Medical Privacy in the Digital Wild

The uproar about Obamacare notwithstanding, I, for one, am thankful for health insurance. COBRA's ridiculously expensive insurance offer following my layoff two years ago was a joke, so I resolved to go back to practicing DIY health care. Then along came Obamacare. As a frequent freelancer, I'm used to long stretches of time without health insurance, but this past year was different. For the most part, being covered has been a blessing.

For the most part. From the beginning there were several administrative glitches, the worst of which was being told on the day of an appointment that the doctor no longer carried my insurance, and unless I wanted to pay out of pocket, he wouldn't be able to see me.

"But my tooth is killing me!" I cried. "Why didn't someone call me?"

"Sorry," said the receptionist, who clearly was not sorry.

This happened to me twice in 2015, with two different doctors. It was stressful enough to have to find care on the fly, but now I'm also concerned about the security of my medical records as they travel from one office to the next. If, as the Associated Press reported, Healthcare.gov initially shared our private information with Google, Twitter, Yahoo, etc., and if it's true that health care organizations have not, by and large, built a secure infrastructure for our records, then what hope do we have for keeping our precious information safe?

Some doctors still maintain paper files on patients, some are migrating to digital, and others are fully online. Clearly there are plenty of fault lines in the system. The health care industry looks like one huge, lucrative data hunting ground for hackers.

HIPAA, the Health Insurance Portability and Accountability Act passed by Congress in 1996, is supposed to guarantee that

...health care providers and organizations, as well as their business associates, develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.

According to a white paper by McAfee, the big cyber security company, "Patient confidentiality continues to grow as a leading concern for healthcare organizations." A study conducted by the Medical Identity Fraud Alliance (MIFA) found that more than two million patients were victims of identity theft in 2014. "Given the high volume of medical records and personal information leaked by healthcare providers and payers, organizations are now more focused on reducing how much unprotected PHI [Protected Health Information] they store and shrinking the target hackers go after so that fewer patients are exposed to the risks of medical identity fraud," says Todd Feinman, CEO, Identity Finder LLC.

One way information leakage occurs is in the day-to-day communications among medical professionals. In fact, another study found that 90 percent of health care organizations do not use HIPAA-compliant messaging apps. According to Ben Moore, Founder/CEO of TelMedIQ, a company that provides HIPAA-compliant communications solutions to the health care industry, opportunities for security breaches abound in the "tens of millions of phone calls that occur every day between doctors, nurses, and other clinicians throughout practices, hospitals, and healthcare systems. There are also huge volumes of patient calls to doctors and practices, some of which will go to voicemail. Patients will often leave PHI, which are HIPAA protected; however, voicemails, unlike other forms of communication, are not protected."

What we can do
After being dropped twice by doctors with no warning, I realized I was on my own. Ultimately we're all on our own. It's up to us, the health care consumers, to inform ourselves about what our doctors are doing to keep our medical records safe.

Erin Mackay, a health information technology specialist with the National Partnership for Women & Families, says the burden of protecting your sensitive personal information is on health care providers. She suggests changing doctors if you feel privacy standards are too lax.

If you have to leave a voicemail message for your doctor, do not mention any sensitive medical information. Remember, voicemails are not protected by HIPAA.

Protect the health information that you control. HealthIT.gov recommends the following:

  • If you store health information on your personal computer or mobile device, exchange emails about it, or participate in health-related online communities, be smart about it. Simple tools like passwords can help keep your health information secure if your computer is lost or stolen.

  • File a complaint. If you believe your information was used or shared in a way that is not allowed under the HIPAA Rules, or if you were not able to exercise your rights, you can file a complaint with your provider or health insurer. The notice of privacy practices you receive from them will tell you how to file a complaint. You can also file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights or your State's Attorney General's Office.

  • If you believe that an online company that is not covered by HIPAA, such as a message board, has shared your health information in a way that conflicts with the privacy policy on its website, you can file a complaint with the Federal Trade Commission.