Technology, Data Security, and the Wall of Shame


A Surprising Statistic
A recent blog article on the Modern Healthcare web site states that 12.1% of the U.S. population has had their protected health information (PHI) compromised in data breaches. That amounts to approximately 1 in 8 Americans who have been affected.

With assurances of doctor-patient confidentiality, notice of HIPAA practices at the doctor’s office, and the need to sign a release form to get one’s own medical records, this is a staggering number, and it’s a tough pill to swallow.

More clinicians are using portable devices such as laptops, tablets, and even Google Glass in an effort to better coordinate care and increase provider productivity. As a result, patients’ medical information is no longer contained just within the medical records room but is transported in and out of the office and even maintained on the cloud. While there are many benefits to the implementation of these technologies, the opportunity for data to be misplaced or stolen is increased.

What is The Wall of Shame?
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is the watchdog for compliance with the HIPAA Privacy and Security Rules. The OCR Secretary must publicly post any data breaches affecting more than 500 patients, and that data can be found in a searchable database on the OCR site.  Many in the industry refer to this as the Wall of Shame.

When the Health Information Technology for Economic and Clinical Health Act, or HITECH, went into effect in February 2010, it strengthened the existing Privacy and Security Rules under HIPAA.  One key change made was that business associates of covered entities are now equally responsible for complying with these rules and are subject to the same fines and penalties.  Medical transcription companies, healthcare documentation specialists working as independent contractors, or any vendor or third party working with protected health information are examples of business associates.

Data breaches may take many forms. Laptops containing PHI are stolen or accidentally left behind; electronic protected health information (ePHI) on an organization’s server becomes available on Internet search engines due to changes in server configuration; ePHI stored on a photocopier hard drive is not erased when the equipment is returned to the leasing company. These are just a few of the many scenarios reported on the HHS web site.

There has been a steady increase in the number of breaches on ‘the wall.’  For example, in 2004, there were 2 incidents posted in the HHS database; in 2013 that number soared to 242. This year already shows more than 100 reported breaches. Again, these are breaches where PHI for more than 500 individuals is involved. As one might expect, there is a noticeable jump in reported cases in 2010, after HITECH went into effect, incorporating not just covered entities but business associates as well.

The advancement of technology in healthcare documentation has the potential to improve the coordination of patient care and improve productivity for providers; however, with the increased number of avenues where information may be breached, we must be ever vigilant to protect that data.

Want to learn more? Join us for AHDPG™’s free online HIPAA training. This training is an Association for Healthcare Documentation Integrity (AHDI) Preapproved Activity for 2 CEC (Medicolegal).