What follows is an excerpt of an article by Michael L. Nelson, DPM, Vice President of Healthcare Strategy and Business Development for Equifax. It appeared in the Fall 2012 issue of the Journal of Healthcare Information Management.
“It’s not the tools you have faith in – tools are just tools. They work, or they don’t work. It’s people you have faith in or not.” ~Steve Jobs
If you extrapolate Mr. Jobs’s quote to a healthcare related extension, you’ll find that the general public’s fear of data breaches is rooted in the notion that systems aren’t foolproof—they’re hackable, too easily shared and age quickly. What the public is looking for is assurance that their personal and healthcare information are protected.
Addressing these concerns directly with their physician or his office staff may make a patient feel less vulnerable, but oral communication about data protection can only go so far. What could seal the deal is written documentation that addresses the specific processes that have been put in place to protect the patient’s information.
Government Privacy Initiatives
As health information exchange technology, standards and policies evolve, the privacy and security of protected health information (PHI), sensitive information (SI), and personally identifiable information (PII) is of the utmost concern. As a result, the HITRUST Common Security Framework, National Institute of Standards and Technology (NIST) and Data Use and Reciprocal Support Agreement (DURSA) all reference a “trust fabric” in order to comply with HIPAA privacy and security requirements. The trust fabric mandates that each constituent of a health information exchange is held accountable for HIPAA compliance—this includes both HIPAA Covered Entities and HIPAA Business Associates and their subcontractors.
Government regulators, standards organizations, and the healthcare industry all rely upon the “trust fabric” when they determine the necessary standards and policies to protect data including: access management, identity authentication, and email encryption. However, the public often has a different perception of “trust.” This is a major stumbling block in adoption of electronic health records and health information exchange.
Trust as an Issue
The healthcare industry must take into account the assumptions and experiences of the status quo. In order to do this, healthcare professionals may need to walk a mile in a patient’s shoes to understand his/her fear and reluctance to share personal information and then figure out how to overcome it.
When a patient hears the word “trust,” what he really wants and needs is “assurance.” Assurance can be a dicey proposition in our new-age world. First, there’s no such thing as a simple one-page contract. Most contracts resemble War and Peace and are written in arcane legalese. Secondly, our culture is rife with examples of lost trust, specifically with data privacy. Look no further than the scandals in Congress, the church or Major League Baseball to see why there’s a lack of public trust. Most people feel betrayed when seemingly respected organizations such as these are guilty of violations.
In light of the massive data breaches of patient records at Tricare, Sutter Healthcare and HealthNet, the ramifications of a data violation for facilities are severe from the patient’s point of view.
The breach of personally identifiable information may lead to identify theft which in turn can result in:
- Fraudulent financial activity such as drained bank accounts, damaged credit scores and loan denials.
- Criminal arrests as a result of crimes committed in the patient’s name.
- Fraudulent benefit filings such as unemployment or tax refunds.
In addition, the breach of protected health information or health plan information can lead to medical identify theft which in turn can result in:
- Costly procedures and medical tests for a stolen identity.
- Incorrect treatment or potentially life threatening adverse drug reactions from mixed patient/stolen medical record information.
- Getting turned down for life insurance because the insurance carrier believes that the applicant has a certain condition which in fact is not true.
- Employment denials due to medical records checks.
HIPAA Notice of Privacy Practices details the circumstances in which a patient’s information may be shared with other entities.
However, these notices don’t give ample assurance that a patient’s information is safe at the medical facility. Generic bromides such as “We take every precaution to make sure that your information is safe and secure” are condescending and simply not enough. Patients want written assurance that their data is secure from inappropriate access.
For more information about securing your patient records and other sensitive data, please contact one of our specialists.