MedCity Influencers

Protected Health Information – How secure is it?

With the expansion of Health Information Exchange across the country and the near-instant availability of medical records, it is becoming harder to secure patients' protected health information (PHI). This is why robust data security and confidentiality safeguards are of paramount importance to patients, providers and vendors alike.

Under the HIPAA Privacy Rule, PHI is defined as: “Information that is created or received by a covered entity and relates to the past, present, or future physical or mental health of an individual; providing payment for health care to an individual; and can be used to identify the individual. It excludes health information in employment records held by a covered entity in its role as employer”. A covered entity is a health plan, a health care clearinghouse, or a health care provider (a medical practice, a clinic or a large hospital) that transmits health information electronically in connection with a HIPAA-covered transaction; the Privacy and Security Rules are enforced by the HHS Office for Civil Rights.

The identifiers that make health information "individually identifiable" under the Privacy Rule include names, financial account numbers (credit card numbers among them), certificate or license numbers, vehicle identifiers and serial numbers, device identifiers and serial numbers, URLs, Internet Protocol (IP) addresses, biometric identifiers and full-face photographic images; these are among the identifiers that must be stripped before a record counts as de-identified under the rule's safe-harbor method. The companion HIPAA Security Rule applies to PHI in electronic form (ePHI) on any technology or medium used to create, store or transmit it: personal computers with internal hard drives, external portable drives, magnetic tapes, removable storage devices, smartphones and PDAs.

A majority of patients are in favor of Electronic Medical Records and Health Information Exchange but are concerned about the privacy of their healthcare data. Patients are primarily concerned about unauthorized disclosure of their information, including PHI exposed through EMRs and patient portals. Any impermissible disclosure of such information is a HIPAA violation, which can result in substantial civil penalties for the disclosing party.

To avoid any incident in which patient information is disclosed to a third-party organization or another healthcare organization without the patient's consent, medical practices and their policies need to comply with both the Privacy Rule and the Security Rule of HIPAA. If they do not, patients will be reluctant to reveal sensitive information, or will make it harder for organizations to access their medical data, and a national Health Information Exchange system will be difficult to achieve.

In view of the above, organizations have two options. They can give patients considerable control over how their health information is shared, or they can avoid segregating a patient's sensitive information from the rest of the health record and instead protect the integrated record with concrete controls: authentication, access control limited to the minimum necessary for each role, audit logging of every access, and the other safeguards the Security Rule calls for. The second approach raises the level of protection for confidential information while ensuring that the treating provider can see every piece of information needed to make an accurate decision about the patient's condition and treatment plan.
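The following is an added illustration, not code from the MedCity post or from any EHR vendor, of what "access control plus audit" over an integrated record can look like. It assumes users are already authenticated upstream (the user id and role are trusted inputs), a hypothetical per-role policy that defines the minimum-necessary sections each role may read, and a constructed sample chart with no real patient data. The audit log is hash-chained so that editing or deleting a past entry is detectable; denied requests are logged just as granted ones are.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample chart: one integrated record, with the sensitive
# mental-health section kept alongside the rest rather than in a separate file.
RECORD = {
    "patient_id": "P-0001",
    "demographics": {"name": "Jane Doe", "dob": "1980-01-01"},
    "medications": ["lisinopril 10 mg daily"],
    "mental_health": {"dx": "F41.1", "note": "follow-up in 4 weeks"},
    "billing": {"insurer": "Example Health Plan", "account": "ACC-123"},
}

# Hypothetical minimum-necessary policy: the record sections each role may read.
POLICY = {
    "treating_clinician": {"demographics", "medications", "mental_health"},
    "billing_clerk": {"demographics", "billing"},
}

GENESIS = "0" * 64  # chain anchor for the first audit entry


def _digest(entry: dict) -> str:
    # Canonical JSON so the hash does not depend on key ordering.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = dict(event, prev=prev)
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self) -> bool:
        """Recompute the chain; any edited, inserted or removed entry fails."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev") != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def read_record(user_id: str, role: str, sections, record: dict,
                log: AuditLog, now=None) -> dict:
    """Return the requested sections only if the role may read all of them.

    Fails closed: one unpermitted section denies the whole request. Every
    attempt is written to the audit log before any data is returned.
    """
    requested = set(sections)
    allowed = POLICY.get(role, set())        # unknown role -> nothing allowed
    denied = sorted(requested - allowed)
    log.append({
        "ts": now or datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "role": role,
        "patient": record["patient_id"],
        "sections": sorted(requested),
        "outcome": "denied" if denied else "granted",
        "denied_sections": denied,
    })
    if denied:
        raise PermissionError(f"{role} may not read {denied}")
    return {s: record[s] for s in requested if s in record}


def demo() -> tuple:
    """Run the two access patterns the text contrasts and a tamper check."""
    log = AuditLog()
    # A treating clinician sees the integrated chart, sensitive section included.
    chart = read_record("dr.lee", "treating_clinician",
                        ["demographics", "medications", "mental_health"],
                        RECORD, log, now="2024-01-01T00:00:00+00:00")
    # A billing clerk asking for mental-health notes is refused, and the refusal is logged.
    try:
        read_record("clerk1", "billing_clerk", ["billing", "mental_health"],
                    RECORD, log, now="2024-01-01T00:00:01+00:00")
        outcome = "granted"
    except PermissionError:
        outcome = log.entries[-1]["outcome"]
    intact_before = log.verify()
    log.entries[0]["user"] = "someone.else"   # simulate after-the-fact tampering
    return chart, outcome, intact_before, log.verify()


if __name__ == "__main__":
    print(demo())
```

The policy here is deliberately all-or-nothing per request: returning a partial record silently would hide from the caller (and from the auditor reading the log) that a denial occurred. In a production system the role would come from the authenticated session rather than a function argument, and the audit log would be written to append-only storage, but the shape of the controls is the same.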

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.