When hackers infiltrated Target and Home Depot, consumers were once again reminded of the vulnerability of their personal information. But big retailers aren’t the only ones at risk — your family doctor’s office could unwittingly divulge much more sensitive details than your credit card number.

Michael Murray, an attorney with Drummond Woodsum in Portland, is on a bit of a crusade to convince health care organizations to take their patients’ privacy more seriously. While physician practices, hospitals and other providers often cite the federal law that protects the confidentiality and security of health information — the 1996 Health Insurance Portability and Accountability Act, or HIPAA — many remain unprepared to fully meet its requirements, he said. The federal government began enforcing the law’s privacy rules in 2003, and many providers are still catching up, said Murray, who represents smaller health care organizations and consumers facing privacy violations.

“Our health information is what’s on the line — very private, sensitive information about who we are, what kinds of decisions we’ve made in our lives, what kind of partners we have,” Murray said. “And the only thing stopping that from getting out to the public is the goodwill and hard work of the administrators at health organizations.”

Hackers are increasingly targeting hospital computer networks, including an August attack on a rural health company with hospitals across the country that compromised the personal information of 4.5 million patients. But shadowy programmers aren’t responsible for most health care data breaches. Health care organizations themselves are more often the culprit, with nearly 70 percent of all breaches since 2010 resulting from lost or stolen devices, according to a 2014 report by Bitglass. Under the federal breach notification rules, a lost or stolen device whose data was encrypted in line with government guidance generally does not count as a breach of unsecured patient information at all, which is why encrypting portable devices matters so much.

Think of the laptop a therapist takes home at night to catch up on work or the flash drive the IT guy leaves in his car, Murray said.

“You can have 5,000 patient files on something the size of a paperclip,” he said.

Complying with HIPAA is no small feat, requiring health organizations to map out every potential security weakness, from locking storage rooms for paper files to encrypting thousands of electronic patient medical records, he said. Administrators must develop protocols to address conceivable threats, train staff on those measures and often purchase expensive software, maintaining ongoing vigilance to protect patients’ information.

“That is the heart of HIPAA, and that’s the thing that takes a long time,” Murray said. “Even most well-meaning health care organizations want to avoid it because it’s such a hard thing institutionally for them to do.”

While bigger organizations, such as hospital systems, have more resources to throw at the HIPAA challenge, smaller providers may struggle to dedicate time and staff, Murray said. The law reaches beyond health providers such as doctors, nurses, dentists, therapists and substance abuse counselors: insurance and billing companies, accountants and other vendors that handle patient information on a provider’s behalf must comply with it as well.

Many health care organizations struggle with following through on the many steps required to protect patient information, Murray said. He cited the 2007 case of a New York surgical center that inadvertently revealed to an adult woman’s parents that she had an abortion by calling her house instead of her cellphone, as she’d specifically instructed.

“It’s not easy for a health organization to take a request to call back a patient only in a certain way or to send information only to a secure email,” he said. “The reason it’s not is they have thousands and thousands of patients. They certainly want to; they’re usually not malicious.”

Here are a few tips to protect your private health information:

— Look for your provider’s notice of privacy practices, which spells out the policies and procedures the office has adopted under HIPAA. “If you’ve never been handed one of those or you go to your health provider’s website and there’s nothing there about HIPAA compliance, there’s no notice, that’s a big red flag,” Murray said.

— Health entities must “tell on themselves” by reporting to the government any known security breaches. They also have to inform the affected patient. If more than 500 patients are involved, the media must often be alerted, he said.

— If you suspect you’re not getting a straight answer, you have the right to ask your provider for an accounting of disclosures of your health information, which covers improper disclosures as well as routine ones. You can also file a complaint about a suspected breach with the Office for Civil Rights at the Department of Health and Human Services, which enforces HIPAA.

I'm the health editor for the Bangor Daily News, a Bangor native, a UMaine grad, and a weekend crossword warrior. I never get sick of writing about Maine people, geeking out over health care data, and...
