As a new year opens, we can look back at how changes made in 2009 will have ripple effects well into 2010, and how these changes act as a double-edged sword.
YEAR IN REVIEW
The year 2009 was another grim year for medical privacy, with data breaches that released the personally identifiable information (PII) or protected health information (PHI) of millions of Americans. With a number of large data breaches and exposures occurring at major pharmacy retailers, hospitals, health insurance providers and managed care programs, the last year of the decade was especially busy. While many of these incidents were the result of the improper disposal, or lack of destruction, of physical documents and paper files, a growing number involved the loss or theft of laptop computers and portable storage devices. Some medical data exposures were the result of outright intrusions into improperly secured networks. Overall, by confirmed counts, medical industry data breaches affected nearly 3 million individuals throughout the U.S. in 2009 alone.
While the sheer number of records exposed last year was immense, there were a few bright spots, namely updates to the key health privacy regulation known as the Health Insurance Portability and Accountability Act (HIPAA). These updates, carried out via the HITECH Act, included the first Federal data breach notification requirement for health information, mandating that individuals be notified if their PII or PHI is exposed without their consent. Even the method and model of HIPAA enforcement has changed, with privacy enforcement now funded in part by the fines levied against violators. The hope is that this will result in improved efforts by health care providers and insurers to secure the PII/PHI of the American consumer.
With all of that said, however, 2010 brings with it not only a new decade but the greater risk of data breaches and medical-related identity fraud -- even in light of new regulatory restrictions.
2010 AND MEDICAL REGULATORY CHANGES
The regulatory changes brought about in early 2009 by the HITECH Act, part of the President’s stimulus bill, will begin stirring changes in the medical industry from a privacy and data management perspective. This doesn’t even take into account the sea change that is about to happen in health care administration with the passage of the nation’s new healthcare plan. Individual states such as New Hampshire and California are regulating healthcare privacy more stringently than the Federal government. Overall, 2010 will be looked at as a year of transition for the medical industry, which will be “retooling” to begin meeting new regulatory requirements and mandates dealing with the security, privacy, storage and destruction of medical data. While these regulations may result in better managed care and privacy for the American patient in the long term, in the short term there is going to be some chaos, and chaos often breeds fraud.
One of the things that the HITECH Act did was put forth a lofty goal to create “…an electronic health record for each person in the United States by 2014.” Along with this came the call for better privacy requirements and enforcement under HIPAA. With the movement to electronic health records over the next four years, there is an emerging market for assisting medical offices, hospitals and other medical service providers with converting existing paper medical records into electronic medical records. Providers, both respectable and disreputable, are springing up selling solutions for converting to, managing and even securing these electronic records. And while some of these solutions will be well-thought-out, solid products, others may not be.
This could result in security holes in certain electronic health record systems, and even in data breaches during the paper-to-digital file conversion itself, when records are boxed, shipped, scanned and stored by third parties. The other issue that arises is the use of contractors by medical offices, hospitals and insurance providers to carry out these projects. As we have seen in a number of circumstances, access to private medical files by unauthorized personnel has been a problem at both California’s largest HMO and a top southern California university hospital. It is therefore reasonable to expect further problems in the future when it comes to converting paper-based medical record keeping systems to modern computer-based records.
Though the 2014 deadline is still some time away, as the economy improves and companies in the medical field begin to reinvest in IT infrastructure, they will be doing so with a thought toward how they will secure and manage electronic health records, and so 2010 will bring with it the risks associated with this conversion process.
INCREASED USE OF TECHNOLOGY
With the movement toward electronic health records, you can bet that doctors and hospitals will be leveraging the digital nature of these records to manage their patients more closely in 2010. This includes the ability of doctors to use smart phones to work on the go, monitor patients and access patient records. New smart phone applications even allow doctors to prescribe medication from the application itself. In fact, according to a report issued by Manhattan Research, 64% of doctors nationwide own smart phones, and that number is expected to rise to 81% by 2012.
But what happens when a doctor loses that phone? Access to confidential medical records can be gained quite easily if doctors fail to secure their iPhones, Blackberries or other smart devices: a phone with no passcode, no device encryption and no way to wipe it remotely hands over whatever records it stores, and whatever accounts it stays logged into, to whoever picks it up. Unfortunately, the recurring theme in data breaches during the past decade has been human error and the improper implementation of basic security safeguards like passwords and encryption. It is a virtual certainty that doctors will lose unsecured smart phones that store and access medical data. We know this will happen. So, as smart phone apps for doctors and for managing medical data find growing acceptance among medical practitioners in 2010, expect the potential exposure of medical records to grow this year as well.
THE RESULT OF MEDICAL DATA BREACHES
The problems associated with the loss of American patient and consumer data are manifold. Aside from the risks of traditional financial identity theft and fraud that can be carried out using PII, the growing risk of medical identity theft is serious. The use of a person’s PII or PHI by a medical identity thief to obtain medical services can result in fraudulent medical and pharmaceutical bills that eventually go to collections and damage the victim’s credit file. Uglier situations can result in denial of health insurance coverage, life insurance coverage and even denial of employment. The worst-case scenario is a medical identity theft victim who needs emergency medical services and is treated according to the blood type, allergies or contraindicated medications recorded for the identity thief, to whom the hospital had previously provided care under the victim’s name.
These scenarios are real possibilities for many Americans as our PII and PHI are exposed on a more regular basis. While most exposures result in no misuse at all, a small percentage of the data left unprotected by healthcare providers and insurers is used by criminals and fraudsters to obtain medical treatment, and even to defraud medical providers and insurers for devices like electric wheelchairs and other high-dollar items that are often resold or never actually delivered. This adds to the high cost of medical services for all of us, and can be a nightmare for anyone who has to actually undo the web of fraud that is medical identity theft.
THE PATIENT AS CONSUMER
So, with all of the gloom and doom regarding the growing risk of exposure of Americans’ PII and PHI, what can we do to protect ourselves in 2010 and the new decade? Patients have to recognize that in this day and age, they are consumers of services. As consumers, we all need to be diligent about making sure that the medical services and charges associated with our identities are accurate. This means regularly checking to make sure you are not a victim.
Here are some things you can do to reduce your risk of being a victim of medical identity theft:
Check your insurance plan’s explanation of benefits (EOB) statements for any unusual treatments or services that you don’t recall receiving.
Request an annual statement or itemized list of all claims billed under your name from your insurance company. Fraudsters often change the mailing address on record, so you may not be receiving your EOB statements at all; a missing statement is itself a warning sign.
Check your credit file periodically to see if any medical-related collections or charges are noted. Better yet, sign up for a credit monitoring service and be alerted to changes in your credit file as they happen.
Avoid disclosing your Social Security number to your doctor, dentist or other medical provider. There shouldn’t be a need for them to collect it unless you are on Medicare/Medicaid or a similar state program. If they insist, ask why they need it and have them explain it to you. If you are still uncomfortable, take your medical needs somewhere else.
Treat your insurance card like a credit card. Keep track of it and report it to your insurer immediately if it is lost or stolen.
Regularly obtain copies of your medical records from your medical providers. There may be a cost, but it allows you to review the visits and services recorded under your name, and gives you a baseline copy in case those records are ever altered.
Eduard Goodman is chief privacy officer at Identity Theft 911.