Regrettable circumstances have found me recently visiting various local medical offices, and have once again led me to question the security of my private medical and financial information. While most people turn a blind eye to how patient records are handled by their favorite doctor or hospital, the security of such records has never been more important.
It’s my observation that, while most doctors, nurses and secretaries have at least heard of the Health Insurance Portability and Accountability Act (HIPAA), many of them aren’t really aware of what is required by the law and a shocking number of health professionals couldn’t seem to care less.
HIPAA basically requires that doctors, nurses, office staff, insurance agencies, attorneys, secretaries, vendors, and anyone else who handles patient data ensure that names, addresses, telephone numbers, social security, credit card, insurance, bank account and other identifying numbers that make their way onto computers are protected from loss, corruption and unauthorized access. Computers should not be left unattended in unlocked rooms. Anti-theft measures should be in place. Computers and file systems should be password protected, and particularly sensitive files should be encrypted. Antivirus and antihacker measures should be in place. Patient data stolen by thieves or hackers, destroyed by an accident such as a storm, or damaged by a computer virus has lost its privacy, its integrity, or its availability. All three situations can be considered violations, incurring non-compliance citations.
Case in point is Providence Health & Services, a Seattle, Washington-based health care organization, which was recently punished to the tune of $100,000 for lax security policies. An investigation by the U.S. Department of Health and Human Services revealed that Providence had experienced the loss or theft of numerous laptop computers, CDs and backup tapes that contained the private medical records of over 386,000 Providence patients. Of course, none of the lost or stolen information was encrypted or password-protected. Providence is also being forced to implement a rigorous security program designed to stop such unconscionable losses.
In my own experience, it’s always dismaying to have the secretary in the doctor’s office ask me, in front of everyone else in the waiting room, “What’s your social?” I never speak my Social Security Number out loud in such situations. Instead, I insist that I write the number on the form myself. In another office, there I was observing the names, addresses, phone numbers, Social Security Numbers and medical insurance numbers of numerous other patients. It was almost unavoidable, as patient forms were strewn all over the reception counter for any and all to see.
In another office, after filling out the patient application form and having my insurance cards photocopied, the receptionist held up a digital camera that was connected to a computer (and probably, the Internet) and said that she needed to take my picture. “Why take my picture?” I asked. “It’s so that we’ll know who you are in the future,” she replied. “But, you didn’t even ask to see my driver’s license, or any other photo ID,” I said. “What if I stole those insurance cards that you copied? How would you know that the picture you took is of the same guy whose name is on the insurance card?” A blank look came over her face, and after staring at me for a few seconds, she said, “Oh. Gee. I don’t know; it’s just what we do.” Grrrrrr!
Unless we, the patients, demand that all health-care professionals great and small start to take computer and Internet security seriously, and follow the security requirements of HIPAA, more and more patients will continue to be needlessly ripped off.
Here are some questions to ask your doctor: If my private patient data is on a computer, CD, or an external device such as a flash drive, is the data encrypted? Do you back up your computer’s hard drives, and, if so, are the backups encrypted? If you send my private data across a computer network or the Internet, do you use a secure encrypted connection? If you give my information to a third party, do you require that they protect its security? Have you ever had a qualified independent company perform a HIPAA security audit? If your doctor says “No” or “I don’t know” to any of these questions, run, don’t walk, to a doctor who will actually give a hoot about your privacy.