The Danger to Patients When Health Information Privacy Isn’t Protected

In December 2016, Fairbanks Hospital in Indianapolis issued a statement on a potential patient data breach. Two months prior, Fairbanks became aware that files on its internal network containing patient information were electronically accessible to Fairbanks employees who should not have had access to them. An outside investigation determined that this issue had existed since at least November 2013.

While the hospital noted in its statement that it was unaware of any actual or attempted misuse of the protected health information, the incident is typical of the challenges healthcare systems across the country are facing. According to records kept by the Department of Health and Human Services (HHS), 10 breaches affecting 500 or more individuals occurred in January 2017 alone. More tellingly, a September 2016 report issued by the U.S. Government Accountability Office (GAO) found that breaches of electronic health information systems involved more than 115 million records in 2015, with “serious adverse impacts such as identity theft, fraud, and disruption of healthcare services.” The number of affected records has grown significantly since tracking began.

Improving privacy at the federal level

Following its report, the GAO made five recommendations for improving privacy; among them, it said HHS should update its guidance for protecting electronic health information. HHS agreed to take action on the following:

  • Update security guidance for covered entities and business associates to ensure the guidance addresses the implementation of controls described in the National Institute of Standards and Technology Cybersecurity Framework
  • Update technical assistance provided to covered entities and business associates to address technical security concerns
  • Establish performance measures for the Office for Civil Rights (OCR) audit program

HHS also agreed to consider revising its current enforcement program to follow up on whether corrective actions are actually implemented, and to establish and implement policies and procedures for sharing the results of investigations and audits between OCR and the Centers for Medicare & Medicaid Services (CMS), so that compliance by covered entities and business associates with HIPAA and the HITECH Act can be better verified.

The GAO report acknowledges that organizations have struggled to implement the HIPAA Security and Privacy Rules. HHS data from 2015 shows that some of the thorniest implementation challenges are performing risk assessments and developing the risk management plans that document how identified risks are to be addressed.

Stakeholders across the private sector have told the GAO that building risk management programs under the HHS guidance is difficult because the requirements are not clearly defined. The GAO's recommended updates are intended to make it clearer what an organization must do to show that all requirements have been adequately addressed.

Unauthorized access, however, is only one of the factors driving patient mistrust.

Concerns over authorized data misuse

Respondents to the latest Black Book survey are also greatly concerned that their data on pharmacy prescriptions (90%), mental health notes (99%), and chronic conditions (81%) is being shared beyond their chosen provider and payer with retailers, employers, and/or the government without their knowledge. That lack of knowledge and control over their own health information is one of the biggest factors behind the dangerous levels of distrust. And again, patients are right to be leery.