Confidentiality and security in the healthcare industry are of paramount importance today. Without a patient’s authorization, no personal health information can be shared or used. HIPAA (the Health Insurance Portability and Accountability Act) was established in 1996 to set national standards for the confidentiality, security, and transmissibility of personal health information. Under this Act, healthcare providers are required to protect and keep confidential any personal health information of patients. The Rule also gives patients rights over their health information, including the right to obtain a copy of their medical records and to request corrections.
Healthcare breaches can happen for a number of reasons, the foremost being potential economic gain. Moreover, with the digitization of records and the spread of wearable devices, the healthcare industry faces the biggest threat to patient information from cyber criminals. Yet the biggest challenge of securing this sensitive information comes not just from third-party vendors but from within the organization itself. Today, with third-party vendors employed to handle processing and workflows, including verification of patient eligibility for insurance coverage that helps reduce claim denials, the need to maintain confidentiality and security goes a notch higher. However, very often it is employees within the industry itself who inadvertently leak information and become your biggest HIPAA vulnerability.
Consider the statistics: as per the Protenus Breach Barometer, November 2016 saw the most breaches committed this year so far. Of the 57 reported incidents, 54 percent were caused by employees (insiders) themselves (see inbox for more stats). Added to this, the report stated that 60 percent of the breached parties took longer than the 60-day window required to report breaches to the Department of Health and Human Services. Let us see how the healthcare staff inside our own organizations can be the biggest HIPAA vulnerability factor:
Manual maintenance of medical records – Given that the practice of Electronic Medical Record keeping is yet to be streamlined, mishandling of paper patient records is a common HIPAA violation. When a practice uses written patient charts or records, a physician or nurse may accidentally leave a chart in the exam room where the next patient can see it. Hence it is essential to adopt an EMR (Electronic Medical Record) system as early as possible.
Vulnerabilities in the IT system: Laptops and mobile devices are the most vulnerable to theft. Very often doctors and administrators carry patient information on their mobile devices or laptops. If such devices are not password protected and the data is not encrypted, then whoever takes the device has easy access to patient-specific information.
The quick communication channel: Although it may seem easy and simple to text patient information, this confidential information can be easily accessed in transit or on either handset. Not everyone, be it doctors or even patients, realizes that blood test results or any other patient-related information is confidential. Both parties would need encryption on their devices, which is not always the case.
Use of social media – Even illustrating a disease by posting a patient’s photo on a social media site, however well-intentioned the effort to raise awareness of the problem, is and can be considered a HIPAA violation.
Accessing patient information on home computers – More often than not, clinicians will use their home computers or personal laptops to access patient information, record notes, or check on follow-ups; this too is a HIPAA violation.
Resource crunch: Smaller clinics may not have the resources to put certain IT measures, such as encryption, into place. But even a doctor carrying a patient’s Medicare card in a wallet is considered a HIPAA violation, as it contains the patient’s Social Security Number (SSN).
Water cooler or break room gossip: Simply talking about patients to friends and co-workers is a known HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.
Thus, unless we bring in measures and protocols within our own systems to educate our own staff about HIPAA violations, simply handing over certain workflows and processes to third-party vendors and assuming that security measures are in place will not help. Regular training and audit checks of the various in-house systems and processes are a must to ensure that HIPAA rules are not being broken. Moreover, IT security measures must also be included in the audit to strengthen safeguards and keep Protected Health Information (PHI) from being hacked and lost.