Here we are, more than six years after the Privacy Rule deadline in 2003, and I am still trying to teach Covered Entities (CEs) and Business Associates (BAs) that Protected Health Information (PHI) is a valuable commodity to criminals. The crooks know that PHI has real, monetary value, but CEs and BAs are still learning this most important HIPAA lesson.

Until HIPAA-regulated entities really start to “get it” about the dollar value of stolen PHI, criminals will continue to have the advantage. That’s not a good situation.

It’s critical to understand that PHI (medical charts, billing files, etc.) has economic value to criminals. PHI is worth money on the international black market and is bought and sold 24 hours a day over illegal channels. More and more criminals know this and are exploiting it. Even Los Angeles’ notorious street gangs, once known for their lock on drugs, prostitution and gambling, are moving into identity fraud – the LA Times reported in 2008.

It’s easy to see bundles of records as so much paper, even when we understand intellectually that personal medical information is highly sensitive and confidential.

Try This with Real Dollars

Try this metaphor on for size: Imagine that a real US $20 bill is stapled to the inside front cover of every single file or record in your facility. Now imagine leaving piles of such “monetized” medical records simply laying around with no armed guard or other security. We wouldn’t do it. Instinctively, we know that bundles of cash deserve special protection. Unfortunately, most workers in healthcare jobs don’t automatically think that way about PHI. But PHI is equivalent to currency in the criminal mind.

In Value to Criminals: Medical Record = Wallet

In fact, much of the actual data in a person’s wallet is identical to the data in their medical records, with less clinical information of course. Name, home address, SSN, birth date, phone numbers, family contacts and pictures, banking and credit card data, allergy notices and other “first responder” medical data, etc. All these items reside in both wallets and medical records. And we know how devastating it would be if our own wallet fell into criminal hands.

Teach Your Workforce that PHI Has Value to Criminals

Some entities fear teaching this concept to their workforce because, they say: “we don’t want to give them any ideas!” They’re afraid that telling employees that PHI is worth money to criminals will tempt employees to go out and find crooks to sell PHI to. I believe that’s a mistaken view. Banks are filled with workers who all know their product is ‘valuable’, and banks take security appropriate steps to manage that risk – at least, most of the time!

Use Human Nature to Help Protect PHI

If I accidentally left my own wallet in your HIPAA-regulated facility, any honest employee that found it would know automatically – instinctively – to do two things right away:

1. Notify Mr. Weintraub that his wallet was obviously misplaced and has now been found.
2. Lock up the wallet and keep it safe while in posession of it.

If you see parallels here between 1.) Breach Notification; and 2.) Securing and Protecting PHI, then you deserve kudos. Because that’s exactly what’s what this is all about.

If your workforce knew that PHI is worth money to criminals, they would instinctively protect it, much as bank employees instinctively protect the cash they work with. To a healthcare workforce that’s ignorant of this, PHI may be sensitive, personal, and confidential – but it’s still only so much data, so much paper.

But to criminals, PHI spells “CASH!”

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Yours truly took a long needed mini-vacation last weekend to Yosemite National Park – my first-ever visit to spectacular Yosemite. My 55th birthday was last weekend, and the idea was to get away from the pressures, the meetings, the calls — away from HIPAA — for a few days to clear my head.

So there I was, driving into Yosemite valley in the rental car, awestruck at the raw beauty, the magnificence, the splendor… the ARRA (American Recovery and Reinvestment Act)?

Yes readers, in the midst of the Yosemite wilderness, imagine my surprise when I rounded a curve in the steep road and saw this…

ARRA at Work in Yosemite

I was dramatically reminded, as people in the HIPAA world easily forget, that the ARRA is accomplishing much more than expanding HIPAA. There, in the wilds of Yosemite, was the ARRA, funding road and infrastructure improvements to one our greatest national parks!

So the next time somebody asks you what the ARRA has achieved, point to HIPAA expansion, breach notifications, tougher sanctions… and yes, Yosemite!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Various types of online social networks are apparently the “next big thing” in relationships, and they are changing the nature of human interactions. But social networks also pose a major threat to the PHI Covered Entities (CEs) and Business Associates (BAs) are entrusted with.

Peer-to-Peer Networks Expose PHI

Researchers at Dartmouth College probed peer-to-peer (P2P) networks recently to try and determine the extent to which private medical data is exposed on these networks. Over a two-week period, what they found was shocking…

• A spreadsheet from an AIDS clinic with 232 client names,including Social Security numbers, addresses and birth dates.
• Databases for a hospital system that contained detailed information on more than 20,000 patients, including Social Security numbers, contact details, and insurance records, along with diagnosis information.
• A 1,718-page document from a medical testing laboratory containing patient Social Security numbers, insurance information, and treatment codes for thousands of patients.
• More than 350 megabytes of sensitive patient reports from a group of anesthesiologists.

According to the article above…

In all, researchers found hundreds of documents revealing sensitive information on tens of thousands of patients.

The full Dartmouth report is also available as a PDF download (858 Kb).

Personal Social Networks Are Another PHI Threat

P2P networks are different creatures than what are sometimes called “personal social networks” (PSNs). Personal social networks include sites like MySpace and Facebook, where people go (usually) to meet and fraternize with other like-minded people.

Exposure of PHI on personal social networks has already been identified as a growing problem. Increasingly, people are use their MySpace, Facebook, and other social network pages to vent their gripes about their doctors and their medical care.

So here are some critical questions you should consider…

• Do you know if you or your practice has been mentioned (positively or negatively) in any of your patients’ social network pages?
• What would you do if you found your patients’ PHI exposed on such sites? What could you do?
• How extensively are your employees using social networks? Are patients being discussed? Is any PHI being disclosed?
• Do you have a written policy regarding personal social networks, P2P networks, and similar online social channels?

It’s later than you think on this front. Your patients, vendors, and the crooks out there are likely farther along than you are in dealing with these issues. The HIPAA implications are enormous, especially with the ARRA’s new Breach Notification rule kicking in shortly.

Overall, the most important question you need to answer is:

Where’s your PHI?

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.