
THE PRIVACY ANALYTICS NEWSLETTER

EDITION 2, 2012

Privacy Analytics: The developers of the only commercially
available integrated data masking and de-identification tool

Table of Contents:

1. Anatomy of a Data Breach: The first in a three-part series
   Part 1: Data Privacy Regulations, Penalties and Statistics
   By James J. Giszczak and Dominic A. Paluzzi, McDonald Hopkins Law Firm
   Page 2

2. Trust: The Prescription for a Long and Healthy Relationship
   By Jay Innes
   Page 5

3. Medical Identity Theft: Seven Years On
   By Jay Innes
   Page 7

4. The First Wave of OCR Audits for HIPAA and HITECH Compliance: Key Results Summary
   By Mike Humason, Director of Healthcare Systems, Micro Solutions
   Page 8

5. Patient Recruiting Innovation Emerges from Personal Experience
   By Jay Innes
   Page 10

6. Privacy Analytics update: PARAT software upgrades and recent news
   Page 11

If you have not already subscribed, please sign up to receive the monthly
Risky Business newsletter: http://www.privacyanalytics.ca/registernl.asp

Follow us on @privacyanalytic

Look for the Privacy Analytics company site on

All comments and story ideas welcome:
Contact Jay Innes at jinnes@privacyanalytics.ca

Trust PARAT for re-identification risk
assessment and de-identification

CONTACT US
www.privacyanalytics.ca | 613.369.4313
info@privacyanalytics.ca
800 King Edward Drive, Suite 3042
Ottawa, Ontario, Canada K1N 6N5

RISKY BUSINESS - THE PRIVACY ANALYTICS NEWSLETTER - EDITION 2, 2012

Anatomy of a Data Breach: A 3-Part Series

Part 1: Data Privacy Regulations, Penalties and Statistics

BY JAMES J. GISZCZAK AND DOMINIC A. PALUZZI, MCDONALD HOPKINS LAW FIRM

QUESTIONS TO CONSIDER:

- Does your company have a Written Information Security Program?
- Have you established clear data security procedures?
- Does your company have an Incident Response Plan?
- Are you aware of the myriad of state, federal and international laws
  that require data breach notification?
- Do you have appropriate IT and electronic policies concerning personal
  or other sensitive information, whether it is in hard copy, or stored
  on laptops or other portable devices?
- Does your company properly protect its personal information with
  confidentiality agreements for its employees, vendors and visitors?
- Does your company properly train its employees on its data security
  program and policies?

INTRODUCTION

If you just read these questions and are asking yourself, "What is an
Incident Response Plan?" or "What is a Written Information Security
Program?", you are not alone. Let's discuss why we even need to be
talking about data privacy in the first place.

In today's electronic age, with personal and financial information and
protected health information stored on computers, on laptops, on the
internet, and on other miniature media devices, and with the rise of
identity theft, individuals are more concerned than ever about protecting
their personal information and protected health information.
Increasingly, companies have become targets for people, both internally
and externally, misappropriating this information for improper purposes.

Anatomy of a Data Breach is a 3-part series of articles that will discuss
data privacy, the rapidly changing laws that entities must adhere to, and
the challenges they face through the compliance process. This first
article addresses the general concepts of data security, stunning
statistics, critical privacy laws and penalties for non-compliance. The
second article will feature proactive measures and requirements to
minimize the risk of a data breach in your organization. Finally, the
third article will address the immediate and appropriate actions to take
once a breach occurs.

WHAT DATA IS PROTECTED AND WHO IS IMPACTED?

By state and federal statute, personal information (PI) or personally
identifiable information (PII) refers to unique identifiers such as an
individual's Social Security number, driver's license number, credit
card numbers, credit report history, passport number, tax information
and banking records. Protected Health Information (PHI) refers to
medical records, health status, provision of healthcare and payment
for healthcare.

Every industry is at risk when it comes to data privacy, but some are
more critical, such as: billing companies, education, insurance,
staffing, healthcare, retail, manufacturing, accounting, financial
services, legal, pharmaceuticals and government/military. These
industries are most at risk due to the amount of sensitive PI and PHI
that they either own, license, or otherwise have access to and/or
control of.

What is most important in the data privacy arena is for your
organization to partner with vendors that have significant experience
advising clients on best practices, security and storage policies,
dealing with data breaches, and complying with state and international
data security laws. It's important to find a balance between the
information requirements of your organization and the individual rights
of your employees, customers and third parties. This area of law is
rapidly changing and it's critical that the complex privacy laws are
both understood and followed.

STARTLING STATISTICS

Over 544,664,595 data breaches have been reported since 2005 (Privacy
Rights Clearinghouse). Of course, many have gone unreported, so this
figure is more than likely 3 times higher, or 1,633,993,785. A Ponemon
study has recently found that the average cost of a data breach is $214
per compromised record, which is broken down as follows:

Activity                          Percent   Dollar
Investigation & Forensics           11%      $23
Audit & Consulting Services         10%      $21
Outbound Contact                     5%      $10
Inbound Contact                      6%      $13
Public Relations/Communications      1%       $2
Legal Services - Defense            14%      $30
Legal Services - Compliance          2%       $4
Free or Discounted Services          1%       $2
Identity Protection Services         2%       $4
Lost Customer Business              39%      $83
Customer Acquisition Cost            9%      $19
Total                              100%     $214

Source: http://www.ponemon.org/index.php

Of the attacks, 85% are not even considered difficult and 96% are
avoidable through simple or intermediate controls (Verizon Data Breach
Investigations Report). So what is the incentive for a criminal to have
access to your PI through either a low-tech breach or via hacking into a
computer network? The value of your stolen data on the black market is
quite surprising:

Overall Rank        Item                      Percentage       2010 Price
2010   2009                                   2010    2009     Ranges
1                   Credit Card Information   22%     19%      $0.07-$100
2                   Bank Account Credentials  16%     19%      $10-$900
3                   Email Accounts            10%     7%       $1-$18
4      13           Attack Tools              7%      2%       $5-$650
5                   Email Addresses           5%      7%       $1/MB-$20/MB
6                   Credit Card Dumps         5%      5%       $0.50-$120
7                   Full Identities           5%      5%       $0.50-$20
8      14           Scam Hosting              4%      2%       $10-$150
9                   Shell Scripts             4%      6%       $2-$7
10     10           Cash-out Services         3%      4%       $200-$500 or
                                                               50%-70% of
                                                               Total Value

(Source: http://www.symantec.com/threatreport/)

CRITICAL PRIVACY LAWS & STANDARDS

As a result of the increased frequency of data thefts and breaches of
PI and PHI, the data privacy regulations are voluminous and onerous.
There are at least 35 federal laws with data protection or privacy
protections. Forty-six states, the District of Columbia, Puerto Rico,
the Virgin Islands and numerous foreign countries have enacted
legislation requiring notification of security breaches involving PI
and/or PHI. Relative to the 46 state statutes, it is the residence of
the affected individual which determines the applicable notice law,
regardless of whether or not the entity has a business physically
located in that state. There are at least six recently proposed federal
bills which, if enacted, may supersede the 46 state laws currently in
effect. A highlight of some of the critical privacy laws and standards
can be found below:

- Health Insurance Portability & Accountability Act of '96 (HIPAA)
  o Requires healthcare providers to ensure the confidentiality of all
    protected health information (PHI)
- Health Information Technology for Economic & Clinical Health Act (HITECH)
  o Imposes new notification requirements on covered entities, business
    associates & vendors if a breach of unsecured PHI occurs
- Gramm-Leach-Bliley Act (GLBA)
  o Requires financial institutions to safeguard security of customer
    information/records and protect against unauthorized access of same
- Federal Trade Commission (FTC) Red Flags Rule
  o Requires financial institutions and creditors to implement written
    identity theft programs to identify theft, prevent crime and
    anticipate damages
- Identity Theft Enforcement and Restitution Act (ITERA)
  o Victims of identity theft allowed to recover an amount equal to the
    value of time spent by the victim to remediate the intended or actual
    harm incurred
- Payment Card Industry Data Security Standards (PCI DSS)
  o Requires organizations handling bank cards to conform to numerous
    security standards regulated by Visa and MasterCard

COST OF NON-COMPLIANCE

As if the requirements in the statutes themselves were not burdensome
enough, many of the regulations include significant penalties for
failing to comply with the data privacy statutes. A few of the legal
penalties include:

- Up to $750,000 in penalties to the company for failure to notify
  affected individuals
- $10,000 per violation for officers/directors personally
  (Gramm-Leach-Bliley Act)
- Up to $50,000 per violation for consumer health information retained
  on a hard drive (Health Insurance Portability and Accountability Act
  [HIPAA])
- Officers/directors can serve up to five years in prison
- Banks can lose FDIC insurance
- Bank officers can be barred from the industry under the
  Gramm-Leach-Bliley Act
- State privacy statutes provide for private civil actions for instances
  of non-compliance, including punitive damages and attorneys' fees
- Under HIPAA, failure to properly erase consumer health information can
  carry a minimum prison term of one year

CONCLUSION

A comprehensive approach to data privacy and network security is the
most effective means to avoid a data breach and is the best way to be
prepared to respond to a breach when necessary. It is important for
organizations to recognize the need to be proactive. Complying with the
latest data security laws through a comprehensive approach will provide
benefits in the immediate future, reducing the likelihood of a data
breach, and minimizing the loss when such an event occurs.

Part two in this series will feature various proactive steps
organizations should take to be compliant with data privacy laws and
regulations, including drafting and implementing appropriate data
privacy policies and procedures and ongoing training of employees on
the importance of data security. The article will also include a
discussion of cyber insurance coverage available to help insureds
mitigate the cost of a breach and protect an organization's balance
sheet. The third part in the series will discuss the data breach
response process and appropriate notifications to affected individuals
and state attorneys general, in addition to media notice when necessary,
public relations management and credit monitoring to help mitigate
damages incurred.

James J. Giszczak, a Member with McDonald Hopkins, litigates matters
involving data security and data privacy and advises clients regarding
data security measures and responding to security breaches. Jim also
works with clients in a myriad of industries to assess and implement
appropriate data security safeguards and continues to work with
federal, state and local authorities, as well as third-party vendors.
Jim can be reached at: jgiszczak@mcdonaldhopkins.com

An Associate with McDonald Hopkins in Detroit, Michigan, Dominic A.
Paluzzi advises clients regarding data privacy and network security
measures, drafts information security programs and incident response
plans, and responds to data security breaches. Dominic coaches clients
who have experienced a data breach, ensuring compliance and minimizing
exposure.
Dominic can be reached at dpaluzzi@mcdonaldhopkins.com

iTunes Announcement

AVAILABLE NOW!

Subscribe to the free iTunes podcasts, co-sponsored by Privacy
Analytics, providing a comprehensive webinar series addressing the
topics of de-identification, data breaches, data protection, consent,
ethics, privacy regulations, and data sharing.

The Secret to a Long and Healthy Relationship With Your Healthcare
Provider?

BY JAY INNES

Ottawa, ON, Canada. Two recent patient surveys indicate that it is not
just the rich and famous who worry about the security and
confidentiality of personal health records; patients are starting to
ask questions about the migration to Electronic Health Records (EHRs),
and the questions may have an impact on the sacred doctor-patient
relationship.

In 2011, the National Partnership for Women and Families and Alan
Westin, Professor Emeritus, Columbia University, conducted a survey of
more than 1,900 American adults to produce Making It Meaningful: How
Consumers Value and Trust Health IT. The survey revealed that more than
80 per cent of respondents do not feel they are adequately informed of
the ways in which their medical information is collected and used. The
study concludes that the onus falls on the physicians as the frontline
caregivers to provide crucial guidance and that the physicians should
cultivate trust in EHRs.

In a recent webinar co-sponsored by Privacy Analytics, healthcare lawyer
Ken Rashbaum reminded the attendees of the recent quote from Leon
Rodriguez, when the director of the Office for Civil Rights (OCR)
connected trust and healthcare: "If people lose trust in the healthcare
system, they will not get the care they need." Rodriguez went on to tell
the Detroit Free Press that enforcement promotes compliance.

Rashbaum, who was providing information on the HIPAA spot audits now
underway in the U.S. and advising on breach prevention strategies,
acknowledges that this is an exciting but unsettled time for healthcare
sectors. As healthcare providers in many countries move from paper to
digital records, encouraged by government incentives, patients are
seeing the elevation of the roles of data stewards and IT departments.

"For the first time in medical history, information has become a tool
of care because we have the ability to coordinate and consolidate
information from so many different sources," says the New York
attorney, who has more than 25 years' experience in the healthcare and
pharmaceutical industries.

The report from the National Partnership for Women and Families goes on
to highlight the fact that consumer education is needed to enhance the
understanding of the link between the care process and the records
systems that support care. Almost two-thirds of all respondents
indicated that widespread adoption of EHRs will lead to the theft or
loss of personal information, which, as Rashbaum indicates, strikes at
the core of the bond of trust between the doctor and patient.

If patients lose confidence in the security and the trust in the
confidentiality of their information, then they are not going to be as
forthcoming with their physicians, and the information may no longer be
reliable from the care point of view.

Rashbaum is quick to point out that the loss of confidence is less with
the physicians than the mutable nature of electronic information (easier
to lose than paper), and such concerns are exacerbated by media coverage
of information leaks and losses that could potentially undermine the
many beneficial uses for the electronic records. "If the data can't be
trusted by the patient, then the patient will be reluctant to give full
and comprehensive information, and then the physician may in turn look
with less trust on the information," warns Rashbaum.

The reactions of patients who are concerned about the security of their
records and the impact on trust were revealed in a recent four-country
survey conducted for the Florida company FairWarning. The results
measured patient expectations, actions and reactions to concerns over
the security of personal health records, signaling an increase in public
awareness. The surveys of patients in the U.S., U.K., France and Canada
indicate that patients will alter behavior if trust is compromised and,
in some instances, withhold information from healthcare providers, which
could be detrimental to future care strategies and treatments. The
decision to withhold information from a care provider, resulting in an
inaccurate or incomplete health record, may seriously harm the patient
and diminish faith in the system, two reasons explaining the increased
focus on enforcement.

In the survey summary of all four countries, more than 90 per cent of
patients responded that care providers have an ethical and legal
obligation to protect privacy. Further emphasizing the relationship
between doctor and patient, more than 85 per cent of all respondents
indicated that if they had a sensitive medical condition then the care
provider's reputation would have an impact on the choice of provider.
The four-country surveys also indicate that patients will seek to impose
consequences on the healthcare executives who are responsible for a
data breach.

"In every market the patient still has this trust with the care provider
but they react very emotionally when things go wrong, all the way to the
sacking of the executives," says Kurt Long, FairWarning CEO, admitting
his surprise at the 90 per cent response rate demanding fines or
dismissal for executives who fail to act following a breach.

"We conclude that there's a lot of trust and a belief that care
providers are doing the right things but when it goes wrong, boy are
they mad," adds Long.

With time to absorb the survey results and a commitment to use the
current surveys to benchmark follow-up studies in the four countries,
Long predicts a blend in openness and privacy in the future.

"I think there is going to be this bifurcation and there will be a set
of people who are comfortable with an awful lot of information about
themselves being public. On the other hand, I think that there's going
to be a core set of information, including our medical information
-- the most sensitive aspects of our medical conditions -- that all of
us are going to really value and want to protect."

Privacy Concerns, Patient Responses: FairWarning Four Country Surveys

Patient privacy behavior or belief                                     Average
Believe care provider has ethical and legal obligation to protect
privacy                                                                96.25%
Patient postpones treatment due to privacy concerns                    29.75%
Patient willing to travel outside of community for care due to
privacy concerns                                                       42.75%
Patient withholds medical information due to privacy concerns          44.5%

(Source: http://www.fairwarning.com/subpages/resources.asp#patientsurveys)

Jules Polonetsky, the Co-Chair and Director at the Future of Privacy
Forum, followed up a recent webinar co-sponsored by Privacy Analytics by
predicting the evolution of public attitudes toward the privacy and
sharing of healthcare records.

"It's clear that on their own, privacy and security measures protecting
health data won't address consumer concerns. Consumers will need to
feel confident that data collected is being used on their behalf, not
simply for the benefit of third parties."

To access Jules' webinar addressing the most central privacy issues of
the future, including data use, innovation and de-identification,
follow this link:
https://www.ehealthinformation.ca/survey/webinarjan122012.aspx

NOTEWORTHY: A recent eight-country study by Accenture provides an
overview of the progress achieved in adopting healthcare IT, leveraging
its benefits and studying the barriers to advancement. Making the Case
for Connected Health assesses three areas: healthcare IT adoption;
health information exchange implementation; and insight-driven
healthcare, including the use of advanced analysis of data to support
decision making, population health management and innovative care
delivery models. Interviewing 160 healthcare leaders and more than 3,700
doctors and clinicians, the report defined the barriers to electronic
medical record adoption and the implementation of health information
exchanges.

The top three barriers as determined in Making the Case for Connected
Health:
1. IT systems cannot talk to each other
2. Concerns about privacy and security of data
3. Cost to my organization

Useful Links:

Making It Meaningful: How Consumers Value and Trust Health IT, National
Partnership for Women and Families and Alan Westin, Professor Emeritus,
Columbia University, February 2012
(http://www.nationalpartnership.org/site/DocServer/HIT_Making_IT_Meaningful_National_Partnership_February_2.pdf?docID=9783)

How Privacy Considerations Drive Patient Decisions and Impact Patient
Care Outcomes: Trust in the confidentiality of medical records
influences when, where, who and what kind of medical treatment is
delivered to patients, New London Consulting for FairWarning, 2012
(http://www.fairwarning.com/subpages/resources.asp#patientsurveys)

HIPAA Security Spot Audits Begin: Chicken Littles and Annual Traditions,
Webinar by Ken Rashbaum for Privacy Analytics, February 2012
(https://www.ehealthinformation.ca/survey/webinarfeb132012.aspx)

Connected Health: The Drive to Integrated Healthcare Delivery,
Accenture, 2012
(http://www.accenture.com/us-en/Pages/insightmaking-case-connected-health.aspx?amp&sf3179485=1)

Medical Identity Theft: Seven Years On

BY JAY INNES

Ottawa, ON, Canada. In 2005, the National Committee on Vital and Health
Statistics (NCVHS) Subcommittee on Privacy and Confidentiality
approached Pam Dixon and asked her to appear and answer the question,
"What are the risks of electronic healthcare records?"

When Dixon, the Executive Director and Founder of World Privacy Forum,
was unable to find a single academic or mainstream publication
addressing the issue of medical identity theft, she focused on Justice
Department files and worked to compile stories for her testimony.

"After the appearance, the chair approached me and said, 'None of us
has ever heard about this before and I don't care if you don't have
funding for this or not, you have got to do more work on this,'" Dixon
recalls from her California office.

Spurred on, Pam Dixon and World Privacy Forum released Medical Identity
Theft: The Information Crime that Can Kill You on May 3, 2006, the most
comprehensive report to date on medical identity theft and medical
identity fraud. The report helped to define the term medical identity
theft and provided real-life crime stories and accompanying statistics.
The media gravitated to the report and helped to raise public awareness.

"The purpose of the report was to prove that medical identity theft
existed and we expected some push back," says Dixon.

"But it was like a stack of dominoes, like an avalanche, it was
definitely the cracking open of a very new Pandora's Box," she says,
recalling the thousands of emails she received from providers and
patients who shared their stories.

Dixon is proud that her home state adopted the recommendation that data
breach notifications be mandatory for consumers and that Washington
soon followed.

In the years that have passed since the report was released, Dixon
seems frustrated that the public continues to hear stories about data
breaches caused by the loss or theft of unencrypted USB sticks and
unencrypted laptops. As a privacy expert serving many industries, she
says that these simple mistakes would just not happen in the financial
sector or to a bank employee because there is a culture of security.

She explains the differences between the financial and healthcare
sectors and, although she holds out hope for progress in the healthcare
field, she realizes that the two sectors are vastly different. "One of
the reasons is that the healthcare sector is dealing with people --
patients -- and there is a need to access information quickly, so the
security structures have to be a lot more complex and a lot more
thoughtful," she says.

"It can be done but it's just a matter of shifting a very old culture
into a very new age where security is essential."

Looking ahead, Dixon predicts that the healthcare world will continue to
attract the attention of organized crime, and in the coming months the
World Privacy Forum will complete a two-year project on criminal
operations in the healthcare field that will plot the geographical
locations of the criminal activity in the U.S.

[Figure: Top Locations of Breaches Involving Unauthorized Access or
Disclosure of PHI, as of Feb. 17, 2012. Bar chart; vertical axis:
# of Breaches (scale to 40); horizontal axis: Location: Paper, Network
Server, Other, Email, Electronic Medical Record, Desktop Computer.]
(Analysis of OCR data Jan 17 to Feb 17, 2012 by Health Information
Privacy/Security Alerts, HIPAA & Breach Enforcement Statistics,
http://www.melamedia.com/HIPAA.Stats.home.html)

Useful Link:

Medical Identity Theft: The Information Crime that Can Kill You, World
Privacy Forum, 2006
(http://www.worldprivacyforum.org/medicalidentitytheft.html)

Privacy Analytics News:

1) Hospital News article on integrating maternal-child data for all
   births in Ontario:
   http://www.hospitalnews.com/integrating-maternal-childdata-for-all-births-in-ontario/
2) Tracking Superbugs in Ontario Long-Term Care Facilities:
   http://www.canhealth.com/current%20issue.html#12marstory5

The First Wave of OCR Audits for HIPAA and HITECH Compliance: Key
Results Summary
BY MIKE HUMASON, DIRECTOR OF HEALTHCARE SYSTEMS, MICRO SOLUTIONS
Thousand Oaks, California, U.S.A. Since the passage of the
Health Information Technology for Economic and Clinical Health
Act (HITECH), part of 2009s ARRA, those who watch the news to
see what government regulators are doing to enforce the many
provisions of HIPAA and HITECH, plus various state regulations in
addition. Changes to enforcement structure and doctrine have
indicated that sweeping changes are underway, leading to a far more
proactive effort to audit, investigate, and where indicated to mandate
corrective actions on the part of healthcare providers in the areas of
patient records privacy and security. Subject matter experts and legal
experts have speculated at length over if, and when, a major wave of
audit activities might commence. A pilot project was initiated late last
year, initial information on which is just becoming available.

Audit targets are selected using random samples from a


database of CEs created by OCR contractor Booz Allen Hamilton.
Four categories were created:
Level 1: large payers/providers (revenues > $1 Billion)
Level 2: regional insurers/regional hospital systems ($300M to
$1Billion)
Level 3: community hospitals, outpatient surgery centers, regional
pharmacies, self-insured plans ($50M to $300M)
Level 4: small providers, community or rural pharmacies (less than
$50M)
The formal audit program will begin in May 2012
OCR announced that the number of previous contacts with a CE
would have a bearing on who to audit

BACKGROUND: In 2011, The US Department of Health and Human


Services (HHS) announced that its Office of Civil Rights (OCR) would
begin HIPAA audits of covered entities and business associates in
November, and that its contracted auditor, KPMG, would audit up
to 150 entities by the end of 2012. HHSs website provides detailed
information regarding when the audits will begin, who may be
audited, how the audit program will work, what the general timeline
will be for an audit, and, generally, what will happen after an audit
is completed. In addition, HHSs sample Audit Letter indicates
that KPMG will focus on discovering vulnerabilities in privacy and
security compliance programs, and that certain information
and documents will be requested in connection with the audit.
However, no additional details are given regarding what covered
entities and business associates may be asked to produce. Covered
Entities (CEs) and Business Associates (BAs) are in line to be audited
in the near future, and no CE is exempt. Audit programs are meant
to supplement, not replace, current investigation and enforcement
activities.

There is a definite process to the audits:


KPMG will notify CEs preceding an audit, and will send a list of
required documents with the notification
CEs must respond to the document request within 10 business
days
CEs will be notified 30 to 90 days prior to an onsite audit
Audits may last several weeks
Following the onsite audit, CEs will receive a preliminary written
report
CEs have 10 business days to supply additional documentation,
and to comment in response to findings
Within 30 days following the CE comment period, the auditor
will send a final report to OCR
If the final report indicates any serious compliance issue, OCR
may initiate a compliance review this will be similar to a formal
investigation, as is usually in response to a formal complaint or a
large PHI breach

More recent information reveals the following:


An initial pilot phase will audit 20 CEs, including
o 1 State Medicaid program
o 1 State SCHIP program
o 3 group health plans
o 3 health insurance companies
o 3 physician practices
o 3 hospitals
o 1 laboratory
o 1 dentist
o 1 long term care facility
o 1 pharmacy

www.privacyanalytics.ca | 613.369.4313
info@privacyanalytics.ca

If a compliance review happens, it could result in:

Technical assistance provided by OCR
Loss of eligibility to receive Meaningful Use funds
Corrective action plan for the CE, which may include mandatory
third-party compliance review for 3 to 5 years
Civil monetary penalties
If the compliance review indicates willful neglect, OCR will
impose formal corrective action
Penalties may be up to $50,000 per incident, and up to $1.5
million per calendar year for the same type of violation
Higher penalties may be assessed at the discretion of OCR

Recommendations include:

A proactive, thorough risk analysis done by an established
subject-matter expert
Centralized compliance documentation, including, but not
limited to:
o Policies and procedures, and a written trail of workforce
training and implementation
o Documentation of continued, ongoing workforce training
o Risk analysis report findings, and a written record of the
remediation of all gaps identified
o A regular, periodic and annual audit program
o Written disaster recovery and emergency operation plans,
plus a policy for their regular review and update
o Incident response and breach notification documentation
o Documentation that electronic PHI is being encrypted with
an industry-standard solution
o Evidence of control over access to PHI
o Evidence of compliant data backup and recovery
o Remote access management
o Plan to address government/regulatory investigations and
audits
o Documentation concerning release of PHI for treatment,
payment, and operations not requiring patient authorization

A dedicated workforce team should be developed and trained to
enact all of the above; they should meet on a regularly scheduled
basis to ensure that compliance efforts are ongoing and current.
Their findings, recommendations and actions should be properly
documented, and should be available to investigators and auditors,
along with all of the above items. Compliance efforts must be
proactive and ongoing, and should never be considered a one-time
event. It should be borne in mind that CEs bear the burden of proof
in demonstrating compliance.

The 10-day response requirement in the event of an audit notification
means that CEs which do not have a considerable amount of
preparation already done will find themselves under great pressure,
and possibly unable to comply. A comprehensive compliance plan,
done in advance, provides insurance against failure and possible dire
consequences.

Getting outside help is a smart solution: it can't be denied that you
don't know what you don't know, and most healthcare staff are fully
occupied by the demands of patient care. Don't be afraid to ask for
help!

CONCLUSION: It is clear that the mandates of HITECH mean far
more than just the adoption of electronic health records systems.
Complementary compliance efforts in the areas of Privacy and
Security, including risk analyses and audits, will be a standard part
of any healthcare provider's responsibility going forward; failure to
address these issues in advance may prove enormously costly, not
just in terms of fines, but also in the time taken to respond to an
audit notice with no prior preparation, and in the costs of corrective
action. Compliance efforts must be continuous and ongoing, overseen
by a dedicated team, and all activities must be properly documented
and readily available.

Mike Humason, Director of Healthcare Systems at Micro Solutions
(http://www.micro-sol.com/) in Thousand Oaks, CA, USA, brings 35+ years of
experience in the healthcare field to his current role as a consultant specializing
in the areas of Electronic Health Records (EHR) adoption, and aiding clients in
compliance with the many regulatory standards of HIPAA and HITECH. Micro Solutions
conducts assessments and audits, from simple and small to highly penetrative and
granular, which result in a comprehensive compliance and security client profile,
accompanied by recommendations to cure gaps. We serve physicians, outpatient
centers, long-term care facilities and hospitals, as well as business associates
such as law offices which bear a significant compliance burden.


Patient Recruiting Innovation Emerges from Personal Experience

BY JAY INNES
Ottawa, ON, Canada. In 2008, sitting waiting at yet another doctor
consult to determine the best method to treat a large birthmark on
his baby daughter's right leg, Tom Dorsett decided he needed more
information if he was to become an active and engaged advocate
for his family. As a health IT consultant, Dorsett went in search of
all relevant information, from treatment options to clinical trial
updates. His efforts supported his daughter's treatment, while his
frustrations led to the creation of ePatientFinder, a patient recruiting
process providing pre-screened candidates for clinical research.
ePatientFinder matches technology and physicians in primary care
and in-patient environments with the information that allows them
to identify ideal candidates for clinical trials through data analytics.
"I realized that it would be very powerful, not only for the research
organizations but especially for the patients, because awareness is
still statistically very low regarding clinical trials and patients with
specific ailments," said Dorsett in a recent interview from his Texas
office.

In contrast to the long-held, inefficient and expensive strategy of
recruiting candidates through mass media, this regionally-based
and laser-focused process is conducted at the point-of-care, offering
physicians the added benefit of enhancing communications with
patients.
"With our model, we are actually able to run analytics on the
database in real time so that as patients come in, they're being
screened. If there's a match, we're able to reach them while they're
checked into the hospital, which greatly increases the likelihood of
patient participation," adds Dorsett.
During a turbulent phase for the healthcare industry, led by
government-incented EHR/EMR subsidies, buffeted by challenging
economic times and balancing the demands of citizens seeking
immediate answers while requiring privacy protections, Dorsett
realized that collaboration was the first step to success. Along with his
executive team, Dorsett worked with Health Information Exchanges
(HIEs), Regional Health Information Organizations (RHIOs) and
Electronic Health Record (EHR) vendors to create a growing health
IT-oriented referral network to capitalize on the rapid expansion of
the pool of individual longitudinal records.
"We're very excited that finally the longitudinal data exists, because
there has been a slow transition from the existence of only claims
data to a more highly developed clinical data-set," says Dorsett,
recognizing the current data revolution.
"Historically, it's been claims data, which is of minimal value to what
we do because we're looking to locate very specific patients. So the
more detailed the data, the more longitudinal the record, then the
more effective our service."
The ePatientFinder concept was validated in November with the
announcement that five drug makers teamed up to gather health
data from 13 New York hospital systems to assist in attracting patients
to clinical trials. The Bloomberg News story stated that the hospital
systems stand to make $75 million per year, while pharmaceutical
companies benefit from reducing drug trial times and cutting
costs.
"We allow hospitals, health information exchanges and physicians to
gain new revenue from sources they never really would have thought
about, because we help them bring in revenue from the research
community just by getting them involved in the recruiting process,"
says Dorsett.
"There's a lot of interest in what to do with this data, either from a
straight analytics play to where organizations, hospitals and on down
to the larger ambulatory clinics that are able to analyze their data."
In the ePatientFinder model, information is not shared with the
drug companies; instead the model is focused on working inside
a hospital's firewall. The onus is on the individual organization to
decide whether to opt in the referring physician to deliver the study
information to their patient. The patient then decides whether to
apply for the study.
"It creates a unique opportunity, and if the hospital isn't ready to
take the plunge and start running clinical trials itself, then we have
the ability to bring revenue in from the research and development
sector into those organizations just by getting them involved in these
programs," says Dorsett.
Still in the development stages, ePatientFinder is now building its
data network, and pilot projects are currently in design to go live with
a top ten pharmaceutical company this spring. As for Tom's daughter,
she has received treatment for her birthmark and it has faded
considerably.


PARAT 2.5 Release

In March, Privacy Analytics Inc. will release PARAT 2.5, featuring the addition of a
masking tool to support the effective de-identification of healthcare data sets and to
provide privacy guarantees for safe handling and sharing.
The Privacy Analytics Risk Assessment Tool (PARAT) is the only commercially available
integrated data masking and de-identification tool on the market today, and the only
tool for handling longitudinal data sets.
New features include:
1) New Batch Processing: Batch process a complete de-identified dataset, including SQL
scripts, data import/export, masking and de-identification
2) New Longitudinal Suppression Algorithm: Significantly faster, while lowering the
amount of required suppression
3) New Longitudinal Attack Simulator: Simulates re-identification attacks on a
longitudinal dataset
4) New, Improved Masking Toolset: Now featuring advanced masking, masking
propagation and compound pseudonyms
5) Improved Import Capabilities: PARAT import from CSV and Microsoft Access is more
robust, to handle large datasets
6) Automatic Import Type Detection: PARAT CSV import will detect field data types and
date formats automatically
7) New Task Manager: View the currently running tasks and end long-running tasks
To find out more and book a demo, visit www.privacyanalytics.ca
