By Dan Sandoval
The Federal Trade Commission is seeking comments on a proposed
rule that would relate to the Fair and Accurate Credit Transactions
Act (FACTA) and the Fair Credit Reporting Act (FCRA).
The proposed rule, currently known as 16 CFR Part 682, relates
to the "disposal of consumer report information and records,
pursuant to the Fair and Accurate Credit Transactions Act of 2003."
According to a news release issued by the FTC, the purpose of
the rule is to "reduce the risk of consumer fraud, including
identity theft, created by improper disposal of any record that
is, or is derived from, a consumer report."
The proposed rule requires that any person
or company possessing or maintaining covered consumer information
"take reasonable measures to protect against unauthorized
access to or use of the information in connection with its disposal."
The proposed standard for disposal is "flexible to allow
covered persons to make decisions appropriate to their particular
circumstances," according to the FTC.
Several types of records are specifically mentioned in the proposed
rule, although the term "disposal" is not clearly defined.
Records covered include, "Any record about
an individual, whether in paper, electronic or other form, that
is a consumer report or is derived from a consumer report. [This]
includes all types of records that are consumer reports or contain
consumer information derived from consumer reports [that] identify
any particular consumers."
Regarding destruction methods, the proposed
rule states that entities possessing the consumer information
"take reasonable measures to protect against unauthorized
access to or use of the information in connection with its disposal."
The FTC has not favored any single technology,
noting that such technology is changing rapidly. "The Commission
recognizes that there are few foolproof methods of record destruction,"
the rule states. "Accordingly, the proposed rule does not
require covered persons to ensure perfect destruction of consumer
information in every instance; rather, it requires covered entities
to take reasonable measures to protect against unauthorized access
to or use of the information in connection with its disposal.
The Commission expects that entities covered by the proposed rule
would consider the sensitivity of the consumer information, the
nature and size of the entity’s operations, the costs and
benefits of different disposal methods and relevant technological
changes. ‘Reasonable measures’ are very likely to
require elements such as the establishment of policies and procedures
governing disposal, as well as appropriate employee training."
While standards for destruction are not set,
examples are given. These include, "Implementing
and monitoring compliance with policies and procedures that require
the burning, pulverizing or shredding of papers containing consumer
information so that the information cannot practicably be read
or reconstructed," and, "Implementing and monitoring
compliance with policies and procedures that require the destruction
or erasure of electronic media containing consumer information
so that the information cannot practicably be read or reconstructed."
The Commission has set its comment period to
end in mid-June. "The FTC expects that entities subject to
the proposed rule will make decisions about what measures are
reasonable based on the sensitivity of the information at issue,
the costs and benefits of different disposal methods and relevant
technological changes," the FTC news release states. "The
proposed rule’s flexible standard also is intended to minimize
the burden of compliance for smaller entities."
The Commission is seeking comment on all aspects
of the proposed rule, with a deadline of June 15, 2004.
Text of the rule can be found online at the FTC’s Web site
May 2, 2005
Lost computer tape puts 600,000 Time Warner employee records at
risk of identity theft.
Time Warner announced Monday that 600,000 of
its employee records were lost on the way to a secure storage
The records were stored on a computer tape
and included the names and Social Security numbers of current
and former Time Warner employees. The data also included information
on the dependents and beneficiaries of the employees dating back
“We take the security of our employees’
personal information extremely seriously and we deeply regret
that this incident occurred,” said Larry Cockell, Time Warner’s
Chief Security Officer.
Time Warner is working with the Secret Service
to investigate the data loss. The company reports contractor Iron
Mountain lost the tapes while they were in transit to a secure
storage facility. Iron Mountain officials weren’t immediately
available for comment.
Shares in Boston-based Iron Mountain dropped
$0.38 to close at $29.32
Time Warner is advising employees to check
their credit reports at Experian and Trans Union. But it said
it has no evidence the files are being used to commit identity
fraud. The files left Time Warner for storage on March 22.
More than 1.39 million Americans learned that
they may have been the subject of identity theft in the last three
HSBC, a U.K. bank, recently informed 180,000
of its customers that information the company kept on them had
been exposed to potential criminals (see HSBC Warns 180,000 of
Earlier the same week, data-collection firm
LexisNexis announced it would mail letters to 280,000 Americans
whose information had been compromised (see LexisNexis Leaks 280,000
IDs). Before that, the San Jose Medical group lost 185,000 patient
records and Social Security numbers when someone walked out of
the hospital with a computer under each arm.
The recent rash of identity theft started with
ChoicePoint’s announcement in February that it had lost
detailed data on 145,000 people at the hands of a low-tech fraudster
(see The Choicepoint Incident).
Reuters contributed to this report.
November 22, 2004
By Mike Scott
Vol. 5 No. 24 Page 38
An employee of a Seattle cancer center became
the subject of the first privacy law prosecution. The case also could have been
prosecuted as identity theft and credit card fraud. That it became
a HIPAA case wasn’t a fluke.
A man pleading guilty to violating HIPAA’s
confidentiality rules could serve as a wake-up call for many in
the healthcare industry.
In mid-August, Seattle phlebotomist Richard
Gibson, 42, admitted that he had obtained personal protected health
information about a cancer patient that gave him the ammunition
to use four of that patient’s credit cards in racking up
more than $9,000 in charges. Gibson was an employee at the Seattle
Cancer Care Alliance and in essence performed an identity theft
on the unsuspecting patient to buy video games, jewelry, and other
items, according to the U.S. Attorney’s Office.
Federal prosecutors worked out a plea deal with Gibson. Earlier
this month, he was sentenced to 16 months in prison (plus three
years of supervised release) and ordered to pay more than $9,000
in restitution. U.S. District Court Judge Ricardo S. Martinez
called Gibson’s use of a cancer patient’s health information
to perform credit card theft “some of the most deplorable
[behavior] I’ve seen in 15 years on the bench.”
The fact that the federal government elected
to prosecute Gibson for violating HIPAA rules was surprising and
unique, according to many law experts. If the case had followed
a more typical scenario, Gibson would have been prosecuted for
credit card fraud and identity theft. But because he was employed
by the cancer center—a “covered entity” under
the privacy rule—HIPAA was invoked. That should send a message
to hospitals and healthcare systems and practices across the country.
Brian Annulis, an attorney with the Michael
Best & Friedrich LLP law firm headquartered in Chicago, says
this move by the U.S. Attorney’s Office should tell healthcare
administrators that the government is serious about HIPAA. He
believes this is the government’s strongest legal message
yet concerning a HIPAA infraction.
“HIPAA includes a criminal provision
that hospitals would not be subject to, but they could be subject
to the civil provision,” says Annulis, whose firm specializes
in working with healthcare clients around the country. “Identity
theft is something that has been rearing its ugly head in our
country for a few years now, but the fact that the government
decided to use HIPAA means they wanted to get their point across
and to get some media attention. If this was just a regular $9,000
identity theft case, it wouldn’t even make the newspapers,
but this was meant to send a ripple throughout the industry.”
Annulis says the civil monetary penalties handed
out by the government to healthcare entities cannot exceed $1,000
per offense or $25,000 total per year, but the penalties in a
civil suit brought against a healthcare entity by an individual
are limitless—and, in certain cases, could mean a multimillion-dollar
lawsuit depending on how the crime was committed and how much
money or credit was stolen.
This case isn’t the first time a hospital
or healthcare employee has used information obtained from their
job to steal from a patient via identity theft. However, Annulis
says this is the first time the government has prosecuted a case
invoking HIPAA’s privacy component.
What’s It Mean?
So what does this case mean for hospitals, radiology practices,
and the healthcare industry in general? First, it is critical
for hospital administrators to review their internal HIPAA compliance
plans and communicate to all employees what the plan entails and
the penalties that could be levied against an individual who doesn’t
follow HIPAA guidelines. The same applies to imaging centers and
“The federal law only requires that healthcare
facilities go through a HIPAA training program up front, but we
tell our clients—whether physician practices, home healthcare
organizations, or hospitals—to take a HIPAA training program
annually. We also tell them to educate their employees about any
changes,” says Mike Fleischman, vice president and principal
of Gates Moore & Company in Atlanta, a consulting firm that
provides strategic and operational physician practice management
and tax and accounting services.
The government indicated that the serious nature
of this crime played a role in the penalties it was seeking. “Too
many Americans have experienced identity theft and the nightmare
of dealing with bills they never incurred. To be a vulnerable
cancer patient, fighting for your life and having to cope with
identity theft is just unconscionable,” says U.S. Attorney
John McKay. “This case should serve as a reminder that misuse
of patient information may result in criminal prosecution.”
U.S. Attorney Public Affairs Officer Emily
Langlie says government lawyers examined the statutes that could
be brought against Gibson, and it was determined that the amount
of time served and penalties levied were similar whether it was
tried under HIPAA or under credit card fraud laws. Since Gibson
was a phlebotomist who blatantly stole from a person who was relying
on the healthcare system to treat a serious ailment, Langlie says
the HIPAA angle was appropriate. “There is always an interest
in deterrence, and this is certainly a case that had more attention
than it would have had it been tried under a different statute,”
While some industry observers speculate whether this case was
prosecuted under HIPAA for publicity reasons, many feel it is
the first of numerous such cases. The current privacy regulations
have been in place since last April and additional security regulations
will be added in 2005.
Dan Rode, vice president for policy and government
relations for the American Health Information Management Association,
says that as of September, the Office of Civil Rights has turned
a number of cases, perhaps as many as 30 to 40, over to the U.S.
Justice Department that could be prosecuted under HIPAA laws.
Rode also says the Department of Justice looks at identity theft
complaints that arise out of a healthcare setting, gains additional
evidence, and formulates how the case should be prosecuted. "This
may be the first of a number of cases that are treated in this
manner,” Rode says. “What this case in Seattle has
shown us is that the prosecution under HIPAA is accepted well.”
Annulis says it is virtually impossible for
healthcare administrators to prevent a HIPAA violation if an employee
decides to break the law. But any civil penalties levied against
that entity could be significantly lessened or dropped altogether
if investigators determine that facility administrators took reasonable
steps to prevent the violation. Such steps include conducting
a complete criminal and credit background check on all new employees.
These checks cost money, but Fleischman says it is a basic function
of the hiring process these days that all organizations, whether
in healthcare or not, should take. “We have laws here in
Georgia where certain violations can be prosecuted under HIPAA
and state ID theft [statutes],” he says.
Fleischman adds that some healthcare organizations
are still ill-equipped to deal with HIPAA regulations and that
some are buying privacy manuals for the first time. He notes that
one area that could incite a HIPAA violation and warrants attention
is security. “Organizations have to make sure they are up-to-date
with their internal security standards,” he says. The electronic
security standards will be enforced beginning next year.
Preparation is more than half the battle, according
to Annulis. And healthcare organizations should understand how
seriously the government is taking the Seattle case because of the
lightning speed with which the case moved through the courts.
“What you want to be able to do when the FBI or the police
come to your door is cooperate with them and show them your compliance
plan and how every employee has documentation of the plan,”
says Annulis. “They want to be able to say, ‘We did
all that we could.’”
No Track Record
The bottom line is that privacy compliance is a subject that is
still unclear and, from a legal standpoint, this compliance still
represents uncharted waters. Regardless, it is critical that
healthcare administrators heed the warning shot that the government
has fired in pursuing the Gibson case under HIPAA.
“For the first time, we have a case that
demonstrates the government’s interest in pursuing the HIPAA
law,” says Rode. “That is significant for every organization
[in the industry].”
— Mike Scott is a freelance writer who
has contributed to more than 70 magazines, newspapers, and Web
sites on numerous topics—from business to healthcare to
technology. He lives in Waterford, Mich.
Reprinted from the issue of December 2004 REPORT ON PATIENT
The Federal Trade Commission's first
two enforcement actions for violations of the Gramm-Leach-Bliley
Act (GLB) are a cautionary tale for covered entities (CEs) under
HIPAA. They underscore the risk of an enforcement action if organizations
have a compliance program that is window dressing and fails with
the "meat and potatoes" of assessing privacy risks and
On Nov. 16 the FTC charged two mortgage companies
with violating GLB, which requires financial institutions to protect
the privacy and security of consumer information. GLB provisions,
which mirror the HIPAA privacy rule in key areas, took effect
in May 2003.
In separate administrative cases, FTC
alleges that Nationwide Mortgage Group, Inc. of Fairfax, Va.,
and Sunbelt Lending Services, Inc., a subsidiary of Cendant Mortgage
Corp., headquartered in Clearwater, Fla., violated GLB's so-called
safeguards rule. "The Safeguards Rule requires financial
institutions to have reasonable policies and procedures to ensure
the security and confidentiality of customer information,"
FTC says. For instance, financial institutions must designate
a high-level employee to oversee the privacy and security program;
conduct a risk assessment; deploy safeguards to control the risks
identified in the assessment; test and monitor the risks; sign
written contracts with "service providers" — the
GLB version of business associates — and periodically update
their security programs.
The FTC alleged that both mortgage companies
failed to comply with GLB's basic requirements. For example, the
mortgage companies allegedly didn't assess the risks to sensitive
customer information or install safeguards to minimize them.
Also, FTC alleged that Nationwide failed
to carry out safeguards to protect customers' names, Social Security
numbers, credit histories, bank account numbers, income tax returns
and other sensitive financial data. Nationwide allegedly didn't
train employees on information security, oversee its loan officers'
handling of customer information, monitor its computer network
for soft spots or provide consumers with privacy notices describing
how they use and disclose consumers' personal information.
Sunbelt allegedly neglected to provide online
customers with privacy notices and failed to oversee the security
practices of its service providers and loan officers working from
remote locations around Florida, FTC stated.
To resolve the allegations against Sunbelt,
FTC negotiated a settlement designed to prevent ongoing GLB violations.
The proposed "consent order" with Sunbelt requires (1)
an independent professional to certify that its security program
meets or exceeds the standards set forth in the consent order
- at the six-month point and every other year subsequently, and
(2) standard record-keeping provisions that enable the FTC to
monitor Sunbelt's compliance. A consent order is not an admission
This is not the first time FTC has hit companies
for alleged privacy violations. In one of the most high-profile
privacy cases ever, the commission pursued Eli Lilly for sharing
the names of several hundred Prozac users over the Internet. Eli
Lilly's error was allegedly caused by an untrained, inexperienced
programmer who was oblivious to Eli Lilly's information security
and privacy policies and procedures, the lawyer says. FTC and
Eli Lilly negotiated a settlement in the case.
December 21, 2004
Board of Governors of the Federal Reserve System
Federal Deposit Insurance Corporation
Office of the Comptroller of the Currency
Office of Thrift Supervision
Agencies Announce Final Rules on Disposal of
The federal bank and thrift regulatory agencies today announced
interagency final rules to require financial institutions to adopt
measures for properly disposing of consumer information derived
from credit reports.
Current law requires financial institutions
to protect customer information by implementing information security
programs. The final rules require institutions to make modest
adjustments to their information security programs to include
measures for the proper disposal of consumer information. They
also add a new definition of "consumer information."
The agencies' final rules implement section 216 of the Fair and
Accurate Credit Transactions Act of 2003 (FACT Act) and include
this new statutory requirement in the Interagency Guidelines Establishing
Standards for Safeguarding Customer Information (retitled the
Interagency Guidelines Establishing Standards for Information
Security), which were adopted in 2001.
The final rules will take effect on July