Robert A. Dowling, MD
Almost 20 years after the Health Insurance Portability and Accountability Act (HIPAA) was first enacted, the privacy and security of protected personal information remain a significant concern in the daily activities of providers and their patients. In this article and several to follow, I will discuss privacy and information security concerns and what you can do to protect your patients’ data.
Clinical Innovation + Technology, a leading trade magazine for the clinical informatics community, recently featured these headlines (http://bit.ly/Databreaches):
The numbers in these headlines seem staggering, and often involve millions of individual records. They lead to large fines and untold expense in remediating the damage. The real impact may not be known for years, or ever recognized by the individuals affected. Stories of compromised personal information may seem sensational or exaggerated until they strike your organization or affect your patients, or even you personally. Consider this story:
A few years ago, a urologist attempted to file a federal tax return electronically and the submission was rejected because “according to IRS records, the tax filer has already filed a federal tax return for the specified tax year.” It was quickly determined that someone other than the urologist had filed a fraudulent tax return, and a sizable “refund” had been mailed to a physical mailbox on a vacant lot in a remote part of the western United States.
It took the victim over 18 months to completely reconcile the issue with the IRS, and during this time the criminal did the same thing the following tax year. This is a simple scam of epidemic proportion, according to a Feb. 12, 2015, NBC News article (http://bit.ly/Fraudsoaring). The same physician recently was the victim of a more sophisticated theft of identity involving bank accounts, false credit bureau accounts, and more. The impact at this time is unknown, beyond the considerable effort involved in closing accounts, freezing credit requests, and instituting new monitoring methods (not free).
In order to conduct this invasion of privacy and identity theft, a criminal needs only three pieces of information: name, date of birth, and Social Security number. All are nearly impossible to change once they have been compromised.
What does this have to do with HIPAA? A person’s name, date of birth, and Social Security number are ubiquitous in medical institutions and information systems and easily accessible to anyone using those systems. According to the Identity Theft Resource Center, medical/health care breaches account for 35% of all breaches and 78% of records (110 million) compromised in 2015 alone (table). These are the breaches we know about. Recognized or not, the protected personal information of millions of patients is being compromised at an alarming scale.
Bottom line: Theft of personal information from health care organizations is an important contribution to the broader problem of identity theft in this country. In articles to follow, I will examine this issue in greater detail, and provide some tips on how urologists can best protect the personal information of the patients in their practice.