In the healthcare world, providing excellent patient care will always be the chief priority along with the oath to ‘do no harm.’ Healthcare organizations throughout the United States abide by this oath, but when it comes to a patient’s protected health information (PHI), even after a patient is successfully treated and released, their information can still come into harm’s way.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and the law included, in part, industry-wide standards providing protections and protocols for how a patient’s confidential information is handled. Twenty-four years later, HIPAA remains a prevalent story in the news, but it’s usually not a happy story. In 2019 alone, the Office of Civil Rights (OCR) shelled out over $15 million dollars in fines for healthcare facilities violating HIPAA law.
For each healthcare provider you visit, that equals one complete patient record on file at that facility. As of 2017, more than 95% of all hospital types have certified electronic health record (EHR) technology. This statistic shows that the healthcare industry has almost completely adopted the use of electronic records as their primary form of record keeping. This means that your entire medical history and private information has most likely been digitized. While your healthcare provider creates the initial patient record, these facilities are not the only ones responsible for maintaining, transmitting, processing, or accessing our medical records.
Covered Entity v. Business Associates
The healthcare provider under the law is considered a Covered Entity, which includes doctors, chiropractors, psychologists, and even your dentist. Among that list, your health insurance company and government healthcare programs such as Medicare and Medicaid are also considered a Covered Entity.
While these entities are the main hub for your patient records, you commonly provide your consent for other entities called Business Associates to review, evaluate, or further process your records and payments through a healthcare system. Some common Business Associates include:
- Medical transcription companies that process a doctor’s dictated notes on your visit.
- Financial Institutions or CPA firms that handle accounting services, payment processing, or accounts receivable.
- Claims processing companies for potential workplace-related injuries or other insurance-related claims.
- Data management or data aggregation companies that collect, manage, and/or store medical records for a Covered Entity.
- Document storage or disposal companies that may store the long-term patient records for the number of years required by each state before disposal.
At the end of the day, your one visit could result in multiple people and services viewing and handling your patient record. Though these organizations and companies are working hand-in-hand to provide you the best patient care and experience, many of us are unaware of just how many times our one record is passed along through a single system.
HIPAA and Your Data
The HIPAA law was created with two ultimate goals: to protect your most sensitive information and impose fines on healthcare organizations who fail to provide that protection. The truth is that if a healthcare provider is hacked or loses your patient data, there is very little you can do to avoid being a victim. Medical data is among the most sought after information on the dark web and hackers are notorious for using or selling that information.
Both the Covered Entities and Business Associates are liable under the HIPAA law if data is lost or stolen. Your healthcare provider likely has a contract with all their Business Associates that includes risk and control measures for safely transporting and storing PHI to avoid the unwanted disclosure of the information. If patient records are lost or stolen from a Business Associate, that company will receive OCR fines equal to those imposed on the Covered Entity.
However, even if the data wasn’t lost directly from your healthcare provider’s facility, they often are required under that same contract to aid in any investigation and assist in resolving the violation. For the healthcare provider, often the damage in reputation from having one of their Business Associates lose patient data far exceeds the fines. At the end of the day, no matter what the fines are or how bad the damage to reputation is, it’s your data that has been compromised and that is one our most precious assets.
What You and Your HealthCare Provider Can Do
Whether you are storing sensitive information like medical records at home or you’re a healthcare organization seeking safe and effective alternatives for storage and transfer of medical records, the Secure Data hardware-encrypted drives are an effective option to protect medical data.
The drives provide the highest level of password encryption and protection for electronic documents and other data. They are easy to set up and use while offering multiple storage sizes ranging from 8GB to 8TB of space. For healthcare organizations, the drives provide flexibility and are easily implemented into standard operating protocols. These drives can be remotely controlled, locked down, and even wiped if they fall into the wrong hands.
.png){kind=small}
