
I know a lady who has worked out of her home for years as a medical transcriptionist.  She receives audio cassette tapes recorded by physicians, therapists and other medical professionals, onto which they have dictated patients’ medical reports and personal information, which her employers need converted to a computer file.  She dutifully enters the information into her computer, and emails the computer file back to the doctor’s office.  The cassette tapes and the computer files contain, not only the names and medical histories, but also the Social Security numbers of the patients, which the office uses as patient identifying numbers.  The emails are sent as clear text over the Internet.

If you know anything about compliance with the Health Insurance Portability and Accountability Act (HIPAA), the flaws in this seemingly innocent arrangement should be readily apparent.  The most obvious is that Social Security numbers should never be used as identifiers for medical patients, insurance claims, bank accounts or driver’s licenses.  As it stands, the patients’ names and Social Security numbers have made their way into at least three different computer systems: the transcriptionist’s computer, the computers at the doctor’s office, and the computers belonging to the email providers that store and relay the messages between them.

Less obvious is that neither the transcriptionist’s computer nor the computers at the doctor’s office are password protected, and none of the files on them are encrypted.  Anyone with physical access to these machines, authorized or otherwise, has fast and easy access to the sensitive personal information of hundreds of patients.  Should the right virus or spyware land on either machine, that information is easy pickings for Internet criminals.  And because the emails are sent and received in the clear, they can be read at every mail server and network link they pass through on their way across the Internet, by anyone who controls or compromises one of those points, with no break-in at either office required.

A recent survey by Phoenix Health Systems shows that only 55% of healthcare providers and 72% of insurance companies are compliant with HIPAA security regulations, and that there seems to be a core group of about 20% that is “either unable or unwilling to implement federal Privacy requirements.”  The survey also shows that 60% of providers have experienced “privacy breaches.”  The majority of those organizations experienced between one and five such breaches, but over 20% experienced six or more.  Clearly, companies need to seek professional help in becoming HIPAA compliant.

The sad fact is that medical care providers do not care about protecting your private information nearly as much as they care about protecting their own bottom line.  In order for things to improve, consumers must insist that their private information be protected under penalty of lawsuit.  To get the ball rolling, I’ve adopted a new tactic: anytime I’m ever required to sign anything at a doctor’s office, I write in the margin next to my signature, “I understand that <insert name of medical provider> certifies that they are compliant with all relevant HIPAA regulations.”  That ought to get the discussion started!