

Page 49: Foma id theft presentation

Reducing Your Risk

Most identity theft cases start in the workplace. Studies show that up to 70 percent of all intentional identity theft cases are an inside job, perpetrated by a co-worker or an employee.

If you don’t absolutely need it, don’t collect it! If you collect it, protect it!

Cross-cut shred or pulverize any non-essential documents containing employee or customer personal information as soon as possible

Keep essential employee, customer and client records in a secure and/or locked area

Keep anti-virus software up to date, make sure any wireless networks are secured, use SSL/TLS (with a certificate from a recognized certificate authority such as VeriSign) to encrypt data in transit, and conduct regular software audits of computers

Page 50: Foma id theft presentation

Scale Down

Use Social Security numbers for required and lawful purposes only, like reporting employee taxes. Never use Social Security or driver’s license numbers as an employee or customer identification number, or keep doing so because you’ve always done it

Don’t keep customer credit card information or financial account numbers unless you have an essential business need to do so

Page 51: Foma id theft presentation

Lock It

Four Key Elements of Data Security

1) Physical security

2) Electronic security

3) Employee training

4) Security practices of contractors and service providers

Page 52: Foma id theft presentation

Physical Security

Most data compromises result from lost or stolen paper documents, CDs, flash drives, tapes and back-ups

Any media or files containing PII should be stored in a locked cabinet, preferably in a locked room when not in use, with limited employee access.

Be sure that employees put all files away when not being used, log off their computers, and lock their desks, cabinets and office doors when they are out of the office.

If files and/or media are stored in an off-site storage facility, limit employee access and maintain detailed log books to know if and when the storage site is accessed and by whom.

Page 53: Foma id theft presentation

Electronic Security

1) Identify and assess all computers, servers, and wireless devices that may contain PII

2) Check connections for key loggers: hardware devices plugged in between the keyboard and the computer, and key-logging software on the workstation

3) When receiving or transmitting credit card numbers, Social Security numbers or other PII, use Secure Sockets Layer (SSL) or another secure connection that protects information in transit, and encrypt all stored data

4) Avoid including PII in e-mails whenever possible; if it is necessary, make sure the data is encrypted

5) Separate web applications (billing, collections, insurance referrals) from your practice website so that PII cannot be obtained by hackers through your website

Page 54: Foma id theft presentation

Key Loggers

Software key loggers

USB key loggers

PS/2 (round plug) key logger

Page 55: Foma id theft presentation

Electronic Security

6) Control employee access with strong passwords, and require frequent password changes. Make sure employees do not post passwords near their workstations or share them with other employees. Use password-activated screensavers. Immediately terminate access and passwords for all workers leaving your employ

7) Avoid using laptops, to prevent accidental loss or theft of records and files; if a laptop must hold PII, encrypt its disk so a lost machine does not become a breach

8) Protect your computer network with a firewall, preferably a “border” firewall that separates your network from the internet. Set access controls to determine who has access and what they will be allowed to view

9) Limit wireless and/or remote access to your computer network

Page 56: Foma id theft presentation

Employee Training

Provide employees with copies of company policies, and post reminders where sensitive information is used or stored and where employees congregate.

If an employee works at home, make sure they follow all company policies and notify you immediately of any potential breach.

Impose disciplinary measures for all security-policy violations.

Train your employees regularly regarding electronic security measures. Include temps and workers at satellite offices.

Check references or do background checks for prospective employees who will have access to PII.

Page 57: Foma id theft presentation

Employee Training

Present a mandatory “Privacy Security Compliance and Identity Theft Training” for all employees.

Require that employees sign a confidentiality and security standards agreement for handling sensitive data.

This serves two purposes:

1. It makes employees aware of their legal responsibilities to protect PII, and

2. It serves as proof that handlers of PII have been through the mandatory training as required by law.

Page 58: Foma id theft presentation

Security Practices of Contractors and Outside Service Providers

Make sure you know your vendors well.

Always obtain good references and/or have background checks performed.

Find out how they handle data, what security and privacy provisions they have made, and whether they have had any previous security issues.

Make sure all outside service providers and contractors have their employees sign a confidentiality agreement.

If you share protected information with other health care providers (i.e. hospitals, labs, other physicians), this must include their staffs as well.

Page 59: Foma id theft presentation

Pitch It

Properly dispose of what you no longer need.

1) Credit card receipts, papers or electronic media with personally identifying information that are inadequately disposed of increase the risk of identity theft.

2) Disposal practices need only be reasonable to prevent unauthorized access to or use of PII.

3) Reasonable measures can be based on the type of media and the sensitivity of the information, and may take into account the cost and benefit of the various methods and technology available.

Page 60: Foma id theft presentation

Disposal Methods

Dispose of paper records by shredding using a crosscut shredder. Make shredders available throughout the workplace, especially next to photocopiers, fax machines and printers.

When disposing of old computers and portable storage devices, you can use wipe utility programs, but you are best off physically destroying the hard drives. (A five-pound sledge hammer works nicely and relieves tension too!)

Deleting files from the keyboard does not remove them from the hard drive; the data can still be retrieved by someone with little more than basic computer skills. This is one reason not to let employees keep practice data on home computers.
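
A normal delete only removes the directory entry and leaves the data blocks in place, which is exactly why the files come back with a recovery tool. The script below is an added example, not part of the original slides: it is the “wipe utility” approach, overwriting a file’s bytes in place before unlinking it, and `demo()` shows the contents being replaced before the name is removed. The file name and contents are constructed for the example. Keep the caveat in mind: on SSDs, copy-on-write or journaling filesystems, and anything with snapshots or backups, overwriting in place does not guarantee the old blocks are gone, which is why the slide still recommends physical destruction of the drive (or whole-disk encryption from day one, so that destroying the key is enough).

```python
"""Overwrite-then-unlink file disposal, with a demo that shows the effect."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def _fill(fh, size: int, pattern) -> None:
    """Write `size` bytes produced by pattern(n) from offset 0, then force them to disk."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(remaining, CHUNK)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def overwrite_contents(path: str, passes: int = 3) -> int:
    """Overwrite the file in place: `passes` random passes, then a final zero pass.
    Returns the number of bytes overwritten; the file keeps its name and size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _fill(fh, size, secrets.token_bytes)
        _fill(fh, size, lambda n: b"\0" * n)
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink. Returns bytes wiped.
    Caveat: on SSDs and copy-on-write/journaling filesystems the old blocks may survive
    the overwrite; treat this as a mitigation, not a guarantee."""
    size = overwrite_contents(path, passes)
    os.remove(path)
    return size


def demo() -> dict:
    """Create a throwaway 'intake form' in a temp directory, wipe it, and report what a
    reader of the raw file would now see. Constructed data only."""
    record = b"Name: Jane Doe  SSN: 123-45-6789  Card: 4111 1111 1111 1111\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "intake.txt")
        with open(path, "wb") as fh:
            fh.write(record * 50)
        wiped = overwrite_contents(path, passes=2)
        with open(path, "rb") as fh:
            after = fh.read()
        removed = secure_delete(path, passes=1)
        return {
            "wiped_bytes": wiped,
            "size_kept": len(after) == wiped,
            "pii_gone": b"123-45-6789" not in after and b"4111" not in after,
            "all_zero": after == b"\0" * wiped,
            "removed_bytes": removed,
            "still_exists": os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

The random passes matter less than the fsync: without forcing the writes out, the overwrite may still be sitting in the page cache when the file is unlinked, and the original blocks are never touched.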

Page 61: Foma id theft presentation

Plan Ahead

Create a plan for responding to security breaches. They will happen, even with the best attempts at prevention. Be prepared by having a contingency plan in place.

1) Assign a senior staff member to coordinate and implement a breach response plan.

2) If you believe a breach has occurred, disconnect any computers suspected of being compromised from the internet (disconnect rather than power off or wipe them, so the evidence on the machine is preserved for the investigation).

3) Investigate any suspected security breaches immediately, and take steps to close off any existing threats or network vulnerabilities.

Page 62: Foma id theft presentation

Plan Ahead

4) Know when to notify law enforcement, patients that may be affected, credit bureaus or other businesses that may be involved. Regulations vary by state.

5) Consult your attorney immediately in case of a breach.

6) Offer your employees the option to purchase an identity theft protection plan through your practice. (This may limit some of your liability, should their identity be stolen from data lost or compromised as a result of their employment with you, even if they decline coverage and you document it in their employment records.)

Page 63: Foma id theft presentation

Summary

Develop a sound understanding of the various laws we have reviewed today.

Take the first reasonable step as outlined by the FTC, and schedule mandatory meetings regarding identity theft for your employees.

Appoint an Information Security Officer as directed by provisions in the federal privacy laws and put an information security plan in place.

Make sure you take reasonable “good faith” measures, put them in writing, have your employees sign them and put the signed copies in employee files for your protection.

Review the Employee Confidentiality Form and any other questions you have regarding your security and privacy plan with your attorney prior to implementation.

Check out the FTC publications index: http://www.ftc.gov/bcp/menus/business/data.shtm

Review recent publications from the Better Business Bureau: www.bbb.org/securityandprivacy/download.asp.

Page 64: Foma id theft presentation

Information Security Officer

September 8, 2007

[insert employee designee]

RE: Information Security Officer

Dear [employee]:

As part of [ABC Medical Practice’s] comprehensive information security program, we are pleased to appoint you as Information Security Officer (ISO). As ISO, you will be responsible for designing, implementing and monitoring a security program to protect the security, confidentiality and integrity of personal information collected by [ABC Medical Practice] from and about our employees, patients and vendors.

As ISO, you will help [ABC Medical Practice] identify material internal and external risks to the security of all personal information; design and implement reasonable safeguards to control the risks identified in an information risk assessment; evaluate and adjust the program in light of testing results; and coordinate the continuous monitoring of the program and its procedures.

To support you in this role, [ABC Medical Practice] will periodically provide you access to the training courses and materials needed to maintain and continuously update the security program.

Thank you for your commitment to [ABC Medical Practice].

Sincerely,

[ ]
Chief Executive Officer (President, etc.)
[ABC Medical Practice]

Page 65: Foma id theft presentation

Sample Privacy and Security Policy

ABC Medical Practice Personally Identifiable Information Security Policy

(This privacy and security policy is incomplete and is presented as an educational tool only.)

1. Purpose

ABC Medical Practice is adopting this policy to help protect our employees, patients, vendors and the practice from damages resulting from loss, misuse or other compromise of sensitive and non-public information. This policy will:

Define sensitive and personally identifiable information (PII),

Describe the physical security of data and PII on paper, in hard copy, and on physical electronic media when used, stored, distributed and/or destroyed,

Describe the electronic security of data and NPI when viewed, stored, distributed and/or transmitted electronically.

2. Scope

This policy applies to all employees, temporaries, contractors, consultants and any other individuals who may have access to sensitive and non-public information, either by necessity or by accident, including all personnel affiliated with third parties.

Page 66: Foma id theft presentation

3. Policy

3.1. Personally Identifiable Information (Definition): Any personal information about an individual or business that, if obtained either via legitimate or fraudulent means, can be used in a fraudulent manner, including, but not limited to:

Social Security number

Birth date

Copies of birth certificate or passport

Driver’s license or other government-issued ID number

Credit card information, including any of the following:

a) Credit card number (partial or whole)

b) Credit card expiration date

c) Cardholder name

d) Cardholder birth date

Page 67: Foma id theft presentation

3.2. Authorized Access

Only those employees with a legitimate need to know will be authorized to access files and data with sensitive information.

3.3. File and/or Media Access

Files and/or electronic media containing sensitive information are not to be removed from the office except for transfer to or from the offsite storage facility.

3.4. Electronic Transmission of Data and Sensitive Information

Sensitive information is not to be included in any routine emails, inter-office mail, etc.

3.5. Disciplinary Measures

Employees who violate security policies will be subject to disciplinary measures such as suspension and/or termination.

Page 68: Foma id theft presentation

Employee Privacy and Confidentiality Waiver

I, ____________________, as an Employee of ____________________, do hereby acknowledge that I must comply with all State and Federal laws that regulate the handling of confidential and personal information regarding patients and vendors of this company and its other employees. These laws may include but may not be limited to FACTA, HIPAA, The Economic Espionage Act, The Privacy Act, Gramm-Leach-Bliley Act, identity theft laws (where applicable), trade secret protections and implied contract breach.

I understand that I must maintain the confidentiality of ALL documents, credit card information and personal information of any type, and that such information may only be used for its intended business purpose. Any other use of said information is strictly prohibited and is cause for immediate dismissal. Additionally, should I misuse or compromise any personal information of said patients, vendors and/or employees, I understand I will be held fully accountable both civilly and criminally. This may include, but not be limited to, Federal and State fines, criminal charges, and real or implied financial damages incurred by the patient, vendor, employee or this company.

I further agree to follow the rules and regulations this company has in place regarding the handling of confidential information so as to protect the privacy of all involved.

_____________________________________ Employee

_____________________________________ Witness

_____________________________________ Date

Page 69: Foma id theft presentation

Model Letter to Notify Patients of an Information Breach

Dear _____________:

We are contacting you about a potential problem involving identity theft.

[Describe the information compromise and how you are responding to it.]

We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. All three credit reports will be sent to you, free of charge, for your review.

Equifax: 800-685-1111

Experian: 888-397-3742

TransUnion Corp: 800-680-7289

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call [insert contact information for law enforcement] and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at www.consumer.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it can be accessed by law enforcement for their investigations.

We have enclosed a copy of Take Charge: Fighting Back Against Identity Theft, a comprehensive guide from the FTC to help you guard against and deal with identity theft.

[Insert closing]

Your Name

Page 70: Foma id theft presentation

Key Information Contacts

Florida Division of Consumer Services
1-800-HELP-FLA (435-3752)

http://www.800helpfla.com/identity.html

Federal Trade Commission

http://ftc.gov/bcp/edu/microsites/idtheft/

Florida AG's ID Theft Hotline
Phone: 866-966-7226 (FL Residents), 850-414-3990 (Outside FL)

www.myfloridalegal.com/identitytheft

ID Theft Resource Center (ITRC)
http://www.idtheftcenter.org/artman2/publish/states/Florida.shtml

Page 71: Foma id theft presentation

Executive Medical Management and Strategies

Jeffrey Helfand, D.O., M.S.
President/CEO

Direct: 203-858-0338

Email: [email protected]