How to Prevent Identity Theft via Stolen or Compromised Medical Data

Accurate medical data entry is indispensable for clinicians and hospital staffs to make informed decisions and improve the quality of care. Medical data is the backbone of any healthcare organization. It consists of information such as patient details, medical history, insurance details and other details of a highly sensitive and personal nature. In order to protect this patient data, state and federal laws like HIPAA (Health Insurance Portability and Accountability Act) have introduced proper methods for storing medical records and destroying them once they have passed their retention period.

Why Should You Protect Your Medical Records?

Medical records contain personal information of patients that should be protected from identity theft. The identity thieves use the personal information of an individual to gain access to credit cards, health benefits and other monetary benefits. A hacker may use a patient’s name or health insurance number to file a claim with the insurance provider, and this may mix up your information with the identity thief’s data. For instance, a man from Colorado was billed $44,000 for a surgery that he never had. Later it was found that his social security number was stolen and used by someone else.

Employees Mishandling Medical Records

Privacy of patient details has to be maintained and it is the responsibility of the employees who handle the medical records to maintain this confidentiality. Improper use or any damage to the medical records can result in huge fines for healthcare providers. Despite strict security regulations and HIPAA privacy, data breaches are common. Data breaches can be caused due to unintended disclosure of data like sending records to the wrong mail or sometimes employees disregard HIPAA rules. Following are two instances of data breaches that led to hefty fines.

• The Department of Health and Human Services and the Indiana community healthcare provider Parkview Health System reached an $ 800,000 HIPAA settlement in 2014. According to the investigation, the Parkview employees had left boxes containing medical records of up to 8000 patients unattended on the driveway of a physician who they had been told was not home that day.
• In 2015 the Department of Health and Human Service Office for Civil Rights (OCR) settled with a Denver based Healthcare provider, Cornell Pharmacy, for $ 125,000 following the discovery of around 1,600 patient medical records left in an open container on Cornell Pharmacy’s premises.

Protecting Medical Data from Data Breaches and Identity Theft

Every healthcare unit should implement measures to keep patient records that are in paper charts out of the hands of identity thieves and ensure the safe and efficient storage of medical records. If the medical records have passed the retention period then destroy those documents. According to the Department of Health and Human Services, a properly destroyed medical record is defined as a medical record that is unreadable, indecipherable or cannot be reconstructed. According to HSS standards, the ideal way of destroying medical records is by shredding the documents. There are two types of shredding:

• Offsite Shredding: Offsite shredding is ideal for destroying huge volumes of medical records. Hospitals can hire a shredding service, where a shredding truck comes to the location, collects the documents that need to be destroyed, transports the documents to a secure place for shredding.
• Mobile Shredding: This is an innovative technique where shredding box trucks equipped with industrial shredders help in shredding the medical records while the healthcare providers watch. The documents that need to be destroyed are collected in locked bins and lifted into the shredder and in this way the shredding company will not come in contact with the sensitive medical records.

Guidelines to Remember

With every year the number of data breaches keeps on increasing; and HIPAA and other privacy violations lead to huge fines being imposed on the erring parties. Hospitals and other medical units are taking efforts to protect medical records and ensure that they are stored securely. Here are some of the guidelines that should be kept in mind:

• Employees should be informed about any updates: Privacy laws and measures for storing and destroying medical records keep changing, so it is important to keep the hospital employees updated about the changes. Educate them about HIPAA Privacy and Security Rules that govern the transmission of all electronic patient data. This prevents mishandling of medical records by employees.
• Have a proper destruction method: Improper disposal of paper medical records is another reason for identity theft. So make necessary arrangements for efficient disposal of medical records.
• Digitize the records and ensure that they are stored securely: Health records can be digitized stored with proper encryption and this reduces the risk of violation of privacy laws or hacking of medical data. Encryption is the key element to avoid data breach. Although HIPAA does not require data to be encrypted, it is important to ensure that the patient data is encrypted. Data in motion can be encrypted using a virtual private network (VPN) or a secure browser connection.
• Protect hardware such as servers, network endpoints, mobile and medical devices that are vulnerable.

Protecting the Organization against Theft and Other Fraud Activities

Fraudulent activities with medical records have drastically increased with new technological developments including electronic medical records. Entities maintaining medical records must take all necessary measures to prevent falling victims to these threats. Here are some tips to prevent data breaches in medical data.

• Conduct a risk assessment: Conduct a risk assessment of the IT system in accordance with the HIPAA Privacy and Security Rules that govern the transmission of all electronic patient information prevent data breaches. This will help identify any likely threat.
• Monitor records and devices: Make sure that the employees are watchful of electronic devices or paperwork, which are unattended. IT department should ensure that the patient information is safeguarded and employees should be reminded of keeping the data safe.
• Develop a strict BYOD policy: Bring Your Own Device Policy should be very tight and security guidelines should be strictly followed.
• Manage identity and access stringently: Manage the identity of users and make sure that only authorized users are granted access to patient data. This ensures safety and efficiency of data.
• Examine service-level agreements carefully: If you are moving patient data to the cloud, make sure that you have a thorough understanding of the Service Level Agreement (SLA) and also ensure that the SLA complies with the HIPAA state privacy laws.
• Create subnet wireless networks: The networks provide data for public use but make sure that the private information is not exposed. So create a sub network for guest activity, and a separate and secure network for medical devices and applications using patient data.
• Hold business associates accountable for IT security policies: Healthcare organizations have many vendors who have access to patient data. Therefore Business Associates should provide security and risk assessment and develop a reliable process for reporting data breach.

When it comes to data and its vulnerability, medical data entry is an essential element in healthcare organizations and it is important to ensure that necessary security measures are in place. As we move towards an increasingly evidence-based healthcare system, it becomes more and more critical for providers to embrace data for numerous reasons, but with reliable data entry company healthcare units can ensure absolute safety of their medical data.