Share this article on:
How Private are Medical Records?
The introduction of the Health Insurance Portability and Accountability Act’s Privacy and Security Rules have helped to ensure that patient data is properly protected.
The introduction of the Enforcement Rule has made a difference. Prior to the introduction of this rule, few covered entities made sufficient efforts to become compliant with HIPAA Rules. With the threat of financial penalties and sanctions, covered entities have improved policies, procedures and data security measures to keep data private.
However, a look at the Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal shows that healthcare providers, health plans and BAs of covered entities are still struggling to prevent patient records from falling into the hands of criminals.
Over 113 Million Medical Records Exposed in 2015 Alone
A recent study suggests that the risk of data exposure has not changed much in the past decade; although the breach reports issued to the OCR show that data breaches are exposing more patient health records. In 2014, 12.5 million patient health records were reported as having been exposed.
Discounting the massive data breach at Anthem, which exposed 78.8 million subscriber records, the total number of victims of healthcare data breaches has reached 21.7 million and there are still two months left in 2015.
Add the Anthem data breach figures and the total number of victims created by theft/loss of devices, cyberattacks, accidental disclosures, improper disposal of records and PHI transmission errors is 113,042,982. Over 100 million more exposed records than last year. More than 1 in 3 Americans have had their health records exposed in 2015. 35% of the population of the United States.
Patient Lose Trust in HIPAA-Covered Entities’ Ability to Keep Medical Data Secure
A new survey conducted by the University of Phoenix College Health Professions School indicates that patients do not trust their healthcare providers to keep data secure. Over 2,000 adults were asked about the security of their health data, and 83% of adults over the age of 50 expressed concern about the vulnerability of their data. The younger generation were less concerned, although 72% of that age group also expressed concern. Overall, 76% of respondents said they were concerned about the ability of their healthcare providers to prevent their data from being exposed in cyberattacks. Interestingly, when asked about the sharing of health data, 55% said they were somewhat comfortable or very comfortable, but 45% said they were not.
Healthcare providers face a dilemma. They need to share data and make them accessible, yet by doing so they run the risk of data being exposed. The answer is to utilize cybersecurity technology and work with security companies to ensure protections are put in place that permit data sharing – in accordance with HIPAA Rules – but guarantees are provided that data are properly protected.
Who Has Access to Healthcare Data?
45% of Americans are not comfortable with the sharing of their health data, but many do not know who data are shared with. What are the HIPAA Rules covering data sharing and who has access to confidential medical records?
Healthcare Information Sharing Under HIPAA Rules
45 C.F.R. § 164.506 of the HIPAA Privacy Rule permits the sharing of healthcare data without prior patient authorization; however only for three reasons: Treatment, payment, and healthcare operations (Legal, administrative, quality improvement etc.)
The Protected Health Information (PHI) of patients can be shared for the “provision, coordination, or management of health care and related services.” This includes consultations and patient referrals. PHI can be shared between healthcare provider and third parties, if sharing is related to the provision of treatment for patients.
PHI can also be shared by covered entities in order to “obtain or provide reimbursement for the provision of health care.” Health plans are permitted to share PHI to “obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits.” Prior authorization is not required for health plans to share data in order to assess eligibility, conduct risk adjustments, utilization reviews, and for billing and collection services.
Sharing of PHI is permitted for “population-based activities relating to improving health or reducing health care costs, protocol development, case management, and care coordination.” Covered entities are also allowed to share PHI for legal reasons, and other functions that are critical to the running of the business, provision of core treatment and payment functions.
HIPAA does not permit the sharing of patient data for financial gain.
Access Rights to Healthcare Data
While federal rules are now being largely adhered to by healthcare providers, health plans, healthcare clearinghouses and BAs, medical records are perhaps not quite as private as many Americans believe. Data sharing is strictly controlled, but HIPAA Rules on data sharing also allow health information to be shared with other entities.
For instance, HIPAA Rules allow Protected Health Information to be shared with the government and law enforcement agencies. Federal subpoenas are issued by the thousand every year, in fact judicial approval is not actually required before medical records are shared with the government.
Reason must be provided before records are disclosed. That said, the Office of the Inspector General is permitted access to patient medical records if information is deemed to be relevant to cases of healthcare fraud. Data can also be shared with the Department of Justice in this regard. The Drug Enforcement Agency is also permitted access to patient health records, as are Relators.
In a report on the privacy of medical records by the Daily Caller News Foundation, Robert Rhoad, partner at law firm, Crowell & Moring law, believes the issuing of administrative subpoenas to release medical records “raises constitutional challenges.” He explained to the Daily Caller that “With respect to civil investigative demands and administrative subpoenas, there has been a sharp uptick in the issuance of those in the last few years.” Medical records are being shared frequently with government departments.
Cybersecurity Information Sharing Act of 2015
In order to counter the cyber security threat, the senate is currently working on pushing through the Cybersecurity Information Sharing Act of 2015. One of the main aims of the act is to remove the barriers that are currently restricting the sharing of data: Data which could prove vital in the fight against cybercrime. Should the act be passed, it would allow organizations in the United States to share data, which is likely to include PHI and PII of patients, with the Director of National Intelligence (DNI), Department of Justice (DOJ), the Department of Homeland Security (DHS), and the Department of Defense (DOD). The act will protect holders of data from liability resulting from sharing data without first having received consent from patients.
Healthcare data is private and confidential, and protections are (mostly) put in place to ensure patient privacy is protected. But, how private are medical records? Not quite as private as many Americans may believe.