Various types of online social networks are apparently the “next big thing” in relationships, and they are changing the nature of human interactions. But social networks also pose a major threat to the PHI Covered Entities (CEs) and Business Associates (BAs) are entrusted with.

Peer-to-Peer Networks Expose PHI

Researchers at Dartmouth College probed peer-to-peer (P2P) networks recently to try and determine the extent to which private medical data is exposed on these networks. Over a two-week period, what they found was shocking…

• A spreadsheet from an AIDS clinic with 232 client names,including Social Security numbers, addresses and birth dates.
• Databases for a hospital system that contained detailed information on more than 20,000 patients, including Social Security numbers, contact details, and insurance records, along with diagnosis information.
• A 1,718-page document from a medical testing laboratory containing patient Social Security numbers, insurance information, and treatment codes for thousands of patients.
• More than 350 megabytes of sensitive patient reports from a group of anesthesiologists.

According to the article above…

In all, researchers found hundreds of documents revealing sensitive information on tens of thousands of patients.

The full Dartmouth report is also available as a PDF download (858 Kb).

Personal Social Networks Are Another PHI Threat

P2P networks are different creatures than what are sometimes called “personal social networks” (PSNs). Personal social networks include sites like MySpace and Facebook, where people go (usually) to meet and fraternize with other like-minded people.

Exposure of PHI on personal social networks has already been identified as a growing problem. Increasingly, people are use their MySpace, Facebook, and other social network pages to vent their gripes about their doctors and their medical care.

So here are some critical questions you should consider…

• Do you know if you or your practice has been mentioned (positively or negatively) in any of your patients’ social network pages?
• What would you do if you found your patients’ PHI exposed on such sites? What could you do?
• How extensively are your employees using social networks? Are patients being discussed? Is any PHI being disclosed?
• Do you have a written policy regarding personal social networks, P2P networks, and similar online social channels?

It’s later than you think on this front. Your patients, vendors, and the crooks out there are likely farther along than you are in dealing with these issues. The HIPAA implications are enormous, especially with the ARRA’s new Breach Notification rule kicking in shortly.

Overall, the most important question you need to answer is:

Where’s your PHI?

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

Whether it’s from stolen laptops, rogue wi-fi hotspots, employee snooping, or determined hackers, data breaches and losses are skyrocketing. The problem is so acute, that even organizations that track data breaches are amazed at the scope of the data breach problem.

Medical Records Have Financial Value to Criminals

Why is this happening in such a big way? The answer is money. Medical records, and other comprehensive personal records like mortgage applications, have financial value to criminals. Criminals buy and sell people’s personal records on underground websites and channels because those records are used to create false identities and commit fraud.

The attractiveness of medical records to criminals is one of the main reasons why the HIPAA regulations require such strong protections for PHI. Covered Entities think their records are just paper. But to criminals, medical records are gold.

Foreign crime syndicates see the potential payoff from I.D. theft. And even common street gangs are, in some cases, turning away from drugs and prostitution and moving into I.D. theft.

HIPAA Requirements are Only a Starting Point

Remember, HIPAA’s Privacy and Security Rule requirements are only a minimum “floor” of protection that every entity should have in place no matter what. It also takes effective training, awareness of how criminals work, and due diligence to prevent data breaches. And you can be sure of one thing: prevention is easier and much, much cheaper than dealing with a data breach. Be careful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.

It seems an Acton, Mass., family doctor closed his practice suddenly and had hundreds of patient files in storage.  The doctor was apparently evicted from his office as he was being pursued by state regulators for practicing without a license! As a result, the records in storage were in limbo, and were nearly auctioned off to the highest bidder, along with equipment and miscellaneous items belonging to the “doctor.”

This incident has a happy ending, as a local hospital has stepped up and offered to “rescue” the records. But not every case like this ends on an upbeat note. This kind of situation is created more often by careless Covered Entities who simply toss un-shredded records in the trash.

HIPAA Requires Destruction Before Disposal

Let’s be crystal clear here folks: HIPAA regulations require PHI to be destroyed before it is disposed of; and its is a HIPAA violation to dispose of PHI that has not been destroyed or rendered indecipherable. And HHS released new guidelines (PDF download) in 2009 on PHI destruction.

Don’t fall into such an obvious trap! Make sure your entity has a clear policy and procedures on PHI disposal and destruction. Train staff on the policy and procedures, and be certain your policy is followed consistently every time. This is a preventable HIPAA violation – be careful!

No related posts.

Related posts brought to you by Yet Another Related Posts Plugin.