By: Jennifer de la Chevotiere
On the Expert Depos blog, we’ve discussed several legal topics surrounding compromised online privacy. At this point in the game, most people know that they need to take steps to protect their personal and financial data when they enter it online.
Whether it’s changing your passwords often or doing your research on a company before handing over your credit card number, there are concrete ways to protect yourself.
But what about your sensitive medical information?
It’s easy to think that the health professionals you interact with are acting under strict guidelines and know how to handle your information properly. And of course, there are guidelines in place: the Health Insurance Portability and Accountability Act (HIPAA) to be specific.
HIPAA was established in 1996 and mandates nationwide standards for how the healthcare industry handles personally identifiable health information. It is composed of the Privacy Rule and the Security Rule. Together, these rules define what information is to be protected (whether it’s physical, oral, or electronic information), and how it should be stored, transferred, altered, destroyed, or shared.
The fines for violating HIPAA range from $100 to $1.5 million depending on the number of consecutive violations and the level of culpability determined after investigation. Particularly egregious cases can even result in jail time.
Still, HIPAA complaints are relatively uncommon. For all medical professionals in the USA (doctors, nurses, therapists, pharmacists, etc.), from April 2003 to September 2017, there were 165,175 complaints made. Of these complaints, 36,775 led to a full investigation, with 25,441 instances of corrective actions required.
Knowing all of this can make it feel like the situation is totally under control.
But, here’s where things get a little less comfortable.
The average person isn’t going to know about HIPAA. And they aren’t going to ask about data handling policies before choosing a health care provider. I know that this had never crossed my mind until I started researching all of this. There’s a blind trust there.
So, most people aren’t going to know what to look for in order to complain in the first place! In fact, they may even be actively participating in risking their information.
I recently spoke with an individual who offers HIPAA consulting for therapy practices. He suggested that the privacy issue may be a lot more widespread than you would imagine, claiming that several practices he has worked with regularly ask for sensitive information over public networks like Facebook!
And, when you think that each corrective action that needed to be taken could affect tens to thousands of people – depending on the size of the practice – each with their most sensitive personal information on the line, every reported case begins to feel a little more sinister.
The fact is, the health industry runs on information. And when you have people who are trained in the health field, but not so much in IT, mistakes are going to get made in how that data is handled. Even providers who have policies in place may not take the time to update policies and software as they start to become obsolete. Or, they may hire contractors to work on their systems who do not know how to properly handle sensitive medical data.
The opportunities for mistakes are numerous.
MedPro compiled some of the worst cases here, as a cautionary tale to medical professionals, including some precedents set in landmark cases.
So, the next time you visit any type of medical provider, especially small practices that may not have funding for HIPAA consulting or consistent software updates, you may just want to inquire about their privacy policies…
We would love to hear what you think about the situation. Is HIPAA enough? Should there be more information available to the public about their rights to privacy? Do you know what to look for?
Let’s take this conversation to Twitter!
You can tweet us @expertdepos and/or use the hashtag #expertdepostech