By Christian Gitersonke, CEO, Health Insurance Answers
Theft of protected health information (PHI) has been around almost as long as organized healthcare in this country. As technology has evolved and safeguards have been put in place to protect it, criminals have found ways to exploit the oftentimes inadequate and sloppy handling of our personal health data.
Regardless of the technological safeguards in place, one of the greatest exposures we see is employees writing down PHI on a notepad or Post-it note and throwing it in the trash can at a desk, or deliberately walking out with the information to sell on the dark web. Another glaring problem is that employees often do not realize that the data they are exposing constitutes a breach, and they inadvertently release it to those who may do harm.
Many low-level healthcare crimes start at the most basic level. A disgruntled clinic employee or a biller looks to make extra money, and the gate is open. Dealing in stolen PHI is also a lot less risky for many would-be identity thieves than other forms of fraud, because the bogus billing is slow to be noticed. The process for starting a Medicare-approved service, Durable Medical Equipment (DME) company or home health agency has traditionally been an easy one. Once established, all the thieves need to do is secure a few readily available facts about a patient and then go to work billing for services and products, without the patient being any the wiser for a long period of time.
With little to no regulation of medical billers, front office staff and even certain clinical support staff, healthcare is a free-range market for thieves. Where did the breach originate? Many times it is difficult to identify the source, or whether the exposure was intentional.
Outsourcing healthcare job functions overseas invites PHI compromise and data breaches
Do patients know what their data is used for when it is collected? Do they know where that data is stored? Are they advised how their PHI is handled when seeing a doctor or healthcare provider? When your healthcare provider changes, does that information stay behind for good, or is it destroyed once it is handed off to the next healthcare professional? What happens when the physician uses a dictation service or a billing service based in another country? Does HIPAA reach these entities? In practice, no. Even the most robust business associate agreement binds an offshore vendor only on paper; HIPAA's enforcement reach does not extend abroad, and so it does not protect this information from falling into the wrong hands. To add a scarier aspect to all this, many providers do not realize that some or all of their services are offshored, away from the protection of HIPAA. To date, there is no general requirement for a vendor to disclose this. If the provider does not know, you can all but guarantee the patients do not know either.
Solutions & Challenges
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996; one of the law's principal purposes is to protect sensitive patient information. Other objectives of the Act were to combat waste, fraud and abuse in health insurance and healthcare delivery. It brought much stiffer civil penalties for those who breached the newly imposed regulations (raised further by the HITECH Act of 2009) and longer sentences for those convicted of healthcare fraud. Even with stiff financial penalties for breaches, the problem has not abated and continues to grow.
The Centers for Medicare & Medicaid Services (CMS) threw its hat into the ring to curb the fraud, waste and abuse that had gone on for decades within CMS-regulated programs. The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) required the Department of Health and Human Services (HHS) to issue new Medicare cards that no longer display the cardholder's Social Security number, no later than April 2019. In the past, all a would-be criminal needed to commit fraud was a copy of a patient's Medicare card, which carried the Social Security number, and a date of birth. Of course, the fraud was rampant.
One suggested solution to this challenge would be to require medical providers and facilities to guarantee the security of patients' private information and to impose additional penalties on those who expose it. It is worthy of consideration.
The key component that has been missing for decades is transparency for patients. There are few other services we receive in life where we do not know exactly what we are being charged and what the charge is for. Imagine having your car serviced and being given a cryptic statement that does not clearly list what is to be done or how much each item costs. You would have no way to compare, to see whether what you were about to receive was even comparable, reasonable or necessary. And to boot, you are told there is no way to estimate your cost, but please sign here agreeing that, whatever the cost, you will pay it. Imagine grocery shopping this way, or having your yard landscaped in this manner.
Audit reports of employee activity, even something as simple as who ran, accessed, printed and downloaded reports containing patient data, can go a long way toward giving internal management a handle on what is happening with this very sensitive data on a daily and ongoing basis.
A strong cyber defense can identify trends and anomalies in people's behavior, which is the first step in stopping cyber criminals before they ever get started. Recently, an IT employee with the State of California copied more than 1,400 COVID test results for no apparent reason. Understanding the motivation behind what healthcare cyber criminals are doing gives us clues as to how to get ahead of them and implement the right technology solution to stop them before they get started.
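The two paragraphs above argue for audit reports of who touched patient data and for spotting anomalies in staff behavior. The script below is an added example, not code from the author or from any EHR vendor, of the simplest version of that check: it parses an audit trail, counts the distinct patient records each user opened per day against an assumed per-role ceiling, and flags bulk actions (export, print, download) outside business hours. The log format, user names, roles, thresholds and working hours are all assumptions chosen for illustration, and the log lines are constructed, not real.

```python
"""Flag bulk or out-of-role PHI access in an EHR-style audit trail.

Added example; the log format, roles, limits and hours are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed line format: ISO-8601 UTC timestamp, user, role, action, patient id.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Assumed ceiling on distinct patient records a role may open per day.
# A role with no clinical or billing need (here "it") gets 0, so any
# chart access by that role is a finding; unknown roles also default to 0.
ROLE_DAILY_LIMIT = {"nurse": 40, "biller": 60, "it": 0}
BULK_ACTIONS = {"EXPORT", "PRINT", "DOWNLOAD"}
WORK_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC

# Constructed sample audit lines (not real data). cwu is an IT account
# exporting records late at night; one line is deliberately malformed.
SAMPLE_LOG = """\
2023-06-01T09:02:11Z user=asmith role=nurse action=VIEW patient=P1001
2023-06-01T09:05:40Z user=asmith role=nurse action=VIEW patient=P1002
2023-06-01T09:14:02Z user=bjones role=biller action=VIEW patient=P1003
2023-06-01T09:15:10Z user=bjones role=biller action=PRINT patient=P1003
2023-06-01T09:16:55Z user=bjones role=biller action=VIEW patient=P1004
2023-06-01T10:00:00Z malformed entry
2023-06-01T22:41:07Z user=cwu role=it action=EXPORT patient=P1006
2023-06-01T22:41:08Z user=cwu role=it action=EXPORT patient=P1007
2023-06-01T22:41:09Z user=cwu role=it action=EXPORT patient=P1008
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def analyze(log_text):
    """Return a list of findings, each {'user', 'rule', 'detail'}."""
    per_user_day = defaultdict(set)  # (user, role, date) -> patients touched
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip blank or malformed lines instead of crashing
        per_user_day[(ev["user"], ev["role"], ev["ts"].date())].add(ev["patient"])
        if ev["action"] in BULK_ACTIONS and ev["ts"].hour not in WORK_HOURS:
            findings.append({
                "user": ev["user"],
                "rule": "after_hours_bulk",
                "detail": f'{ev["action"]} of {ev["patient"]} at {ev["ts"].isoformat()}',
            })
    for (user, role, day), patients in per_user_day.items():
        limit = ROLE_DAILY_LIMIT.get(role, 0)
        if len(patients) > limit:
            findings.append({
                "user": user,
                "rule": "volume_over_role_baseline",
                "detail": f"{len(patients)} distinct patients on {day} "
                          f"(limit {limit} for role {role})",
            })
    return findings


def flagged_users(findings):
    """Sorted list of users that triggered at least one rule."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f["user"]:8} {f["rule"]:26} {f["detail"]}')
```

On the constructed log the nurse and the biller stay under their limits, while the IT account produces three after-hours export findings plus one volume finding, which is the pattern the California incident above describes. In a real deployment the role limits would come from observed baselines rather than fixed numbers, and the per-day buckets would be widened to catch a slow drip of a few records a day.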
Real Time Access
When patients can see changes happening to their health record in the same way we can check our credit report, this theft and fraud can come to a grinding halt. If you were able to see any new charges paid on your behalf today, rather than weeks, months or years later, it would offer a real-time solution to combating this ever-growing problem.
In the age of one-click ordering and speedy delivery, we take for granted the security, or lack thereof, behind some of our most important and guarded personal information: our private health information. Making informed decisions and giving the right type of consent to those who handle this information is vitally important, and ultimately the responsibility falls to the patient. As in many other facets of life, personal responsibility is king. When in doubt about where your personal health information will end up, demand to know who else will have access to it, when it will be accessed and how long it will remain accessible; these are all questions we have a right to have answered to our satisfaction.
About the Author
Christian Gitersonke is the CEO of Health Insurance Answers. He has run multiple revenue cycle management companies on behalf of physicians, works closely with electronic health record organizations, and advocates for patients' rights, the protection of protected health information, and transparency in healthcare. Christian is endorsed by providers as well as community organizations that seek to make healthcare work for patients through protection and proper disclosure. He also serves as an advisor on multiple boards for post-secondary education.
Christian can be reached online at firstname.lastname@example.org, https://www.facebook.com/healthinsanswers, https://www.youtube.com/channel/UCbia0MOqTYGEFZ2ZRAosLDQ and at our company website http://www.healthinsanswers.org