Digital Devices Create Privacy Challenges

Abner — Sun, 23 Aug 2009 22:31:38 +0000

It seems like every new cellphone model these days comes with a camera. And many, like the Apple iPhone, also contain audio recorders. In fact, it’s getting hard to find digital devices that don’t record images, video, or audio. But for Covered Entities (CEs) and Business Associates (BAs) trying to protect PHI, these devices create serious privacy and security challenges.

“Reasonably Anticipated” Threats

HIPAA requires CEs and BAs to protect PHI against all “reasonably anticipated” threats. The problem is, many CEs and BAs don’t know how serious the “digital device” threat is to their PHI. On the other hand, HIPAA entities can’t claim that these threats couldn’t be “reasonably anticipated”, because this issue is being covered in the general, technical and medical media increasingly often.

So what’s a concerned CE or BA to do?

What Can Be Done?

The first step is to research the potential for abuse in your organization. You should be able to answer the following questions:

How and where are digital devices and recordings being used in your facility now?
How will you deal with employees and physicians’ use of digital devices for recording images, video, and audio?
How will you deal with patients and visitors using these devices?
What are the legitimate recording uses, if any, for such devices in your facility?

Based on the answers to these questions, you should create clear policies and guidance for the workforce, patients and visitors. Policies should be circulated to everyone and employee “sign-offs” should be obtained to establish workforce “agreement” to abide by the policies. Consider having patients sign a form laying out the rules and restrictions on recording with digital devices. And consider posting signs in patient and visitor areas that say “No Photography Allowed”, “Recordings Prohibited”, or something similar.

A Variety of Approaches

CEs and BAs today are taking a variety of approaches to digital devices and the recordings they can produce, including:

Banning all cameras, camera-phones, and audio recording devices from the premises. (Very hard to enforce.)
Banning digital devices from patient-care areas. (Easier to enforce, but still problematic.)
Establishing clear policies and restrictions on usage, but not banning the physical presence of relevant digital devices. (More realistic, but still difficult to enforce, as many devices are small and can be used surreptitiously.)
Ignoring the problem or deferring the issue till “later.” (The riskiest approach of all.)

No “Magic Bullet”

There is no “magic bullet” solution for the privacy and security challenges posed by digital recording devices. Nevertheless, CEs and BAs must attempt to address these challenges somehow, even if only to demonstrate to a judge or jury — after a breach — that they were not guilty of “willful neglect”. Remember, HIPAA violations that involve “willful neglect” carry new investigative and penalty requirements under the recent ARRA expansion to HIPAA. Be careful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

An Epidemic of Medical Records Breaches

Abner — Sun, 23 Aug 2009 21:57:58 +0000

Where will it end? It seems that incidents of medical records breaches are still on the rise, with no end in sight.

Whether it’s from stolen laptops, rogue wi-fi hotspots, employee snooping, or determined hackers, data breaches and losses are skyrocketing. The problem is so acute, that even organizations that track data breaches are amazed at the scope of the data breach problem.

Medical Records Have Financial Value to Criminals

Why is this happening in such a big way? The answer is money. Medical records, and other comprehensive personal records like mortgage applications, have financial value to criminals. Criminals buy and sell people’s personal records on underground websites and channels because those records are used to create false identities and commit fraud.

The attractiveness of medical records to criminals is one of the main reasons why the HIPAA regulations require such strong protections for PHI. Covered Entities think their records are just paper. But to criminals, medical records are gold.

Foreign crime syndicates see the potential payoff from I.D. theft. And even common street gangs are, in some cases, turning away from drugs and prostitution and moving into I.D. theft.

HIPAA Requirements are Only a Starting Point

Remember, HIPAA’s Privacy and Security Rule requirements are only a minimum “floor” of protection that every entity should have in place no matter what. It also takes effective training, awareness of how criminals work, and due diligence to prevent data breaches. And you can be sure of one thing: prevention is easier and much, much cheaper than dealing with a data breach. Be careful!