With the revamping of the federal HealthCare.gov insurance website, the Affordable Care Act has entered its second year – Obamacare 2.0. In the new year, one often-overlooked problem involves the security of patients’ private information – protected health information (PHI) and personal and financial data.
Even with all the security measures taken to safeguard this information, protected by law does not necessarily mean protected in fact.
Enrollees on the ACA exchanges must enter a host of personal and financial information on the HealthCare.gov site before signing up for a health plan. This information is at risk of unwanted disclosure as it is shared among government agencies and health insurers. At the same time, domestic and foreign cyber-attacks are on the rise for private and public databases, with hacking threatening to compromise data on the exchanges.
The government is taking steps to reduce exposure. But how can hospitals better protect patients’ personal data? First, hospitals should keep only the minimum necessary patient information required to transact business. And second, they should store patient information in as few Web-enabled locations as possible.
These two steps will reduce unauthorized revelations through unintentional and intentional employee actions, technical system errors and criminal attacks. The main sources of data breaches continue to be employee misconduct, errors and negligence, such as stolen or lost computing devices. Hospitals and other healthcare providers have a responsibility to address these concerns in their compliance protocols.
But the problem is much larger than hospitals, most notably affecting the insurance industry. The cost of healthcare has increased noticeably with known breaches to government websites and other insurance-related databases.
Attacks on websites remind everyone to remain vigilant: patients and their healthcare providers; government agencies; and business organizations that act as intermediaries or otherwise have access to this information, like hospitals and their vendors.
For example, the inadvertent release of a patient’s Social Security Number, address and/or date of birth can be more problematic than theft of credit card information. Indeed, the patient can cancel the credit card, but identity thieves use the Social Security Number to open fraudulent bank and credit accounts under the person’s name.
Hospitals are no longer simply caregivers – they are key depositories of sensitive personal and financial information. Compliance with HIPAA helps avoid penalties, government audits, and the imposition of corrective and remediating steps. But in order to secure patient information, providers must aim to exceed, not just meet, HIPAA standards.
Anderson & Quinn, LLC is a renowned law firm based in Rockville, Maryland, providing individuals, businesses, corporations, and healthcare institutions with the legal and litigation support they need.