There have been several high-profile data breaches recently at health care providers. You've probably heard about them, including the massive breach at Anthem that affected 80 million patients. Earlier this month, Software Advice released the results of an online survey. It found:
"...45 percent of patients surveyed are “very” or “moderately concerned” about a security breach (which we defined as their medical records and/or insurance information being accessed without their consent, and potentially resulting in identity theft). We also asked the 45 percent who are very or moderately concerned to list the reasons behind their level of concern... The highest percentage of respondents (47 percent) say they are concerned about becoming the victim of fraud or identity theft."
When criminals use stolen health care credentials, it is usually to gain access to expensive treatments under the victim's name, and/or to gain access to prescription drugs. The victims are often liable for any co-payments. Experts warn that resolving medical identity fraud can be costly and time-consuming, and can require plenty of effort and expertise, since the victim's medical records have been corrupted with the thief's medical and health information.
The researchers surveyed 243 people. The survey explored how patients' security concerns affect their relationships with their physicians:
"... we asked respondents whether data security concerns lead them to withhold personal health information from their doctors. We defined “personal health information” as including their own (or their family’s) prescription, mental illness and substance abuse history. While the majority of our sample (79 percent) say this “rarely or never” happens, it is significant (and unfortunate) that 21 percent of patients withhold personal information from their physicians specifically because they are concerned about a security breach."
That equals one in every five patients withholding personal information. And, there's more. Many patients fail to read the privacy notices from their physicians or health care providers:
"... we wanted to see how many actually read the Notice of Privacy Practices (NPP) at their doctors’ offices. NPPs are written explanations of how a provider may use and share health information, and how patients can exercise their privacy rights. Patients usually get NPPs (which typically look like this) during their first visit to a health care provider. HIPAA requires NPPs be presented to all patients, but patients do not necessarily have to read or sign the forms. In fact, 44 percent of our sample tell us they “rarely or never” read NPPs all the way through before signing, and 3 percent simply “never sign” them."
The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act are laws enacted to protect patients' privacy and medical information. The HIPAA law specifies which health care providers and entities (e.g., "covered entities," "business associates," "subcontractors") are required to comply with HIPAA privacy and data security requirements. The U.S. Department of Health & Human Services (HHS) federal agency operates the official HIPAA privacy web site.
So, too many consumers (and especially teenagers) have a bad habit of ignoring privacy policies at health care providers, just as they ignore privacy policies at websites in general. (Granted, the legalese makes most privacy policies difficult to understand. And, many mobile app developers avoided publishing privacy policies, until forced to do so.) That must change because consumers are only hurting themselves.
Another key finding from the survey:
"... 54 percent of respondents say they would be “very” or “moderately likely” to change providers as a result of their personal health information being accessed without their permission. Digging deeper, we asked patients in that 54 percent if there would be anything their provider could do to retain them in spite of a breach... While 28 percent say there is nothing their provider could do that would convince them to stay, the greatest percentage of our respondents (37 percent) would stick with their doctor if they provided specific examples of how the practice’s security policies and procedures had improved after the breach."
Patients were especially likely to switch health care providers if the breach was caused by staff members. Good. It's one way to hold health care providers accountable when they fail to protect patients' sensitive medical information. And, good data security and privacy makes for good health care practices. After a data breach, it is even more important for health care providers to perform explicit actions to regain patients' trust.
Informed consumers know that their medical information is very valuable to criminals. How valuable? The Pittsburgh Post-Gazette reported:
"The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud... Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care... Hackers also can comb through clinical information, looking for material to blackmail wealthy or powerful patients..."
The newspaper described the troubling history and increasing number of data breaches in the health care industry:
"In 2011 and 2012, combined, there were 458 big breaches involving a total of 14.7 million people, according to the federal Department of Health and Human Services. In 2013 and 2014, there were 528 involving 19 million people. Around 10 percent of breaches stem from hacking, while around half are physical thefts of records or computers. The rest are inadvertent losses, unauthorized disclosures or improper disposals of health information."
You can browse details about many of those breaches in this blog. Select "Medical Fraud" or "Health Care/EHR" in the categories tag cloud on the right.
Another privacy threat for consumers arises when non-covered entities, like social networking websites and fitness apps, collect medical and health information. Consumers don't realize that when they share personal medical information with non-covered entities, they lose HIPAA privacy and data security protections.
Who are these non-covered entities? The Privacy Rights Clearinghouse website provides a good description of HIPAA basics, including:
"Here are just a few examples of those who aren’t covered under HIPAA but may handle health information: life and long-term insurance companies; workers' compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities); agencies that deliver Social Security and welfare benefits; automobile insurance plans that include health benefits; search engines and websites that provide health or medical information and are not operated by a covered entity; marketers; gyms and fitness clubs; direct to consumer (DTC) genetic testing companies; many mobile applications (apps) used for health and fitness purposes; those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions; certain alternative medicine practitioners; most schools and school districts; researchers who obtain health data directly from health care providers; most law enforcement agencies; many state agencies, like child protective services; courts, where health information is material to a case"
So, the next time you hear a corporate apologist claim that breaches at health care providers don't matter, you now know how ridiculous that claim is. Breaches matter to patients. Hence, they matter. Period. No excuses. If health care entities archive data in cloud services, they'd better protect it and commit sufficient resources. Smart health care providers listen to their patients' needs. Woe to those that don't.
What are your opinions of the survey?