One way to spend less time worrying about the new HIPAA provisions is to outsource your shredding service. Yes, outsourcing shredding service tends to be more cost effective, but it’s more than that. With the mandatory fines up from a maximum of $25,000 to $1,500,000 (a 6,000% increase if you’re keeping track), it makes sense to implement measures that help ensure your office is using the highest level of document security possible. Not to mention, according to the Department of Health and Human Services, fines will be mandatory for certain violations, specifically including the disposal of patient information that is not properly destroyed first.

By outsourcing your shredding service, you take the burden off the office staff and let them focus on revenue producing activities. Because it is most secure, we recommend using an ON-SITE service. With ON-SITE service, you get to witness the shredding right in your parking lot and know with certainty that your paperwork has been destroyed in compliance with HIPAA right before your eyes.

For more information visit www.hvshred.com

Our mission at HV Shred, Inc. is to use this blog to keep the public up to date on the latest in identity theft news and prevention. Compiled by the FTC, the following information should help raise awareness about a form of identity theft many do not realize could affect not only their finances, but also their health—it’s called Medical Identity Theft.

How would you know if your personal, health, or health insurance information has been compromised? According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, you may be a victim of medical identity theft if:
· you get a bill for medical services you didn’t receive;
· a debt collector contacts you about medical debt you don’t owe;
· you order a copy of your credit report and see medical collection notices you don’t recognize;
· you try to make a legitimate insurance claim and your health plan says you’ve reached your limit on benefits; or
· you are denied insurance because your medical records show a condition you don’t have.

Medical identity theft may change your medical and health insurance records: Every time a thief uses your identity to get care, a record is created with the imposter’s medical information that could be mistaken for your medical information – say, a different blood type, an inaccurate history of drug or alcohol abuse, test results that aren’t yours, or a diagnosis of an illness, allergy or condition you don’t have. Any of these could lead to improper treatment, which in turn, could lead to injury, illness or worse.

More on steps to deter, detect, and defend against medical identity theft in a future blog. In a nut shell, protect your personal information at every turn—don’t share unless you know and trust the receiver and be mindful of how you’re storing and disposing of your personally identifying information. For data that is obsolete, consider contacting us to set up an appointment to shred and recycle. More at www.hvshred.com

In another round of “HIPAA enforcement is amping up and the penalties can be very costly” this week’s blog details another recent action taken by the US Department of Health &Human Services Office for Civil Rights.  A recent press release announced that the Organization issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule.

According to the press release, it was found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with Office for Civil Rights, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request.

The Office for Civil Rights also found that Cignet failed to cooperate with investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Setting up service with an on-site shredding service is a key component of ensuring top quality HIPAA compliance.  For more information, please visit www.hvshred.com

On December 14, 201o Governor Paterson signed the Wage Theft Prevention Act into law.  Embedded within the new law is an update to payroll records management.  To be in compliance with the new law, employers disposing of records containing personal identifying information must follow one of these procedures:

• Shred the record before disposal;
• Destroy the personal identifying information;
• Modify the record to make the personal identifying information unreadable; or
• Take action that they reasonably believe will ensure that no unauthorized person will have access to the personal identifying information in the record.

“Personal identifying information” refers to any of the following information included in an employment record:

• An individual’s Social Security Number,
• An individual’s mother’s maiden name,
• A driver’s license,
• A financial services account number or code,
• A debit card number or code,
• A checking account number or code,
• An automated teller machine number or code,
• An electronic serial number, or
• A personal identification number.

Along with compliance and avoiding fines, properly storing and disposing of personal identifying information be it for our employees, our clients, or our proprietary information just makes good business sense.  For more information on how to make on-site shredding service as simple and cost effective as possible, visit www.hvshred.com

HIPAA enforcement is amping up and the penalties can be very costly.  In a February press release from the US Department of Health & Human Services, the Organization announced that Massachusetts General Hospital has agreed to pay the U.S. government $1,000,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

 Mass General, one of the nation’s oldest and largest hospitals, signed a Resolution Agreement with HHS that requires it to develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients. The settlement follows an extensive investigation by the HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities) to protect the privacy of patient information through administrative, physical and technical safeguards at all times.

The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. OCR opened its investigation of Mass General after a complaint was filed by a patient whose PHI was lost on March 9, 2009. OCR’s investigation indicated that Mass General failed to implement reasonable, appropriate safeguards to protect the privacy of PHI when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.

The documents were lost on March 9, 2009, when a Mass General employee, while commuting to work, left the documents on the subway train that were never recovered.

OCR Director Georgina Verdugo suggested, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA. A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

Setting up service with an on-site shredding service is a key component of ensuring top level HIPAA compliance.  For more information, please visit www.hvshred.com

Thanks to Vanacore CPA’s for raising this topic in their recent newsletter.  We wanted to share it with our supporters:  Fraud prevention and detection is the not the most comfortable of topics to address with your team, but it is crucial to cost efficiency.  Just setting the right tone of doing business with character and integrity can be powerful.  As an owner you should express your views to employees that fraud, in any form, is not acceptable. A few more suggestions to forward the mission:

• Encourage employees to make suggestions about ways to improve controls. This will also conveying the fact that you are alert to the possibility of fraud occurring and serves as a good deterrent.

• Require that all new vendors be approved by you, prior to checks being cut. Review the listing of vendors on a monthly basis to ensure this procedure is being followed.
• Establish mandatory vacations for all employees; this will allow another individual filling in for that position to notice if anything improper is occurring.
• If you, as the owner, do not sign checks, require that all checks over a certain dollar amount require your signature, i.e. $1,000.
• Receive unopened bank statements directly and review the activity. Pay particular attention to the payees on cancelled checks and where wire transfers are going.
• Do not allow expense reports to be submitted too long after expenses occurred because it allows too much time for the individual in a supervisory role to forget the details.
• Receive and review unopened payroll reports directly to ensure there are no fictitious employees and that legitimate employees are being paid at their proper rate.

With each measure, put the emphasis on the concept of teamwork.  This will work especially well if individual compensation is somehow tied in the overall success of the company—make A fatter bottom line better for everyone.

In a recent press release, The Federal Trade Commission (FTC), the government agency that works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them, reported that for that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints.  Making a first time appearance in the top 10 is “Imposter scams” – where imposters posed as friends, family, respected companies or government agencies to get consumers to send them money.  Along those lines, the FTC also has issued a new consumer alert, “Spotting an Imposter”, to help consumers avoid imposter scams.

 The 2010 Top Ten List:

 To file a complaint go to Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357).

 More information on identity theft prevention is available at www.hvshred.com

Rep. Cliff Stearns (R-Fla.) said he intends to introduce privacy legislation that would empower the Federal Trade Commission to oversee a five-year self-regulatory program.

In a recent speech, Stearns also said that consumers should have access to the information amassed about them online and be able to opt out of the data collection. “We might not be able to tell businesses they can’t stop collecting the information, but certainly we should be able to see that information. The consumer can decide whether it’s too much to be collected, and then decide whether to opt out,” he said.

Stearns said the bill he intends to introduce grows out of a draft floated last year by himself and former Rep. Rick Boucher (D-Va.). That proposal drew comments from more than 70 organizations, which Stearns said were incorporated into the bill he will unveil.

The measure will join at least three other potential privacy bills in the House.

Rep. Jackie Speier (D-Calif.) recently introduced the Do Not Track Me Online Act, which calls on the FTC to issue regulations requiring that Web companies allow consumers to opt out of online tracking. In addition, Rep. Bobby Rush (D-Ill.) reintroduced an online privacy bill that would require ad networks to obtain users’ consent to tracking. And Rep. Ed Markey (D-Mass.) says that he, too, intends to online privacy legislation.

For the latest updates, keep checking back to www.hvshred.com