Tuesday, August 29, 2017

HIPAA and Protecting Patient Information

by Michelle Hennen RHIA, CPC, RMC, CMM

Privacy is…
  • the patient’s expectation
  • the patient’s right
  • the foundation of trust between the healthcare organization and the patient; as well as preserving the health of the organization

Top Hit List for Incidents
  • Inappropriate release of PHI
  • Inappropriate access of PHI
  • Inappropriate emailing of PHI
  • Use of portable electronic devices

Why is our information important?

The value of the data itself is relatively low, but the impact of what criminals can do with the data is extremely high.  Some examples are:
  • Insurance Fraud/False Medical Claims
  • Identity Theft
  • Tax Fraud

The impact to the healthcare organization losing PHI is:
  • Trust in the healthcare organization
  • Costs for the organization
  • The average cost per stolen record is $363 which includes the cost of patient notification, media notification, and HHS notification (this does not include any costs with a government audit or remediation efforts)

How much is our PHI worth on the black market?
Our PHI is bought and sold just like merchandise on the internet.  The information most valuable is:
  • Credit card information
  • Mother’s maiden name
  • Date of birth
  • Social security number
  • Patient medical record

In a cited a case last year one patient learned that his records at a major hospital chain were compromised after he started receiving bills related to a heart procedure he had not undergone. The man’s credentials were also used to buy a mobility scooter and several pieces of medical equipment, racking up tens of thousands of dollars in total fraud.  Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number.

Here is suggestion for healthcare organizations to implement to safeguards PHI.
  1. Protect email accounts. Healthcare providers should use a tool that scans incoming email messages in real time in order to spot suspicious messages and filter them out before someone clicks a phishing link. On top of that, every employee should be aware of suspicious emails. If something seems a little “off,” they should know how to report it right away.
  2. Every organization needs some sort of security software or service in place. This is something that can be outsourced to a company or handled with healthcare security software.
  3. Back up your data regularly. This is one of the most important parts of a good cyber security strategy. If an organization has good back-up data, they don’t have to shell out millions to decrypt information and get that data back.
  4. Keep an eye on mobile devices and their use.  If staff members will be accessing data on a mobile device, healthcare organizations should consider restricting access to critical data and systems. At the very least, they should invest in a centrally-controlled system so mobile devices can be wiped clean if they are stolen or compromised.


No comments: