Whether it’s a senior’s first fitting for a hearing aid, or a baby boomer in for a collagen injection, both are closely scrutinizing new patient forms handed to them by the office clerk. With 100 million medical records breached and stolen to date, patients have every reason to be reluctant when they’re asked to fill out forms that require their social security number, driver’s license, insurance card and date of birth — all the ingredients for identity fraud. Patients are so squeamish about disclosing their personal information, even Medicare has plans to remove social security numbers on patients’ benefits cards.
Now patients have as much concern about protecting their medical records as they do about receiving quality care, and they’re getting savvy about data protection. They have every right to be assured by their physician that his practice is as concerned about their privacy as he is about their health.
But despite ongoing reports of HIPAA violations and continuous breaking news about the latest widespread patient data breach, medical practices continue to treat ePHI security as a lesser priority. And they neglect to train front office staff so the patient who now asks a receptionist where the practice stores her records either gets a quizzical look, or is told they’re protected in an EHR but doesn’t know how, or they’re filed in a bank box in “the back room” but doesn’t know why.
In some cases, the practice may hide the fact that office staff is throwing old paper records in a dumpster. Surprisingly this happens over and over. Or, on the dark side, the receptionist accesses the EHR, steals patients’ social security numbers and other personal information and texts them to her criminal boyfriend for medical identity theft.
Another cybercrime threatening medical practices comes from hackers who attack a server through malware and encrypt all the medical files. They hold the records hostage and ask for ransoms. Medical records can vanish and the inability to access critical information about a patient’s medical condition could end up being life threatening.
Physicians should not only encrypt all mobile devices, servers and desktops, regularly review system activity, back up their servers and have a disaster recovery plan in place, etc. they should also share their security practices and policies with the patient who asks how his office is protecting her records.
Otherwise, the disgruntled patient whose question about security is dismissed won’t only complain to her friends over coffee, she’ll spread the word on Facebook. Next time a friend on Facebook asks for a referral the patient tells her not to go to her doctor — not because he’s an incompetent surgeon but because he doesn’t know the answer when she asks specifically if the receptionist has unlimited access to her records.
And word gets out through social media that the practice is ‘behind the times.’ The doctor earns a reputation for not taking the patient’s question seriously, and for not putting the proper measures in place to secure the patient’s data. This is the cockroach running through the restaurant that ends up on YELP.
It’s time to pull back the curtain and tell patients how you’re protecting their valuable data. Hand them a HIPAA security fact sheet with key measures you’ve put in place to gain their confidence. For example, our practice:
- Performs annual risk assessments, with additional security implemented, including encryption and physical security of systems that contain patient information.
- Shows patients that the organization has policies and procedures in place
- Trains employees on how to watch for risks for breaches
- Gives employees limited access to medical records
- Backups systems daily
- Performs system activity regularly
Practices that communicate to patients how they are protecting their information, whether it’s provided by the front office staff, stated in a fact sheet or displayed on their websites, not only instills confidence and maintains their reputations, they actually differentiate themselves in the market place and attract new patients away from competitors.