Digital Health Records and Data Security Breaches
With millions of new patients entering the U.S. healthcare system under the Affordable Care Act, the security of digital patient data has become a major concern. The U.S. Department of Health and Human Services (HHS) has set 2015 as the deadline for healthcare facilities to start using electronic health records (EHRs), thereby ushering in the digitalization of all patient information. However, now that confidential patient data is available on health networks, it has become a bigger target for those who want to steal it and put it to illegal use. Healthcare data breaches have doubled in the past few years, and the trend continues. More than 130 health data breaches took place in 2013, affecting more than 5.7 million individuals. Medical identity theft involves the theft of patient data that includes health records and information regarding insurance, blood type and medications. In certain cases a medical file might also include personal financial information if, for instance, the patient used his/her credit card to cover a co-pay.
HIPAA Compliance in Third Party Organizations
Hospitals not only need to worry about securing data on their own servers, but also about securing data that belongs to them but is stored on the servers of a third party, such as a medical transcription service organization. When entrusting confidential patient data to medical transcription companies to get the records transcribed, physicians should also make sure that the service provider is HIPAA compliant and that the patient data will be safe with them.
Benchmark Study on Patient Privacy and Data Security
According to the fourth annual Benchmark Study on Patient Privacy and Data Security by the Ponemon Institute, one of the key threats is the unproven security of the health insurance marketplaces created as a result of the Affordable Care Act. Other top threats include criminal attacks, employee negligence, unsecured mobile devices (smartphones, laptops, and tablets), and third parties, leaving organizations scrambling to respond. The survey found that the overall number of reported data breaches at healthcare organizations declined slightly last year, but criminal attacks on healthcare providers increased dramatically, up 100 percent since 2010.
Why Do Cyber Thieves Focus on Patient Records?
Patient records are exposed to both insider and outsider threats mainly because of the value of the information to criminals. These records contain personally identifiable information (PII) and protected health information (PHI). When combined, this information represents highly sensitive "regulated data," which is tightly controlled by federal laws, including HIPAA and GLBA, as well as numerous state breach notification laws.
Key findings of the research include:
Data breaches now cost healthcare organizations $5.6 billion annually, slightly lower than in previous years.
Nearly 70 percent of respondents believe the Affordable Care Act has increased or significantly increased the risk to millions of patients, because of inadequate security.
Seventy-five percent of organizations cite employee negligence as their biggest security worry, since employees' growing use of personal, unsecured devices (smartphones, laptops and tablets) increases the exposure of sensitive data.
Seventy-three percent of organizations are not confident or only slightly confident that their third parties are able to detect a security incident, perform an incident risk assessment and notify them in the event of a data breach.
What Can Be Done?
The most important thing patients can and should do is to check the Explanation of Benefits (EOB) provided by doctors and other medical providers.
HITECH Act for Tighter Security in Digital Health Records
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted on February 17, 2009, focuses on ensuring the privacy and security of patient health information. This program provides incentive payments to eligible hospitals and providers who make Meaningful Use (MU) of certified EHRs by the end of 2014. Eligible physicians can receive up to $44,000 over a 5-year period from Medicare or, alternatively, $63,750 over a 6-year period from Medicaid, while hospitals can receive a base annual amount of over $2 million.
HHS Security Risk Assessment Tool
HHS has also released a new security risk assessment (SRA) tool to help providers with HIPAA compliance. Conducting a security risk assessment is a key requirement of the HIPAA Security Rule and a core requirement for providers seeking payment through the Medicare and Medicaid EHR Incentive Program. The SRA tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of that information.