
Keeping Our Health Information Secure from Data Breaches

Paul DeMuro contends that we all should be vigilant about unattended or misplaced portable ‎devices, whether they be phones, laptops, or whatever
February 12, 2014

OPINION -- It seems like almost weekly we read about a data breach. Some data breaches reach the media because they involve breaches affecting 500 people or more and are required to be reported on a government website. Others come to the forefront because of the individual or individuals involved, a lawsuit, or even a leak. Reporting of data breaches is generally viewed as a good thing, particularly in healthcare, where a person whose protected health information (PHI) has been compromised in some way is advised of same. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and subsequent legislation were designed to protect our PHI, and to ensure that we are made aware of breaches of our PHI.

If one turns to the government website to review the reported breaches, one also will note what fines or penalties the breaching party paid, and what remedial action was taken. We have heard of laptops being left in cars or other places, laptops or iPhones being stolen, and the like. In this era of hand-held devices, laptops, and iPads, it is quite easy to misplace one or have one stolen. With the movement toward electronic health records (EHRs), and clinicians and others using mobile devices to assist in the delivery of healthcare, it is not surprising that many are concerned that their PHI may be disclosed in some way that is embarrassing or harmful to them.

But many ask, what can be done? If one reviews the remedial action taken by parties who were involved in breaches of PHI, one sees that certain individuals may have been terminated, counseled, or trained if they were involved in the breach. Some organizations have done what they think they can do to minimize the potential effects of BYOD (bring your own device). However, many healthcare organizations do not provide the type of mobile devices that clinicians and others want to use. As a result, many organizations will face an uphill battle trying to counter the effects of BYOD. Also, the very nature of mobile devices is that they are portable and often very small. Thus, they are easy to misplace, lose, and steal. It is quite important that the data on such devices be properly encrypted and, if a device is lost or stolen, that there is a means to destroy the data remotely.

The continued reports of data breaches inform us that the HIPAA laws are working in one sense. That is, if one's PHI is compromised, one should be advised of same. On the other hand, the constant disclosures occasioned by the many data breaches make one wonder if his or her PHI is safe. As individuals begin to wonder about the safety and confidentiality of their PHI, they may be inclined to tell less to their clinicians or try to ensure that less information gets into their electronic and/or personal health records. If this becomes the case, some of the many advantages of such electronic and personal health records will be lost, particularly in the care of such individuals.

When a recent data breach of customer information was reported that presumably affected millions of people, many became worried about their financial information and whether they might be the subject of identity theft. For others, it reinforced the risks that exist with respect to one's healthcare information. Some have even suggested that we should return to the day of paper healthcare records. You can see them and you can tell if they are locked up in your healthcare provider's office or a health system's facility. However, many forget the breaches that occurred when older medical records were disposed of in dumpsters or just copied and distributed.

EHRs hold much promise for the future, including potentially fewer errors due to handwriting, more information available in one's EHR facilitating the better delivery of healthcare because one's clinicians have more information, and the ability to mine de-identified data for public health and research purposes. It would be quite disappointing if the many data breaches in any way stifle a patient's desire to have all of his or her information in EHRs.

Well, then what should we be doing? We all should be vigilant about unattended or misplaced portable devices, whether they be phones, laptops, or whatever. Given that 17% or so of the Gross National Product is healthcare related, there is always a chance that such devices may contain PHI. Those who have PHI on their devices should ensure that they follow the policies and procedures of the organizations with which they are affiliated, and not develop work-arounds that may seem like they are easier for the clinician, but perhaps not in the best interest of all. We also should develop innovative means to protect the PHI of individuals and mobile devices.

I recall once seeing an individual get into an armored money truck years ago with a case handcuffed to his wrist and another guard walking next to him. Both had guns. Is our healthcare information any less important than the money in that case?

Paul R. DeMuro JD, CPA, MBA, MBI, Schwabe, Williamson & Wyatt, PC, National Library of Medicine, Post-Doctoral Fellow in the Ph.D. Program with Oregon Health & Science University.
