The number of entities reporting breaches of unsecured PHI affecting 500 or more individuals has doubled since the agency that enforces the HIPAA privacy and security rules first posted them on its Web site two months ago.
The Office for Civil Rights (OCR) in February posted a list of 32 entities that since September 22, 2009, had reported the egregious breaches to OCR. On Friday, that number climbed to 64.
HITECH requires OCR to make public any breaches of 500 or more. OCR said on the site it will continue to update the page as it receives new reports of breaches of unsecured PHI.
Notice to patients alerting them to breaches "without unreasonable delay," but no later than 60 days after discovery of the breach
Notice to covered entities (CE) by business associates (BA) when BAs discover a breach
Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
Notice to next of kin about breaches involving patients who are deceased
Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response
Annual notice to the secretary of HHS, no later than 60 days after the end of the calendar year, about breaches of unsecured PHI involving fewer than 500 patient records
Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix, AZ, and principal of HIPAA Boot Camp in Casa Grande, AZ, released a report to HealthLeaders Media that breaks down the types of breaches posted on the OCR Web site.
Highlights include:
27% involve laptops
19% involve paper records
17% involve desktop computers
Of the 64 breaches of unsecured PHI, 11 involved business associates. Eight of the entities on the Web site are listed as "private practice." OCR says it cannot list the names of sole practitioners who do not give it consent, per the Privacy Act of 1974.
Providence Hospital
State: Michigan
Approximate number of individuals affected: 83,945
Date of breach: Feb. 4, 2010
Type of breach: Other
Location of breached information: Hard drive
Universal American, Inc.
State: New York
Business associate involved: Democracy Data & Communications, LLC
Approximate number of individuals affected: 83,000
Date of breach: Nov. 12, 2009
Type of breach: Incorrect mailing
Location of breached information: Postcards
"Private Practice"
City and state: San Antonio, Texas
Approximate number of individuals affected: 21,000
Date of breach: Feb. 20, 2010
Type of breach: Theft
Location of breached information: Portable electronic device
Shands at UF
State: Florida
Approximate number of individuals affected: 12,580
Date of breach: Jan. 27, 2010
Type of breach: Theft
Location of breached information: Laptop
Proposed HIPAA Privacy Rule regulations implementing HITECH requirements could be published in the Federal Register within the next 120 days, privacy and security experts say, now that the Department of Health & Human Services (HHS) has sent them this week to the Office of Information and Regulatory Affairs (OIRA) for review.
Asked when it believes rules will be public, the Office for Civil Rights (OCR), which oversees enforcement of the HIPAA privacy and security rules, wrote in an e-mail to HealthLeaders Wednesday, "HHS cannot predict the OMB timeline."
John R. Christiansen of Christiansen IT Law in Seattle says he expects to see it made public some time between the end of this week (not likely, he says) and the end of the summer.
OIRA has 90 days to review the regulations, though the head of the submitting agency can extend that time and OIRA may request a one-time 30-day extension, says Jana Aagaard of the Law Office of Jana Aagaard in Carmichael, CA.
OCR in March confirmed it expected to release proposed rules regarding privacy and security provisions of HITECH, but it did not say when.
The industry has been waiting on rules from OCR concerning HITECH provisions effective February 17.
These provisions include:
Business associate (BA) liability
New limitations on the sale of protected health information, marketing, and fundraising communications
Stronger individual rights to access electronic medical records and restrict the disclosure of certain information
"Although the effective date [February 17, 2010] for many of these HITECH Act provisions has passed, the [notice for proposed rulemaking] and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements," OCR wrote in a statement on its Web site.
Government and private insurers can't reduce coverage for mammography screenings that fall outside the controversial U.S. Preventive Services Task Force (USPSTF) mammography guidelines, according to a provision in the new health reform law.
The Patient Protection and Affordable Care Act calls the USPSTF recommendations the most current recommendations regarding breast cancer screening, mammography, and prevention.
However, Congress included an insurance coverage protection for patients whose screenings and other actions counter the USPSTF recommendations. Congress wrote in the law:
"Nothing in this subsection (2713) shall be construed to prohibit a plan or issuer from providing coverage for services in addition to those recommended by United States Preventive Services Task Force or to deny coverage for services that are not recommended by such Task Force."
Mammography industry insiders called this a victory over the recommendations, which at least one expert tabbed as "atrocious" and a two-decade step backward for women's healthcare.
The USPSTF guidelines, released in November, suggested that women should not be required to start breast cancer screenings at 40. Instead, the task force said women should decide whether to get screened at 40 only after discussing the pros and cons with their physician. Routine screening should start at 50, according to the USPSTF.
The Annals of Internal Medicine, the journal that published the new recommendations, backed the changes in a February 2010 editorial, saying women need to understand the benefits and harms that come with screening.
USPSTF supporters say screening changes are needed because too many women are being over-treated for breast cancer, many of whom still die despite diligent screening. Breast experts counter that these changes put many more women at risk unnecessarily.
The ACR Breast Imaging Commission is now backing a new Congressional bill that would permanently protect mammography reimbursement, says Rebecca Spangler, director of congressional affairs and government relations and economic policy departments for ACR in Washington, D.C.
"It's not time to let down your guard," says Spangler. "I think we just have to stay vigilant. The immediate risk was averted, but it's something that I think everyone needs to stay on top of."
Congressman Leonard Lance (R-NJ) introduced the new bill that ACR backs—H.R. 4794: "Safeguarding Access to Preventive Services 2010," to prohibit insurers, both government and private, from denying or restricting an item or services based on recommendations from the USPSTF or any "successor task force."
The House bill currently has five co-sponsors:
Jo Ann Emerson (R-MO)
Cathy McMorris Rodgers (R-WA)
Erik Paulsen (R-MN)
Michael Rogers (R-MI)
Jean Schmidt (R-OH)
The bill was referred to the House Education and Labor committee March 9, which is the first step in the legislative process. The committee then works on revising the bill before it is set forth for general debate.
Freelancer Kelly Bilodeau contributed to this report.
The Office for Civil Rights (OCR) cited a 36-year-old privacy law as the reason why it cannot post on its breach notification Web site the names of private practitioners who report breaches of unsecured PHI affecting 500 or more individuals.
OCR writes in an e-mail to HealthLeaders Media that private practitioners who report these major breaches of unsecured PHI are considered "individuals" as defined by the Privacy Act of 1974.
Therefore, these "individuals" can stop OCR from posting their names on its breach notification Web site simply by not providing written consent. In those cases, OCR lists the entity as "private practice."
"It is the legal opinion of HHS that the names of private practitioners are identifiable as 'individuals,' as defined by the Privacy Act of 1974," OCR writes to HealthLeaders Media.
As of today, April 12, 59 entities reported breaches of 500 or more, eight of which were listed as "private practice." That nearly doubles the initial report of 32 reporting entities when OCR made its Web site public in late February.
Though OCR did not cite the specific disclosure provision of the Privacy Act of 1974, here is the language of 5 U.S.C. § 552a(b):
"No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains …"
Kate Borten, CISSP, CISM, president of The Marblehead Group, says the privacy argument here would seem moot since each entity, per HITECH, must notify each of the 500 or more affected individuals in the breach via a letter as well as through the media.
HITECH is part of a sweeping set of changes to HIPAA enforcement and breach notification included in the American Recovery and Reinvestment Act of 2009, signed into law February 17, 2009.
Congress included the more strict provisions for privacy and security protections and made enforcement tougher by including potential public scrutiny on government Web sites.
However, Borten says not posting the names of each entity "defeats the purpose of public posting. I doubt this is what Congress had in mind."
HealthLeaders Media asked OCR in an e-mail why these "private practices" are not subject to the same public scrutiny as the other entities listed on its Web site.
OCR did not respond directly to the inquiry, only citing the Privacy Act of 1974.
"This application of the Privacy Act may not be what Congress intended, but as healthcare entities are required to comply with an increasing number of laws and regulations, there will inevitably be unintended and unforeseen conflicts between laws," says Jana Aagaard, attorney in the Law Office of Jana Aagaard in Carmichael, CA. "This is an example of the unintended consequences that often accompany new regulations."
"We've always had a history of being transparent with our public reporting," Bill Powanda, vice president at Griffin and the hospital's spokesperson for the incident, tells HealthLeaders Media.
The breach at the 160-licensed-bed facility in Derby, CT, involves allegations that a radiologist formerly affiliated with Griffin improperly had access to the records of nearly 1,000 of the hospital's patients.
Connecticut Attorney General Richard Blumenthal confirmed his office is investigating the case.
Powanda says Griffin was honest with its patients and also complied with HITECH breach notification requirements by:
Notifying the HHS secretary
Notifying patients who have had their PHI accessed in the breach
Disclosing the information to the local media
Posting information about the breach on Griffin's Web site
Notifying the Connecticut AG's office
Powanda says Griffin's transparency is part of its "Planetree model," the philosophy that includes the effort to "foster education and communication," according to Griffin's Web site.
"We believe in transparency," Powanda says. "It's part of our Planetree model. It's about openness, disclosure, and empowering the patient through information."
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, tells HealthLeaders Media it appears Griffin Hospital did all the right things in its breach response.
Griffin's level of transparency, he says, "shows that the organization is well intentioned in getting information out to those that are affected so as to salvage its reputation of goodwill in serving its customers."
It is paramount, Ruelas says, that covered entities be able to "tell a good story when it comes to showing their compliance efforts, especially during the time when addressing a breach and the associated requirements to include the prescribed breach notifications."
"This shows that an organization is committed well beyond just drafting policies to fill a policy binder on a bookshelf or policy folder on a computer file server," Ruelas adds.
Griffin's strong response to the breach does not overshadow that nearly 1,000 patient records may have been inappropriately accessed.
From February 4 to March 5, Griffin said an investigation revealed a radiologist previously affiliated with the hospital or on the hospital's medical staff used the passwords of other radiologists and an employee within the radiology department to gain access to 957 patient radiology reports on the hospital's Digital Picture Archiving and Communication System (PACS). The reports included patient name, exam date, exam description, gender, age, medical record number, and date of birth, according to the facility.
"Though there are certainly some questions that Griffin will have to answer with respect to its own practices and safeguards that may have detected or even possibly prevented this breach," Ruelas says, "the transparency can give the impression that the organization, as are those who are affected, is intent on finding answers to very critical questions."
Griffin President Patrick Charmel defends his hospital's practice of securing patient information in its Web site statement:
"Griffin Hospital has stringent policies, procedures, and systems in place to protect patient information and takes very seriously our obligation to safeguard the personal and health information of our patients," Charmel says. "This breach, however, appears to have been a deliberate intrusion into Griffin's PACS to view patient radiology reports. We acted quickly to complete an audit and investigation and to notify affected patients. As a result of this breach, steps are underway to further strengthen the security of patient information."
The HITECH breach notification requirements can be found in the interim final rule published in the Federal Register August 24, 2009.
The rule states that:
Covered entities (CE) must notify affected patients "without unreasonable delay," but no later than 60 days after the CE discovers or should have discovered the breach or from the time a business associate (BA) notifies the CE of a breach
BAs must notify CEs when they discover a breach
Breaches affecting 500 or more patient records require notice to the secretary of HHS and prominent media outlets serving a state or jurisdiction
Breaches affecting deceased patients require notice to next of kin
Notices must describe what occurred; details of the unsecured, breached PHI; steps to help mitigate harm to patients; and the CE's response
Breaches of unsecured PHI affecting fewer than 500 patient records require annual notice to the secretary of HHS no later than 60 days after the end of the calendar year
Connecticut Attorney General Richard Blumenthal is investigating his second case involving HIPAA violations this year, using again a legal authority granted to state attorneys general under the HITECH Act signed into law February 2009.
Blumenthal's office confirmed in a statement Monday that it is pursuing a case involving allegations that a radiologist formerly affiliated with a Connecticut hospital improperly had access to the records of nearly 1,000 of the hospital's patients.
Three months ago, Blumenthal announced he was suing Health Net of Connecticut, Inc., after the insurer reportedly failed to secure private medical records and financial information of 446,000 Connecticut members and then did not promptly notify them of the possible security breach for six months.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP and author of HIPAA Blog, says the power granted to state AGs to pursue lawsuits is a major change for HIPAA enforcement.
"Combined with the ability of individuals to get a 'piece of the pie' when penalties are handed out, this will be the biggest game-changer in HITECH," says Drummond.
The hospital involved in this week's case is Griffin Hospital of Derby, CT, a 160-licensed-bed facility that handled about 7,500 admissions last year (179,000 outpatients). Griffin confirmed the breach of protected health information (PHI) in a statement on its Web site.
From February 4 to March 5, Griffin said an investigation revealed a radiologist previously affiliated with the hospital or on the hospital's medical staff used the passwords of other radiologists and an employee within the radiology department to gain access to 957 patient radiology reports on the hospital's Digital Picture Archiving and Communication System (PACS). The reports included patient name, exam date, exam description, gender, age, medical record number, and date of birth, according to the facility.
The radiologist, once contracted with Griffin for radiology professional services, had authorized access to the hospital's PACS. However, his employment with the radiology group was terminated on February 3, 2010, Griffin says, and his password revoked.
But through its investigation, Griffin learned of repeated, unauthorized access to its PACS from a single computer. Its audit identified the Internet Protocol (IP) address of the former employee's computer as the source of the inappropriate access.
The former employee downloaded the image files of 339 of these patients, Griffin said.
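The audit Griffin describes, tying the sessions together by source IP address rather than by the borrowed accounts, is the pivot a detection engineer would script rather than do by hand. What follows is an added example, not Griffin's or any PACS vendor's code. The log format, account names (rad_a, rad_b, rad_c, tech_d), IP addresses and medical record numbers are constructed for illustration, and the terminated-account table, 72-hour window and three-account threshold are assumptions. It flags logins to a disabled account after its termination date (revocation failure), source IPs that present several distinct accounts in a short window (shared or borrowed passwords), and every record view and download from a departed user's last-known workstation after the departure, then scopes the affected records for the notification count.

```python
"""Detect credential sharing and post-termination access in PACS audit logs.

Added example; not Griffin Hospital's code or any PACS vendor's API. The log
format, accounts, IPs and MRNs are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PACS audit records: timestamp, event, account, source IP, MRN.
SAMPLE_LOG = """\
2010-02-02T09:10:00 LOGIN rad_a 10.20.30.44 -
2010-02-02T09:12:00 VIEW rad_a 10.20.30.44 MRN100
2010-02-04T21:05:00 LOGIN rad_b 10.20.30.44 -
2010-02-04T21:06:00 VIEW rad_b 10.20.30.44 MRN101
2010-02-04T21:07:00 DOWNLOAD rad_b 10.20.30.44 MRN101
2010-02-05T22:15:00 LOGIN rad_c 10.20.30.44 -
2010-02-05T22:16:00 VIEW rad_c 10.20.30.44 MRN102
2010-02-06T23:40:00 LOGIN tech_d 10.20.30.44 -
2010-02-06T23:41:00 VIEW tech_d 10.20.30.44 MRN103
2010-02-06T23:42:00 DOWNLOAD tech_d 10.20.30.44 MRN103
2010-02-05T08:00:00 LOGIN rad_b 10.20.31.7 -
2010-02-05T08:01:00 VIEW rad_b 10.20.31.7 MRN104
2010-02-07T10:00:00 LOGIN rad_a 10.20.30.44 -
"""

# Hypothetical HR/IT feed: disabled account -> (termination date, last-known
# workstation IP). Both values are assumptions for the example.
TERMINATED = {"rad_a": (datetime(2010, 2, 3), "10.20.30.44")}


def parse_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, event, user, ip, mrn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "ip": ip, "mrn": mrn})
    return events


def post_termination_logins(events, terminated):
    """Logins on a disabled account on or after its termination date.
    Any hit means password revocation did not actually take effect."""
    return [e for e in events if e["event"] == "LOGIN"
            and e["user"] in terminated and e["ts"] >= terminated[e["user"]][0]]


def shared_ip_accounts(events, window=timedelta(hours=72), min_accounts=3):
    """Source IPs from which at least min_accounts distinct accounts logged in
    within one sliding window: a shared-workstation or borrowed-password signal."""
    logins = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "LOGIN":
            logins[e["ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, entries in logins.items():
        for i, (start, _) in enumerate(entries):
            users = {u for t, u in entries[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def activity_from_terminated_ips(events, terminated):
    """Record views/downloads from a departed user's last-known workstation IP
    after the termination date, whichever account was used. This is the IP
    pivot: the account-centric view alone would call these sessions legitimate."""
    ip_to_date = {ip: date for date, ip in terminated.values()}
    return [e for e in events if e["ip"] in ip_to_date
            and e["ts"] >= ip_to_date[e["ip"]]
            and e["event"] in ("VIEW", "DOWNLOAD")]


def scope_breach(suspect_events):
    """Distinct MRNs viewed and downloaded in the suspect sessions, which is
    the population the breach notification has to cover."""
    viewed = {e["mrn"] for e in suspect_events if e["event"] == "VIEW"}
    downloaded = {e["mrn"] for e in suspect_events if e["event"] == "DOWNLOAD"}
    return viewed, downloaded


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for e in post_termination_logins(ev, TERMINATED):
        print("REVOCATION FAILED:", e["user"], e["ts"].isoformat(), e["ip"])
    for ip, users in shared_ip_accounts(ev).items():
        print("SHARED CREDENTIALS?", ip, sorted(users))
    suspect = activity_from_terminated_ips(ev, TERMINATED)
    viewed, downloaded = scope_breach(suspect)
    print("records viewed:", sorted(viewed), "downloaded:", sorted(downloaded))
```

The rad_b login from 10.20.31.7 is left unflagged on purpose: the account is legitimate, and only its use from the departed user's workstation is suspect, which is why the scoping runs over the IP-pivoted events rather than over everything rad_b touched.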
HealthLeaders Media on Tuesday asked a Griffin Hospital spokesperson if the former radiologist sought personal financial gain by recruiting the hospital's clients. Bill Powanda, vice president at Griffin and the hospital's spokesperson for the incident, said, "that will all come out in the investigation."
"These charges, if true, are deeply disturbing," Blumenthal said in a statement. "Patients rightly expect and demand that their medical information remain secure and confidential, viewed only by authorized individuals. Unauthorized accessing of patient information is a violation of the federal HIPAA law that my office is empowered to enforce. I will seek strong and significant sanctions, if warranted by the facts."
Griffin began the investigation when patients contacted Griffin about "unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin Hospital."
Griffin said it has complied with HITECH breach notification requirements by:
Notifying the HHS secretary
Notifying patients who have had their PHI accessed in the breach
Disclosing the information to the local media
Posting information about the breach on Griffin's Web site
Griffin officials have also notified Blumenthal's office about the breach, changed all of the passwords for PACS users whose passwords were used without authorization, and advised all users of the need for strict password confidentiality.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says bringing state AGs into the HITECH enforcement mix raises the possibility of discovered breaches to a "new level."
"I certainly can see attorneys general becoming motivated first responders to discovered breaches when compared to actions that may be taken by a federal entity. Bottom line, enforcement, or at least the threat of enforcement, is moving closer and closer to home with respect to the location of the involved covered entity," he says.
The co-chair of the ACR Breast Imaging Commission calls the US Preventive Services Task Force (USPSTF) mammography guidelines "atrocious" and a two-decade step backward for women's healthcare.
Carl D'Orsi, MD, co-chair of the ACR Breast Imaging Commission, says, "What those guidelines have done is picked women's healthcare up and put it back 20 to 25 years when the mortality from breast cancer was 30% higher."
The USPSTF guidelines, released in November, suggested that women should not be required to start breast cancer screenings at 40. Instead, the task force said women should decide whether to get screened at 40 only after discussing the pros and cons with their physician. Routine screening should start at 50, according to the USPSTF.
The Annals of Internal Medicine, the journal that published the new recommendations, backed the changes in an editorial last month, saying women need to understand the benefits and harms that come with screening.
"Nearly everyone knows [or is] someone whose breast cancer was found on a mammogram," Annals wrote. "Many perceive that the mammogram 'saved a life.' Unfortunately, only a fraction of abnormalities initially detected on mammography and subsequently treated truly represents a life saved rather than unnecessary or premature treatment."
Many women also die despite screening and early detection, Annals wrote, and there are unintended risks that go along with screening.
"Breast cancer prematurely claims the lives of many, but it is wrong to mislead women about the effectiveness of current screening methods," Annals wrote. "Women deserve to make decisions about screening for breast cancer armed with the best available information about potential benefits and harms."
However, D'Orsi says changing mammography practices will put women at risk and won't be realized for years.
The Annals said those who disagree with the USPSTF recommendations are relying on emotion rather than science, but ACR and the Society of Breast Imaging (SBI) wrote in a statement, "This ignores the fact that different conclusions can be reached based on the same data. The USPSTF admits that its members were not unanimous in endorsing these recommendations."
ACR and SBI still say women 40 and older should automatically be screened for breast cancer, and women over 50 should continue with annual exams, said Carol Lee, MD, chair of the American College of Radiology Breast Imaging Commission, in a written release.
Lee and others said that the USPSTF recommendations were based on shoddy science and fly in the face of evidence. Since mammography screening began in 1990, the mortality rate from breast cancer dropped by 30%. Prior to screening women, the death rate had been unchanged for 50 years, according to ACR.
ACR said the USPSTF based its recommendations to reduce breast cancer screening on "conflicting computer models." It also based them on the controversial view that the parameters of mammography screening change abruptly at age 50.
"There are no data to support this premise," the ACR said.
ACR and SBI also criticized the makeup of the USPSTF, which did not include anyone with experience in breast cancer care.
"Allowing a small number of people with no demonstrated expertise in breast cancer care to make recommendations regarding diagnosis of the nation's second leading cancer killer makes no scientific sense, and has set off a chain of political and clinical events that many women may ultimately pay for with their lives," said James H. Thrall, MD, chair of the American College of Radiology Board of Chancellors in the ACR/SBI statement. "Lawmakers at all levels need to act now to ensure that these recommendations do no further damage, and that women have full and ready access to mammography."
Women should speak up about this issue, W. Phil Evans, MD, FACR, president of the SBI, said in the statement.
"Doctors, payers, and patients should disregard the USPSTF recommendations and continue to follow recommendations set forth by the American Cancer Society, American College of Radiology, and Society of Breast Imaging," said Evans.
ACR also wants federal and state legislators to officially exclude USPSTF mammography recommendations from coverage decisions by federal and state insurance programs.
State and federal legislators should act to ensure that public and private insurance companies cannot deny mammography coverage to women based on USPSTF recommendations, the organizations said.
Freelancer Kelly Bilodeau contributed to this report. E-mail her at kelly@phbphoto.com.
The Office for Civil Rights (OCR) cannot post the names of entities that report breaches of unsecured protected health information affecting 500 or more individuals unless the entity gives it written consent, OCR tells HealthLeaders Media.
In cases where OCR does not have written consent, it will cite the entity on its Web site as "private practice." This method has led industry insiders to question OCR, says Kate Borten, CISSP, CISM, president, The Marblehead (MA) Group.
Per the HITECH, OCR must post "a list that identifies each covered entity" that reports breaches of 500 or more.
However, of the 44 organizations listed on the Web site as of Friday, seven are cited by OCR as "private practice."
"Under current Privacy Act restrictions," OCR writes to HealthLeaders Media in an e-mail, "OCR may not disclose the names or other identifying information about private practitioners without their written consent."
Five of those "private practices" are from the same city on the same date, Torrance, CA, September 27, 2009, but each is posted with a different number of individuals affected. The highest number of affected individuals is 6,145. The other two "private practices" are out of Stoughton, MA, and Wilmington, NC.
Borten says listing private practice "defeats the purpose of public posting. I doubt this is what Congress had in mind."
Since September, of the 44 entities that have reported such large breaches, 10 involved business associates (BAs). It is not clear whether the "private practices" are BAs or covered entities.
The largest breach reported came from Blue Cross Blue Shield of Tennessee, which affected 500,000 individuals as a result of stolen hard drives, OCR reported on its Web site.
Following Blue Cross Blue Shield is AvMed, Inc., a Gainesville, FL, health plan. A stolen laptop on December 10, 2009, resulted in a reported breach affecting 359,000 individuals, according to OCR.
Borten says she's also concerned that the Web site posting of the breaches of 500 or more is hard to find. To get to the 500 list, users must click "New Breach Notification Web Pages" on the privacy home page. From there, the link to the 500 list is on the bottom right-hand corner.
In response to HealthLeaders' inquiry about the prominence of the site, OCR wrote, "The OCR HIPAA Privacy Web site is one of the most visited Web sites in the department, and the link to the new breach Web site is prominently available from the home page."
Borten says she "respectfully disagrees."
"Only someone who is determined to find the site and knows it must be there is likely to find it by drilling down," she says.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ, says he too feels the Web site is hard to track.
"I didn't necessarily see the Web-based notices all that easy to find," Ruelas says. "I would have expected them to be a bit more prominently displayed."
Borten says she hopes OCR will reconsider "where and how it posts breaches so that the full intent and impact of the law is met."
But OCR stands by its method, telling HealthLeaders, "The posting of breaches affecting over 500 individuals, as with other provisions in HITECH, has brought a strong refocus on compliance with the HIPAA Privacy and Security rules."
The Office for Civil Rights (OCR) today confirmed it expects to release proposed rules regarding privacy and security provisions of HITECH, but still has not said when.
For the past couple of weeks, industry insiders have talked about an enforcement delay in HITECH provisions effective February 17 until OCR formally publishes rules regarding the provisions. OCR hadn't responded formally until today.
These provisions include:
Business associate (BA) liability
New limitations on the sale of protected health information, marketing, and fundraising communications
Stronger individual rights to access electronic medical records and restrict the disclosure of certain information
"Although the effective date [February 17, 2010] for many of these HITECH Act provisions has passed, the [notice for proposed rulemaking] and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements," OCR wrote in the statement on its Web site.
Earlier this month, an OCR lawyer told HealthLeaders Media the HIPAA privacy and security enforcer will release a proposed rule regarding business associate provisions in HITECH "shortly."
Adam H. Greene, Office of the General Counsel for OCR, wrote in an e-mail to HealthLeaders that OCR's rulemaking will elaborate on the expected date of compliance surrounding the rule.
Per HITECH, BAs had to be compliant with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule by February 17 and had to enter into an updated agreement with their covered entities.
However, a law firm blogged last month that Greene said enforcement of some BA provisions will be delayed until final rules addressing those provisions are published.
OCR reminded covered entities and BAs that two interim final rules implementing HITECH provisions have already been issued and are currently in effect: enforcement and breach notification.
New civil money penalty amounts apply to HIPAA privacy and security rule violations occurring after February 17, 2009. Covered entities and BAs must comply now with breach notification obligations for breaches that are discovered on or after September 23, 2009.
OCR has said it would use its "enforcement discretion" not to impose fiscal sanctions with regard to breaches discovered before February 22, 2010.
"Since that date has passed, OCR will enforce the Breach Notification Interim Final Rule, including with the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements," OCR added.
An author on Red Flags Rule compliance tells HealthLeaders Media that eliminating small practices from complying with the FTC's identity theft prevention program regulation would lead to more identity violations.
In December 2009, the U.S. District Court issued a summary judgment in favor of the American Bar Association that said the Red Flags Rule does not apply to attorneys or law firms.
Piggybacking off that decision, a group that includes the American Dental Association, American Medical Association, American Osteopathic Association, and the American Veterinary Medical Association wrote a letter to the FTC urging it to remove them from compliance. Also, the House passed a bill last year that calls for removing entities with 20 or fewer employees from Red Flags Rule compliance.
The Red Flags Rule's compliance date, November 1, 2008, has now been in effect for nearly a year and a half. The enforcement date, however, has been delayed four times; it is now June 1, 2010.
Randy Berry, BA, CPA, financial leader and Red Flags Rule compliance expert with Columbus Healthcare & Safety Consultants in Columbus, OH, says it would be unfortunate if entities with 20 or fewer employees are let off the compliance hook.
"Smaller businesses with small multi-tasking staffs have fewer controls and are more at risk than that of larger businesses with a larger staff size," says Berry, author of the Red Flag Manual and Training CD Package. "Small businesses are more prone to customer identity theft."
The FTC is fighting back to get smaller entities to comply. On February 25, FTC filed a notice that appeals the U.S. District Court's December judgment in favor of the ABA's stance that attorneys and law firms are not considered "creditors," per the FTC's Red Flags Rule definition. (All "creditors" must comply).
"We are disappointed that the Federal Trade Commission has decided to appeal its loss of the Red Flags litigation in the District Court," ABA President Carolyn Lamm said on the ABA's Web site.
However, Berry says recent FTC research identified the severe problem of organizations not ensuring that their business associates (BAs)/service providers have adequate identity-theft safeguards in place within their software systems and networks for peer-to-peer (P2P) file sharing.
Berry cited "improper release or theft of an individual's personal financial information" as the core reason behind the Red Flags Rule.
"Continual delaying the enforcement of the Red Flags regulations jeopardizes tens of thousands of individuals' personal financial information," Berry says. "This confidential personal financial information is potentially being transmitted across non-secured networks between a business and their business associates/service providers, which also may have weak internal controls programmed into its P2P software."
The responsibility to comply, Berry says, should be on the BAs/service providers to add identity theft prevention safeguards to their software program and to add more security features to their networks.
Agreements with BAs and service providers should include requirements for the BAs, Berry says, "to take adequate safeguards to ensure that the businesses' customer's personal financial information is secured along with the customer's personal health information as required by HIPAA."