Monday, December 5, 2011

Are You Short Changing Your Company?

Recently I entered a debate about the purpose of a company. I stated it was to actualize the goals of the business owner. The gentleman stated that it was to solve a problem that society had. I said solving a problem is the theme on which the business is built, not the purpose of the company. The same is true with compliance governance. How does a company create a profit center compliance program? The answer is the same way you build a company.

Most companies that have fewer than 50 employees treat compliance as another task within someone’s job simply because it is viewed as a necessary evil that does nothing to elevate the company’s value or bottom line. So IT, HR, the owner, or staff people are asked to perform compliance tasks. They have no methodology for creating value and return on investment simply because compliance is not recognized as a business strategy built into the business model. It is not a viewpoint that is taught, mastered, or understood well.

Many companies do not require a full-time compliance officer. But having a person whose sole responsibility is compliance is better than incorporating it into someone’s job function. Renting a compliance officer, so to speak, allows the company to do what it does best and allows a compliance officer to see the organization from a 10,000-foot perspective, not just its daily activities. It’s an important skill for profitable results.

Working in collaboration with the owner and employees independently encourages compliance programs that not only meet state and federal expectations, but provide greater value in return for the invested effort. The value must contribute to actualizing the goals of the business owner as well as meeting regulatory requirements to stay in business. Are you short changing your compliance efforts, thus short changing your company?

Wednesday, December 15, 2010

2011 Data Security and Privacy Trends

Contact me at for a copy of the 2011 Data Security and Privacy Trends. You will be surprised and it will affect more small businesses and professions such as medicine, law, and accounting.

Wednesday, December 8, 2010

House and Senate Pass Red Flag Exclusion

The House and Senate agreed that physicians should not be identified as creditors under the FTC regulation known as the Red Flag Rule. It now awaits President Obama's signature. That does not mean that the medical industry has dodged a bullet in its responsibilities to protect identities.

While emphasis is on HIPAA as it relates to privacy and identity theft protection, let us not forget that as much as they may be intertwined in data collection and storage requirements, they are not intertwined events when used criminally. One can steal an identity and not PHI [protected health information] and vice versa. There is no criminal trafficking of PHI. There is criminal trafficking of identities. Identity theft is lucrative and desired among thieves. It's easy to steal and in medicine it is used to gain access to expensive treatments and drugs. It is also lucrative because it is a repeatable crime that only requires gaining access to the information one time and using it or selling it over and over again. Once identities are stolen, the theft can victimize individuals for years.

PHI, if inappropriately leaked, subjects medical personnel to consequences based upon company policy and subjects the company to HIPAA violations. The harm to the patient in most cases is either embarrassment or personal damages (including possibly economic). Identity theft subjects patients to potential loss of life, limb and civil liberties because there is more than one record out on the same identity. Talk about medical errors.... How is the doctor, NP, RN, or PA charged with treating the patient going to know which is right? How is a receptionist in an ER room or doctor's office going to know? The answer is they can't know 100% for sure.

Be advised that a trend is appearing among state attorneys general: if HIPAA violations occur, they will tack on requirements to include identity restoration as part of the damages. Connecticut was the first to shoot that arrow over the bow and many more are following. Massachusetts set a law in place under which, if you have a Massachusetts resident doing business in your organization, you are subject to Massachusetts identity laws, or you don't do business with a Massachusetts resident. The same goes for treating them. So the subject of identity theft is not going away, nor are the obligations to conform to the requirements of states and other authorities.

While I empathize with my medical industry brethren about not wanting to duplicate or add on any more unfunded mandates than is humanly possible, this is one "red flag" we simply cannot ignore. It infiltrates our communities, our schools, our jobs, and our friends and families. It causes more financial loss than HIPAA violations. It cannot be stopped, only controlled. Following HIPAA guidelines in good faith is prudent. When you protect an identity you not only save the company and your jobs, but you also save people a lifetime of heartache and you save their lives.

Tuesday, November 23, 2010

Keeping Your Identity Safe During the Holidays

Our exposure to identity theft is stronger during the holiday season.
Kroll Fraud Solutions Center posted the following tips to keep your personal information safer:


Before you hit the stores, the very first thing you should do is take stock of what you are bringing along with you. Clean out your purse or wallet and remove unnecessary key identity components or valuables. Take inventory of whatever you will be carrying. That way, you’ll know what was taken if your purse or wallet is lost or stolen.

For added protection, keep your valuables with you at all times – your purse, wallet, or cell phone is not safer in your locked car than in your possession. Thieves know this is a common habit and will be scanning the parking lots looking for cars they can break into.

Consider your preferred method of payment before heading out – there are pros and cons to each, and it’s up to the consumer to determine which best suits his or her needs. Generally, from a theft standpoint, credit cards are a safer bet because, unlike debit cards, you usually have more protection against fraudulent charges – many credit cards have a zero liability policy. Cash is another option, but while you will not have to worry about personal identifiers, it will be gone for good if your purse or wallet is stolen. Take your checkbook only if it’s absolutely necessary – stolen checks can turn into an ongoing forgery nightmare and give the thief direct access to your checking account.

Finally, be stingy with your personal information. If a store clerk asks what seems like too much personal information during a transaction, remember that you have a right to ask why it’s needed. Some stores ask for phone numbers or zip codes for customer tracking – sharing this information won’t necessarily increase your risk of identity theft. Beware of shoulder surfers and shield your PIN number while entering it on a keypad. Resist the temptation to apply for credit at the register – you may get a hefty discount on your purchases, but there’s added risk at this time of year that your identifiers will be exposed. Someone may overhear your information or, if it is written down, the paperwork can be easily misplaced.


Contrary to popular belief, online shopping does not necessarily carry any additional risk for identity theft than shopping in the store, provided you are taking reasonable precautions. However, it’s important to remember that thieves generally step up their activities during the holiday season – the increase in online traffic and transaction levels offers plenty of opportunities to steal data.

It sort of goes without saying, but you should never use a public computer (like those found at the library) to perform online financial transactions. Likewise, if the coffee shop is offering free – yet unsecured – wi-fi, don’t be tempted to buy anything there, either. These are high-risk scenarios that offer little protection to the consumer. You never know if a public computer contains spyware, such as a keylogger or some type of malware, and it is very easy for thieves to steal data via unsecured wireless internet hookup.

Even when using a computer you trust, you should make sure you have installed your security software’s latest update and run a scan of your computer. Beyond that, practice smart shopping by visiting reputable sites and being careful not to fall for phishing scams that will try to trick you into giving up or exposing personal information. Some sites may offer great deals, but be skeptical about the level of safety they provide for financial transactions.

Just as you would keep receipts from the stores, keep a record of all your online transactions. Check your debit/credit accounts daily and make sure only the transactions you’ve authorized have been registered. If you see any unauthorized transactions, dispute them with your financial institution immediately. If you haven’t received your monthly statement, call the financial institution to verify that no one has changed the address on your account.

Contact me for more information about how you can protect your identity and that of your company as well.

Happy Thanksgiving

Monday, November 1, 2010

Is this really the age of healthcare reform?

While suggestions and solutions about how to fix healthcare vary, what is clear is that the election is not resulting in new ideas, only rhetoric and fear of change for the purpose of swaying votes. Is it about the people or is it about the party?

What is also clear is that the strategy to decide how to reform healthcare in our communities is based on money. Hasn't that strategy already demonstrated how faulty it is? It is not to say that money should not be a consideration. It is to say that money should not be the leading criterion.

For example, many doctors grappling with how to shape their practices in the coming decade tend to decide based upon the ability to earn more money first and infrastructure second. When considering whether to become an accountable care organization in the next 14 months, most physicians speak about the end result of gaining more income.

History will tell you time and again the failures of approaching growth in that specific manner. Yet like countless other fads we've seen in the past 20 years, the hype is driving action rather than reality. Becoming an accountable care organization is a good idea that requires a great deal of thought, the least of which should be about the shared savings physicians may or may not enjoy.

Until we are willing to change our viewpoints about what's really important and in what order of importance, healthcare reform will not succeed well whether under Republican, Democrat, Independent, Libertarian, Social, or Green rule. Is it about the people or is it about the doctor? Is it about the people or is it about the party? Is it about the people or is it about money? As patients we need to do the same. Is it about the care and the cost of it or is it about the value of it and how you define value of care?

Perhaps healthcare should be approached like a business model with a social responsibility. It encompasses so much more than how to make more money or how to save it. Using the 6P method established by Kris Rajan of CoGrow Inc, a practice would have a better chance at long-term success.

You can find the 6P model in the book "The Blatant Truth About Owning A Medical Practice".

Thursday, October 21, 2010

Identity Theft up 123%

According to a report by the US Treasury Department, identity theft rose 123% in the past 5 years. The question that begs to be asked is: why aren't we taking it seriously? Most believe that monitoring will be enough. What if I told you that monitoring only covers less than 20% of identity theft? Most identity theft has nothing to do with credit cards and credit reports, and if you wait for monitoring to notify you, it's too late.

When you think that all it takes to steal your identity is knowing your name and your date of birth, then everyone is at risk, because the only form of proving your identity is your driver's license and it has enough information to steal it, use it, and repeatedly abuse it for years to come.

Protecting it is useless if it doesn't include a plan for what you are going to do when it happens to you. Ask the 22-year-old I met at Applebee's the other day when I inquired about how they ID people. Her identity was stolen when she was 6 years old and she just found out. Six hundred hours won't begin to cover what has to be reversed in her case. The cost will be with her for a lifetime. For others the cost will be their lives.

Monday, October 4, 2010

State of Connecticut Acts

Five days ago the State of Connecticut imposed upon all licensed insurance agents, of any type, the responsibility of reporting any identity theft breaches their clients inform them about to the attorney general's office. The attorney general has already taken the stance that any privacy breach that occurs in their state will require identity theft consultation and recovery as part of a company's responsibilities.

Three and one half percent of identities stolen are compromised and the costs to business grow exponentially. Not too many companies really do full restoration. Connecticut fired the first shot. How far behind do you think other states are in enacting the same requirements?

So tell me, have you done your privacy pre-breach preparedness yet? Do you know if it was done well? Take my test and find out.

As it relates to identity protection "How Naked Are You?" Take the Test. Get Your Score.