Your patients’ personal information is at risk

October 1, 2015

In this article and several to follow, I will discuss privacy and information security concerns and what you can do to protect your patients’ data.

Robert A. Dowling, MDAlmost 20 years after the Health Insurance Portability and Accountability Act (HIPAA) was first enacted, the privacy and security of protected personal information remains a significant concern in the daily activities of providers and their patients. In this article and several to follow, I will discuss privacy and information security concerns and what you can do to protect your patients’ data. 

Clinical Innovation + Technology, a leading trade magazine for the clinical informatics community, recently featured these headlines (http://bit.ly/Databreaches):

  • Some encrypted databases aren’t secure, finds Microsoft study

  • 45% of Americans have had records compromised

  • 81% of provider organizations have faced cyberattack in past 24 months

  • NY Blues cyberattack affects 10 million

  • UCLA cleared in data breach lawsuit

  • $750K HIPAA fine for Indianapolis practice

  • Employees disciplined, some fired for snooping in records

  • New cybersecurity center to protect California’s medical records.

NEXT: Impact of breach may not be known for years

More from Dr. Dowling

Do you know what your 'surgeon score' is?

CMS data offer insights into urologists’ pay

Social media: Why you need to be involved

 

The numbers in these headlines seem staggering, and often involve millions of individual records. They lead to large fines and untold expense in remediating the damage. The real impact may not be known for years, or ever recognized by the individuals affected. Stories of compromised personal information may seem sensational or exaggerated until they strike your organization or affect your patients-or even you personally. Consider this story:

A few years ago, a urologist attempted to file a federal tax return electronically and the submission was rejected because “according to IRS records, the tax filer has already filed a federal tax return for the specified tax year.” It was quickly determined that someone other than the urologist had filed a fraudulent tax return, and a sizable “refund” had been mailed to a physical mailbox on a vacant lot in a remote part of the western United States.

Read: mCRPC advances come with choices, challenges

It took the victim over 18 months to completely reconcile the issue with the IRS, and during this time the criminal did the same thing the following tax year. This is a simple scam of epidemic proportion, according to a Feb. 12, 2015 NBC News article (http://bit.ly/Fraudsoaring). The same physician recently was the victim of a more sophisticated theft of identity involving bank accounts, false credit bureau accounts, and more. The impact at this time is unknown-beyond the considerable effort involved in closing accounts, freezing credit requests, and instituting new monitoring methods (not free).

NEXT: Little information needed to conduct theft

 

Little information needed to conduct theft

In order to conduct this invasion of privacy and identity theft, a criminal needs only three pieces of information: name, date of birth, and Social Security number. All are nearly impossible to change once they have been compromised.

What does this have to do with HIPAA? A person’s name, date of birth, and Social Security number are ubiquitous in medical institutions and information systems and easily accessible to anyone using those systems. According to the Identity Theft Resource Center, medical/health care breaches account for 35% of all breaches and 78% of records (110 million) compromised in 2015 alone (table). These are the breaches we know about. Recognized or not, the protected personal information of millions of patients is being compromised at an alarming scale.

Bottom line: Theft of personal information from health care organizations is an important contribution to the broader problem of identity theft in this country. In articles to follow, I will examine this issue in greater detail, and provide some tips on how urologists can best protect the personal information of the patients in their practice.

More from Urology Times:

Watch out for these 7 common EHR mistakes

Extracapsular prostate cancer leads patient to sue

True informed consent bolsters patient safety

Subscribe to Urology Times to get monthly news from the leading news source for urologists.