How often do we see Health Insurance Portability and Accountability Act (HIPAA) violations issued because a regulated entity did not secure the electronic records at its hospitals and small clinics? Large-scale security breaches, and sometimes reports of illegal sales of electronic medical records by various third-party sources, are in the news. In Massachusetts and New Hampshire, for example, an e-record vendor recently admitted to large-scale e-record breaches.
The FDA has provided some guidance on what is expected for e-records, but no real guidance on security. That may be one of the reasons that so many of the e-systems I have reviewed meet the minimum requirements yet still have security vulnerabilities.
But perhaps you’re not aware of another security breach: Your e-records are for sale to the highest bidder. They are being sold to insurance companies, debt collectors, and prospective employers. The 1996 HIPAA law left provisions for certain entities to access your entire medical record. Although some of the stolen or hacked e-records get sold—and that’s terrible, of course—in most cases when your e-records are sold it is done “legally.”
Securing medical e-records comes with a price, and even with some of the best security in place, there may still be a breach. In most business models for building e-record systems, security is last on the list. Sadly, it doesn't appear to be much different in the healthcare industry.
So what’s to be done? Will it take a 21st-century modernization of HIPAA, written almost 20 years ago and before the e-record mandate? Or will we limp along with legislation that is increasingly showing its age?
In our digital age of e-records, the security of our records should be safeguarded because we pay for the care we receive. The Dept. of Health and Human Services as well as the U.S. Congress should be focusing on this, but they are currently distracted by advocating for or decrying Obamacare.
And speaking of Obamacare, that new law also has some troubling provisions about who is allowed access to your records, and some “interesting” exceptions to those provisions.
But don’t get me started on Obamacare implementation before we deal with HIPAA.
For now we can only trust (read: hope) but not verify who really has access to our medical e-records that are inadequately protected by a 20th-century law.
This article first appeared in the July 18, 2013, edition of the AssurX blog.