It seems like every day we hear about another major data breach at a high-profile organization such as Target, Home Depot or JPMorgan Chase. In many cases, the credit card data of millions of consumers is compromised. It has become such a common occurrence that we have developed “data breach fatigue.” If your credit card is stolen, you can call your bank 24 hours a day and have it cancelled immediately. But what if your protected health information (PHI) is stolen? Who do you turn to when that happens?
Stolen PHI can take months to discover, giving thieves plenty of time to exploit it by submitting fraudulent medical claims or selling it on the black market. Correcting your PHI is also difficult: hospitals and insurers that hold your PHI are not obliged to work with you to rectify errors that show up in your medical history, and may deny a request to amend a record. The impact of stolen PHI can be devastating, and includes the following.
- Illegal access to prescription drugs – Thieves can use your PHI to obtain prescription drugs for their personal use or to sell. Dishonest pharmacists may bill your policy for these prescriptions.
- Medical claim fraud – Thieves who have no medical insurance may assume your identity and check into a hospital, with the treatment later charged to your policy. This can put your life at risk: in an emergency you could receive the wrong blood type, a medicine you are allergic to, or the wrong treatment based on the thief’s medical history. You could also end up with inaccurate diagnoses, such as mental illness, that could follow you indefinitely.
- Loss of health insurance – Fraudulent insurance claims using your records may max out your policy limits. This will leave you no coverage when you have a medical emergency or are in need of treatment.
- Ruined credit – Organized crime rings commonly use stolen PHI to generate false hospital and medical bills. They can also open lines of credit against your mortgage and apply for credit cards, leaving you responsible for paying them off. Meanwhile, you could be denied loans and mortgages, forced to pay higher premiums and lending costs, and lose job opportunities when employers check your credit history.
The Health Insurance Portability and Accountability Act (HIPAA) sets standards for protecting PHI, but it is not policed as closely as the credit card industry, which is governed by the Payment Card Industry Data Security Standard (PCI DSS). Every merchant must validate PCI DSS compliance annually (the largest through an on-site assessment by a third-party Qualified Security Assessor, smaller merchants through a self-assessment questionnaire), and the card brands and acquiring banks can impose fines and higher fees when a breach occurs. HIPAA audits, by contrast, are performed by the HHS Office for Civil Rights on only a small sample of covered entities. If a healthcare company is breached, no auditing body is held accountable; the loss of PHI ultimately becomes the victims’ problem.
Unlike credit card companies which tend to have elaborate fraud detection systems in place, protecting PHI is mainly the individual’s responsibility. Some of the ways you can protect yourself include the following.
- Monitor your credit – Obtain regular credit reports from the major credit bureaus (Experian, Equifax or TransUnion). Many credit monitoring services will continuously check your credit and can place a fraud alert on your file if fraudulent medical bills are charged in your name. The bureaus can also place a credit freeze on your file, so that your report can only be accessed with a personal identification number (PIN).
- Check medical records – Regularly check your records from your doctor, pharmacist and hospital to ensure your information is current and correct.
- Appeal refusals to grant you access to your medical records – If you are refused access to your medical records, it could be a sign of tampering. File an appeal with your medical provider immediately; you are entitled to a copy of their “Notice of Privacy Practices” free of charge. You can also file a complaint with the U.S. Department of Health and Human Services (HHS) at http://HHS.gov.
- Monitor your insurance benefits – Make sure to review your health insurance benefits at least once per year. If you see treatments listed that you never received, contact your insurer immediately.
- Watch your insurance premiums – Higher premiums can be a sign of false claims against your health insurance.
Protecting health data according to HIPAA standards is notoriously difficult. The HIPAA regulations tell you what you must do to protect data, but not how to do it: there is no step-by-step guidebook or prescribed process. Because the rules are not prescriptive, it can be very difficult to know what needs to be done. While many companies turn to certified information security professionals for guidance, many others choose to ignore HIPAA requirements, citing cost and complexity.
HIPAA concerns are growing and healthcare companies are working to become more compliant. A simple and economical solution is to engage a compliant cloud provider to safeguard PHI. Moving PHI to a provider that specializes in healthcare eliminates the need to purchase and maintain expensive hardware and software.
Unfortunately, many providers claim to be “HIPAA compliant” without ever having been independently assessed. HIPAA itself has no official certification, so such a claim means little unless the provider can back it with an independent attestation (for example, a third-party audit report covering its HIPAA controls) and will sign a business associate agreement with you. It is important to team up with a provider that can not only provide HIPAA attestation but also partners with its customers. That’s the difference between engaging a trusted business advisor and a company that will just sell you a slot in the cloud.
Concerned about safeguarding your PHI? The HOSTING compliance team stands ready to help. Contact us anytime with your questions and concerns. And download our white paper, Getting Strategic About HIPAA and HITECH Compliance for more information.