Keeping Our Health Information Secure from Data Breaches
OPINION -- It seems like almost weekly we read about a data breach. Some data breaches reach the media because they affect 500 or more individuals and therefore must be reported to the Department of Health and Human Services, which lists them on a public government website. Others come to the forefront because of the individual or individuals involved, a lawsuit, or even a leak. Reporting of data breaches is generally viewed as a good thing, particularly in healthcare, where a person whose protected health information (PHI) has been compromised in some way is notified of the compromise. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and the Breach Notification Rule added later under the HITECH Act, were designed to protect our PHI and to ensure that we are made aware of breaches of it.
If one turns to the government website to review the reported breaches, one will also note what fines or penalties the breaching party paid and what remedial action was taken. We have heard of laptops being left in cars or other places, of laptops or iPhones being stolen, and the like. In this era of hand-held devices, laptops, and iPads, it is quite easy to misplace one or have one stolen. With the movement toward electronic health records (EHRs), and with clinicians and others using mobile devices to assist in the delivery of healthcare, it is not surprising that many are concerned that their PHI may be disclosed in some way that is embarrassing or harmful to them.
But many ask, what can be done? If one reviews the remedial action taken by parties involved in breaches of PHI, one sees that the individuals involved may have been terminated, counseled, or retrained. Some organizations have done what they think they can to minimize the risks of BYOD (bring your own device). However, many healthcare organizations do not provide the type of mobile devices that clinicians and others want to use, so many organizations will face an uphill battle trying to counter the effects of BYOD. Also, the very nature of mobile devices is that they are portable and often very small, and thus easy to misplace, lose, or steal. It is quite important that the data on such devices be properly encrypted, protected by a strong passcode, and, if a device is lost or stolen, that there be a means to wipe the data remotely. Encryption is not only good practice but also shapes the legal consequences: under HHS guidance, PHI that is encrypted in accordance with the applicable NIST standards is not considered "unsecured," so the loss of a properly encrypted device generally does not trigger breach notification at all, whereas the loss of an unencrypted one does.
The continued reports of data breaches tell us that the HIPAA rules are working in one sense: if one's PHI is compromised, one is notified. On the other hand, the constant disclosures occasioned by the many data breaches make one wonder whether his or her PHI is safe. As individuals begin to doubt the safety and confidentiality of their PHI, they may be inclined to tell their clinicians less or to try to keep information out of their electronic and personal health records. If that happens, many of the advantages of electronic and personal health records will be lost, particularly in the care of those very individuals.
When a recent data breach of customer information was reported that presumably affected millions of people, many became worried about their financial information and whether they might become victims of identity theft. For others, it reinforced the risks that exist with respect to their healthcare information. Some have even suggested that we should return to the days of paper healthcare records: you can see them, and you can tell whether they are locked up in your healthcare provider's office or a health system's facility. However, many forget the breaches that occurred when older paper medical records were disposed of in dumpsters or simply copied and distributed.
EHRs hold much promise for the future, including potentially fewer errors due to illegible handwriting, better delivery of healthcare because one's clinicians have more complete information in one place, and the ability to mine de-identified data for public health and research purposes. It would be quite disappointing if the many data breaches in any way stifled a patient's willingness to have all of his or her information in an EHR.
Well, then what should we be doing? We all should be vigilant about unattended or misplaced portable devices, whether they are phones, laptops, or anything else. Given that roughly 17% of the gross domestic product is healthcare related, there is always a chance that such a device contains PHI. Those who have PHI on their devices should follow the policies and procedures of the organizations with which they are affiliated, and not develop work-arounds that may seem easier for the clinician but are not in the best interest of all. We also should develop innovative means to protect individuals' PHI on mobile devices.
I recall once seeing an individual get into an armored money truck years ago with a case handcuffed to his wrist and another guard walking next to him. Both had guns. Is our healthcare information any less important than the money in that case?
Paul R. DeMuro JD, CPA, MBA, MBI, Schwabe, Williamson & Wyatt, PC, National Library of Medicine, Post-Doctoral Fellow in the Ph.D. Program with Oregon Health & Science University.