Patients Demand the Best Care … for Their Data

The following is a guest blog post by Art Gross, Founder of HIPAA Secure Now!.
Art Gross Headshot
Whether it’s a senior’s first fitting for a hearing aid, or a baby boomer in for a collagen injection, both are closely scrutinizing new patient forms handed to them by the office clerk.  With 100 million medical records breached and stolen to date, patients have every reason to be reluctant when they’re asked to fill out forms that require their social security number, driver’s license, insurance card and date of birth — all the ingredients for identity fraud.  Patients are so squeamish about disclosing their personal information, even Medicare has plans to remove social security numbers on patients’ benefits cards.

Now patients have as much concern about protecting their medical records as they do about receiving quality care, and they’re getting savvy about data protection.  They have every right to be assured by their physician that his practice is as concerned about their privacy as he is about their health.

But despite ongoing reports of HIPAA violations and continuous breaking news about the latest widespread patient data breach, medical practices continue to treat ePHI security as a lesser priority.  And they neglect to train front office staff so the patient who now asks a receptionist where the practice stores her records either gets a quizzical look, or is told they’re protected in an EHR but doesn’t know how, or they’re filed in a bank box in “the back room” but doesn’t know why.

In some cases, the practice may hide the fact that office staff is throwing old paper records in a dumpster.  Surprisingly this happens over and over.  Or, on the dark side, the receptionist accesses the EHR, steals patients’ social security numbers and other personal information and texts them to her criminal boyfriend for medical identity theft.

Another cybercrime threatening medical practices comes from hackers who attack a server through malware and encrypt all the medical files.  They hold the records hostage and ask for ransoms.  Medical records can vanish and the inability to access critical information about a patient’s medical condition could end up being life threatening.

Physicians should not only encrypt all mobile devices, servers and desktops, regularly review system activity, back up their servers and have a disaster recovery plan in place, etc. they should also share their security practices and policies with the patient who asks how his office is protecting her records.

Otherwise, the disgruntled patient whose question about security is dismissed won’t only complain to her friends over coffee, she’ll spread the word on Facebook.  Next time a friend on Facebook asks for a referral the patient tells her not to go to her doctor — not because he’s an incompetent surgeon but because he doesn’t know the answer when she asks specifically if the receptionist has unlimited access to her records.

And word gets out through social media that the practice is ‘behind the times.’  The doctor earns a reputation for not taking the patient’s question seriously, and for not putting the proper measures in place to secure the patient’s data.  This is the cockroach running through the restaurant that ends up on YELP.

It’s time to pull back the curtain and tell patients how you’re protecting their valuable data.  Hand them a HIPAA security fact sheet with key measures you’ve put in place to gain their confidence.  For example, our practice:

  • Performs annual risk assessments, with additional security implemented, including encryption and physical security of systems that contain patient information.
  • Shows patients that the organization has policies and procedures in place
  • Trains employees on how to watch for risks for breaches
  • Gives employees limited access to medical records
  • Backups systems daily
  • Performs system activity regularly

Practices that communicate to patients how they are protecting their information, whether it’s provided by the front office staff, stated in a fact sheet or displayed on their websites, not only instills confidence and maintains their reputations, they actually differentiate themselves in the market place and attract new patients away from competitors.

About Art Gross
Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started HIPAA Secure Now! to focus on the unique IT requirements of medical practices. Email Art at artg@hippasecurenow.com.

Full Disclosure: HIPAA Secure Now! is an advertiser on EMR and HIPAA.

About the author

Guest Author

4 Comments

  • From my percpective the idea of building Patient Portals and forcing all the data their for patients to access is totally ludicrous. When has a patient not had access to their Medical Records. They don’t need them on the WEB for EVERYONE to steal.

    Truth is ONC/Government/Medicare cannot possibly believe that all this data out there will not be breached. Further, patients that never asked for it to be put out there, will have it out there, EVEN IF THEY DON’T PARTICIPATE IN THE PORTAL.

    WHY IS THIS MANDATE OUT THERE, IT DOES NOTHING TO PROMOTE BETTER HEALTH CARE FOR PATIENTS? Proof me the value over the REAL RISK.

    Ask any SECURITY EXPERT that charges the practice or EHR Vendor to consult on Security to sign an agreement, if you adhere to my policies and are breached, I WILL PAY ALL INCIDENTAL AND ACTUAL DAMAGES due to the BREACH.

    Never happen, instead ONC will penalize the Vendors and the End Users (Hospital, Ambulatory Service Providers), then the Data will be removed (Customer De install), one penalty after another.

    If you ask me, HIPAA and ONC et. all in the Government should just accept like the rest of the world does Breaches will happen and not act like it’s anyone’s fault. They should accept this, and we should accept our Patient Records, once on a Portal, are not really SAFE.

    I Fully understand the benefits of a National Government Required HIE, only one, run centrally. But that is not a Portal, which has little real benefit. Patients have communicated, viewed charts and set appointments fine without it. It’s nice, it’s neat, but hardly worth the risk, and truly in it’s infancy.

  • Sophia,
    Agreed, however, in light just now announced breach of Federal Government Employees HR Records (REALLY BIG DEAL, CIA/FBI/Military/Government Home Addresses, Family Info, etc….) 18M records.

    http://www.huffingtonpost.com/2015/06/05/government-data-breach_n_7522192.html

    and the value on the open market of a Health Record is 10 times that of a credit card.

    http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

    No matter how much care you give, the minute you take it from a Private Secured Network and put it on your private corporate portal, the Government’s HIE or anywhere else attached to the World Wide Web in any way, then that cannot be guaranteed, no matter what you do.

    Agreed, you should do your best to protect it, but in the end we all have to just agree there is no PRIVATE HEALTH DATA, the minute we put it on the Portal or HIE.

    The Hacking Industry is evolving much more rapidly then the technology that protects them.

    And from a PROVIDERS standpoint, the Doctor that has his charts sitting on a rack in his office, is much more secure, can’t download those on the WWW and no cost for consultants, no cost for Firewall Software and most likely will not get flagged for failure of audit. See all this is just to much for the provider to handle, especially given the low pay they receive to cover overhead as it is.

Click here to post a comment
   

Categories