By Yvonne Li, Cofounder and VP of Business Development at SurDoc
In recent years advances in healthcare information technology have given patients a more dynamic and comprehensive healthcare experience. However, the rapidly changing landscape makes privacy and security threats a greater issue. As required by the HITECH Act, the U.S. Department of Health and Human Services maintains an active list of health information breaches that have affected 500 or more individuals. According to this list, there have been more than 100 breaches since January 2014, ranging from hundreds to thousands and, in some instances, millions of patients affected. Many of these breaches involve the theft or loss of data storage devices such as desktop computers, laptops and thumb drives. Hacking incidents and unauthorized access are also prominent.
Data breaches will continue to increase in number and scale as long as outdated storage and sharing practices remain in use. Penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule range from $100 to $50,000 per violation.
Healthcare providers need to ensure they are taking every precaution to protect the privacy and security of shared information, and should consider the following:
All patient data should be encrypted, both “at rest” and in transit.
Data “at rest” should always be protected with strong, industry-standard encryption, such as full-disk encryption on every laptop and mobile device that holds patient records. Note that disk encryption only protects a device that is lost or stolen while powered off or locked; a device left unlocked exposes its data regardless of encryption. Practices and policies that allow employees to take laptops home should therefore be limited. According to a recent survey from Forrester Research, only 59% of healthcare IT professionals said they encrypt devices such as laptops, smartphones or tablets.
Some forms of information exchange should never be used for such sensitive information.
Email, CDs, and online file-sharing or storage services that are not HIPAA compliant should never be used. Ordinary email provides no end-to-end encryption: messages and attachments sit in readable form on the sender's, the recipient's and any intermediary mail servers, and a single compromised mailbox exposes every record it ever received, as the periodic email hacks reported in the news media illustrate. CDs and thumb drives are easily lost or stolen, while also being inefficient and costly. If online or cloud-based storage is used, the service must be HIPAA compliant. Under HIPAA rules, it is the responsibility of the healthcare provider to ensure the safety of patient information.
Capitalize on opportunities to educate patients.
Educating patients on the risks of non-secure sharing methods and “leaks” of their private information should be a goal for healthcare providers. With medical identity theft now the fastest-growing type of identity theft, at an annual growth rate of 32 percent, it is imperative that patients learn proper storage and sharing practices for their personal files. According to the Identity Theft Resource Center in San Diego, more than 1.8 million Americans were victims of medical identity theft in 2013 alone.
Not only can providers educate, they can also offer patients a secure service as an added value to their experience. Secure cloud storage and exchange services that provide a fast and convenient link between patients and doctors do exist. There are a number of HIPAA compliant services, such as the cloud-based HIPAA compliant data sharing and storage service SurMD, available for free or for a small cost, depending on the level of functionality and volume of storage the practice needs.
Ask the right questions when looking for a service provider.
Know your service provider inside and out: understand exactly what the service does and does not offer in terms of security controls and data breach compensation. The service should be able to log and audit send and retrieve activities between patients and doctors, so that unauthorized access can be detected and investigated. Knowing the location of your service partner's data center and its security and recovery procedures helps you judge whether your data remains protected and compliant in the face of a natural disaster or a security breach. In addition, the provider must be willing to sign a Business Associate Agreement (BAA), which HIPAA requires of any vendor that stores or transmits protected health information on your behalf, and which makes the vendor responsible for safeguarding that data and reporting breaches on its side.
As the demand for quick and direct communications between doctors, and between doctors and patients, grows, it is important to remember that not all methods of file sharing are created equal. Email, CDs and non-secure online and cloud-based storage services should be avoided when transferring private and critical medical data, both because they put patient privacy at risk and because of the additional costs they incur.
As a technologist and a business executive, Ms. Li's areas of expertise are cloud, mobile, enterprise and internet business models. She has also authored a number of business patents and developed two mobile engagement platforms for her two previous startups. Ms. Li has a bachelor's degree in electrical engineering from the University of Houston.