Archive for December, 2009


Healthcare Breach Reporting Article Highlighted by HCPLive

Posted by: Rachel James | December 21st, 2009

Thanks to Healthcare Professionals Live for highlighting this article and the important questions it highlights.

…I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR… (continue reading)


Common Identity Theft Myths

Posted by: Rachel James | December 16th, 2009

Through Twitter, we connected with the good people at Broadband for America to bring you this article about three common online identity theft myths.

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lie behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English- who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work…(continue reading)


North Pole Data Breach

Posted by: Doug Pollack | December 16th, 2009

Just in…Santa retains ID Experts to provide breach remediation assistance.


Healthcare Breach Reporting

Posted by: Doug Pollack | December 16th, 2009

In a recent post, I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR.

Based on some encouragement, I was given the name of the responsible person at OCR and emailed to ask about this seeming discrepancy. She was nice enough to provide the following reply from Hannah Stahle, JD, Health Information Privacy Specialist:

“In response to your question regarding the posting of breaches on the OCR website, we have been receiving reports from covered entities of breaches affecting 500 or more individuals since the effective date of the regulation.  We are now in the process of working to establish our web page for posting information regarding such breaches.  Because the breach notification regulation imposed a new reporting requirement on covered entities, which has been in effect for less than three months, we are taking extra care to ensure that all breach notifications we receive are accurate before we post any information on our website.”

It is wonderful to know that covered entities are in fact reporting breach incidents as required, and that HHS is working to ensure that their reporting site is accurate given the sensitive nature of the incidents being reported.

I had also asked about whether there were likely to be changes to the “harm threshold” guidance between now and the issuance of the Final Rule. She again commented that:

“With respect to your question concerning the harm threshold, we are in the process of analyzing the comments we received in response to the interim final regulation and will be developing a final breach regulation in the near future.  The harm threshold generated many comments on both sides of the issue, and we will consider all comments as we begin to develop the policy for the final rule.”

I do believe that there are two issues at play here. One, that it is difficult to expect that a covered entity can make a completely impartial determination as to the level of harm that is represented by a data breach incident, if in fact they have a lot to lose by acknowledging that such an incident did in fact create a threat of harm to those affected individuals. The second, though, is that it would be desirable for the Rules to be as unambiguous as possible, so that organizations do not need to be involved in making “judgment calls” on level of harm caused by incidents.

Card Compromise- What to Do if Your Bank is Closed

Posted by: Rachel James | December 7th, 2009

With the holidays around the corner, the amount of fraudulent activity tends to increase. As we all know, the most important aspect of stopping fraud is reporting it immediately. Unfortunately, the holidays also mean that many financial institutions and companies are closed in observance. While many banks provide 24/7 support year-round for reporting cards lost or stolen, some financial institutions do not. Even if your bank does provide the support, the only record you may have of that phone number may be on the card itself, so if you lose the card or have it stolen you might be at a loss where to call.

Luckily, most debit and credit cards are now backed by Visa or MasterCard. If your card is backed by one of these issuers, you may want to take this number down for emergencies. You know your card is backed if you see the Visa or MasterCard logo on the front. If you are unable to contact your bank and you have had fraud or lost your card, you can use these numbers to get assistance. The representatives there can either put you in touch with the correct call center to block the card right away, or provide the service directly depending on your bank. In a pinch, these numbers can be essential.

VISA — 1-800-847-2911

1-800-MasterCard (1-800-627-8372)

Keep this information handy, but somewhere other than with your wallet (in case you lose it). I keep a long list of company phone numbers- everything from insurance to credit cards- just in case. These numbers are at the top of my list, and I have used them several times with great success. Be prepared, and all your holiday surprises will be pleasant!