Way back in 1996, when Congress passed the Health Insurance Portability and Accountability Act, better known as HIPAA, consumers believed they could rest easier knowing that their personal health information and medical records would be protected. The protective measures kept evolving with the Health Information Technology for Economic and Clinical Health Act (HITECH), signed into law in February 2009. But in retrospect, have these long acronyms and the corresponding legislation protected our information as intended? Truthfully, the answer is yes and no. The legislation, in concert with some provisions of the Affordable Care Act (Obamacare), has pushed the healthcare industry to digitize health records and make them more accessible to patients and all of their providers. The flip side of these advancements is that electronic records residing on provider systems across the country are reachable over a network, so a single compromised system can expose far more records than a file cabinet ever could. Let’s examine how safe these personal health records really are.
As part of HITECH, the Department of Health and Human Services (HHS) is required to post a public listing of data breaches of protected health information whenever more than 500 individuals are exposed. Since 2009, the website has an ongoing list of 1,746 total breaches. Most of these breaches never make the news cycle, but there have been a few, most notably Anthem Inc. which reported a 2015 data breach impacting more than 78 million subscriber records.
So the first question you might ask is, ‘Who is responsible for these data breaches?’ Typically, the organization that suffers the breach takes responsibility, with many offering the impacted clients free access to identity theft monitoring programs such as LifeLock or IdentityForce. But the problem is not that simple. Health insurers, providers, and other organizations, just like other industries, spend millions of dollars encrypting the data stored on their systems. Yet encryption of stored data only protects against a lost laptop, disk or backup tape; it does nothing against an attacker who logs in with a stolen password or a phished employee account, which is how many of the largest breaches actually begin. So the attacks keep coming from hackers and other foreign and domestic entities, and it has become a circular race: organizations fend off attacks with the latest technologies, while the “bad guys” keep finding new ways and new technologies to break in.
So, what should I tell my patients when they ask about the safety of their personal health information?
First and foremost, tell them to take the protection of their health information seriously. At the same time, reassure them that HIPAA’s Security Rule requires every covered provider and insurer to put administrative, physical and technical safeguards around electronic health information. Patients should do the same with any information in their own control at home. It is a good idea to study the tips published by the HHS Office of the National Coordinator for Health IT (HealthIT.gov), including:
Using Good Passwords. Sure, we all want the easiest possible password to remember for our computer or mobile device, but those shortcuts are the first thing an attacker tries. Your dog’s name, a birth date or another snippet of personal information is easy to guess, and password-cracking tools routinely combine such words with a year or a trailing “!” in a handful of attempts. Caution your concerned patients that most of that information is already visible on their social media profiles. A long passphrase that is unique to each account (ideally kept in a password manager), plus two-factor authentication wherever the patient portal offers it, is far better protection.
Thinking Twice Before You Post. We all want to stay connected, which is why Facebook, Twitter, LinkedIn, Google+ and other social media sites have a gazillion users. But social media should not be treated as a secure outlet for information. Before your patients post personal information, health or otherwise, tell them to simply think twice about it. You can also ask them to familiarize themselves with the privacy settings on their favorite social media sites.
Protecting Your Mobile Device. Most of us live on our smartphones these days. A good approach for both you and your patients is to read the permissions and privacy notice of any app before installing it; you might be surprised at how much of your information it wants to access. Current iPhones and Android phones already encrypt the data stored on the device, but that encryption is only as strong as the lock screen, so set a strong passcode or passphrase rather than relying on a four-digit PIN. Also turn on the built-in remote locate-and-erase feature (Apple’s Find My or Google’s Find My Device) so the data can be wiped if the phone is lost or stolen.
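To make the password advice above concrete, here is an added example (not part of the original post) that simulates what an attacker does with a few facts scraped from a public profile: build guesses from a pet’s name, first name and birth year with the usual mangling rules (capitalization, appended year, “!” or “123”) and test them against a stored password hash. The profile facts and passwords are constructed for the example; SHA-256 stands in for whatever hash the target system uses, and the point is the size of the guess list, not the hash.

```python
import hashlib
from typing import Iterator, Optional, Tuple

# Constructed sample profile: the kind of facts visible on a public social media page.
# These are made-up values for the example, not real data.
PROFILE = {
    "first_name": "Dana",
    "pet": "Rex",
    "team": "Cubs",
    "birth_year": "1984",
    "birth_mmdd": "0712",
}


def candidate_passwords(profile: dict) -> Iterator[str]:
    """Yield guesses derived from profile facts using common mangling rules.

    Each base word is tried in lower, Capitalized and UPPER form, with a short
    list of suffixes that cracking wordlists apply by default.
    """
    words = [profile["first_name"], profile["pet"], profile["team"]]
    suffixes = [
        "", "1", "!", "123",
        profile["birth_year"],
        profile["birth_year"][2:],          # e.g. "84"
        profile["birth_mmdd"],
        profile["birth_year"] + "!",
    ]
    seen = set()
    for word in words:
        for form in (word.lower(), word.capitalize(), word.upper()):
            for suffix in suffixes:
                guess = form + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def sha256_hex(password: str) -> str:
    """Hash a password the way the stored digest in this example was made."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(stored_digest: str, profile: dict) -> Tuple[Optional[str], int]:
    """Try every profile-derived guess against the stored digest.

    Returns (recovered_password, number_of_guesses_made). recovered_password is
    None when no guess matched, which is the outcome a good passphrase produces.
    """
    guesses = 0
    for guess in candidate_passwords(profile):
        guesses += 1
        if sha256_hex(guess) == stored_digest:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed examples: a password built from profile facts versus a random passphrase.
    weak = sha256_hex("Rex1984")
    strong = sha256_hex("plinth-orbit-velvet-cask")
    print("weak password:  ", crack(weak, PROFILE))    # recovered within a few dozen guesses
    print("strong password:", crack(strong, PROFILE))  # (None, total guesses tried)
```

The entire guess list here is under 80 entries, so the weak password falls in a fraction of a second; a real cracking tool ships with thousands of such rules and millions of base words, which is why a passphrase that has nothing to do with the patient’s public life matters more than length alone.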
When all is said and done, there is no foolproof way for anyone to protect electronic health information or personal data from nefarious people who are trying to access it 24 x 7 x 365. The best approach is to use a reassuring tone with any patients who express their concerns. Informing them about the potential dangers is the first step. Convincing them to take personal responsibility for the things in their control is the second step. After that, assure them that their insurers and providers are working diligently to protect their information.
Have you had any experiences with your personal health information being compromised? If so, we want to hear from you in the comments section below. Or, share your story on our Facebook page. Your experience may help others learn about the dangers and how to overcome them.