We Still Aren’t “Getting It”!

Here we are, more than six years after the Privacy Rule deadline in 2003, and I am still trying to teach Covered Entities (CEs) and Business Associates (BAs) that Protected Health Information (PHI) is a valuable commodity to criminals. The crooks know that PHI has real, monetary value, but CEs and BAs are still learning this most important HIPAA lesson.

Until HIPAA-regulated entities really start to “get it” about the dollar value of stolen PHI, criminals will continue to have the advantage. That’s not a good situation.

It’s critical to understand that PHI (medical charts, billing files, etc.) has economic value to criminals. PHI is worth money on the international black market and is bought and sold 24 hours a day over illegal channels. More and more criminals know this and are exploiting it. Even Los Angeles’ notorious street gangs, once known for their lock on drugs, prostitution and gambling, are moving into identity fraud, the LA Times reported in 2008.

It’s easy to see bundles of records as so much paper, even when we understand intellectually that personal medical information is highly sensitive and confidential.

Try This with Real Dollars

Try this metaphor on for size: Imagine that a real US $20 bill is stapled to the inside front cover of every single file or record in your facility. Now imagine leaving piles of such “monetized” medical records simply lying around with no armed guard or other security. We wouldn’t do it. Instinctively, we know that bundles of cash deserve special protection. Unfortunately, most workers in healthcare jobs don’t automatically think that way about PHI. But PHI is equivalent to currency in the criminal mind.

In Value to Criminals: Medical Record = Wallet

In fact, much of the actual data in a person’s wallet is identical to the data in their medical records, with less clinical information of course: name, home address, SSN, birth date, phone numbers, family contacts and pictures, banking and credit card data, allergy notices and other “first responder” medical data, etc. All these items reside in both wallets and medical records. And we know how devastating it would be if our own wallet fell into criminal hands.

Teach Your Workforce that PHI Has Value to Criminals

Some entities fear teaching this concept to their workforce because, they say: “we don’t want to give them any ideas!” They’re afraid that telling employees that PHI is worth money to criminals will tempt employees to go out and find crooks to sell PHI to. I believe that’s a mistaken view. Banks are filled with workers who all know their product is ‘valuable’, and banks take appropriate security steps to manage that risk – at least, most of the time!

Use Human Nature to Help Protect PHI

If I accidentally left my own wallet in your HIPAA-regulated facility, any honest employee who found it would know automatically – instinctively – to do two things right away:

  1. Notify Mr. Weintraub that his wallet was obviously misplaced and has now been found.
  2. Lock up the wallet and keep it safe while in possession of it.

If you see parallels here between 1.) Breach Notification; and 2.) Securing and Protecting PHI, then you deserve kudos, because that’s exactly what this is all about.

If your workforce knew that PHI is worth money to criminals, they would instinctively protect it, much as bank employees instinctively protect the cash they work with. To a healthcare workforce that’s ignorant of this, PHI may be sensitive, personal, and confidential – but it’s still only so much data, so much paper.

But to criminals, PHI spells “CASH!”
