You don’t need to be a HIPAA compliance auditor or a cybersecurity expert to figure out whether your confidential medical information has been compromised or handled improperly. Nor do you need expertise to recognize that your private data can be breached the old-fashioned analog way as well as digitally.
You only need to know your rights if:
- An office manager in your child’s pediatrician’s practice leaks sensitive data when she shares specific health-related details with non-medical employees in an office connected to a waiting room.
- Your medical information is posted on the whiteboard outside the nurse’s station on the hospital floor where you are a patient.
- Your unencrypted information is published on a random website after it was stolen from your primary care physician’s office.
“Many organizations—from small doctors’ offices to health insurance providers, third-party providers like billing services, pharmacies and large healthcare systems like hospitals—must respect patient privacy under The Health Insurance Portability and Accountability Act (HIPAA) of 1996,” says Christopher Frenz, director of IT Infrastructure, Interfaith Medical Center, and a NYMJCSC speaker. “This federal law specifies what information is considered private, how to protect it, who can access it and how.”
Under HIPAA, patient information should be protected from unauthorized entities, shared with patients for their review upon request and safeguarded through encryption, passwords and other secure software and hardware.
Policies that spell out which employees may access data and what they can and cannot disclose, along with training that reinforces those policies, should also safeguard health information.
“IT professionals within healthcare organizations should conduct ongoing assessments of their operating systems, software applications—even medical equipment that uses digital technology—to identify threats to confidential patient data,” states Frenz. “This can be done through penetration testing and mock malware incident exercises.”
“The most important point to remember is that your IT department should partner with the organization’s board of directors and top management to implement initiatives that address potential problems. Everyone should be on board and understand that ‘an ounce of prevention is worth a pound of cure’ when it comes to protecting patient information.”
“While HIPAA and the Sarbanes-Oxley Act (SOX) for the financial services industry have been enacted to protect organizations and individuals, they provide limited defense against intruders,” says Tom Brennan, NYMJCSC chairman, OWASP global board member and founder/owner of Proactive RISK cybersecurity solutions consultancy. “Hackers are always ahead of compliance practices. CISOs, CIOs, developers and cybersecurity experts must remain vigilant and test their networks and applications constantly.”
Think your privacy has been violated? File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights Complaint Portal.