Protecting patients medical data.

On December 4, 2012, two Australian radio DJ s called London’s King Edward VII’s Hospital, identified themselves, in fake British accents, as Queen Elizabeth and Prince Charles, and asked about a celebrity patient who had been admitted for pregnancy complications. A nurse, filling in at the reception desk in the early morning hours, answered the phone and, without attempting to verify the callers’ identities, transferred them to the duty nurse caring for the Duchess of Cambridge. The duty nurse then provided them with confidential patient information The Australian DJ s broadcast the phone call, considering it a humorous prank, but as the world knows, it had disastrous consequences.

How confident are U.S. hospitals, nursing homes, and physicians’ offices that their staff would appropriately deny patient information to an unknown caller?

Too often, unauthorized people succeed in extracting protected information from health care providers. Invasion of privacy also affects non-celebrities, when anyone seeks health information the patient has not chosen to share. More often, though, scam artists seek patients’ billing information for financial gain. The patient’s insurance identifier is then used by an uninsured person to obtain medical services or by a fraudulent health care provider to bill for medical services that were never rendered. Data security breaches and medical identity theft are growing concerns, with thousands of cases reported each year. The Centers for Medicare and Medicaid Services (CMS) tracks nearly 300,000 compromised Medicare-beneficiary numbers. The Office for Civil Rights has received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective action.

Beyond privacy concerns, breaches of health information security exact a weighty financial toll and endanger patients. Abuse of insurance identifiers drains money that would be better spent funding legitimate health care services. When Medicare and Medicaid overpay for services, taxpayers bear those costs. When private insurers overpay, policyholders face higher premiums and co-payments. The most obvious toll on the individual beneficiary is financial liability for services that are fraudulently obtained in the beneficiary’s name. The beneficiary may also run up against service limits when he or she later seeks reimbursable medical services.

And identity breaches can deliriously affect the quality of care. Incorrect information can infiltrate the beneficiary’s medical record and corrupt later medical decision making. Beneficiaries have been wrongly labelled as diabetic or HIV-positive when people with those conditions obtained services using a beneficiary’s medical identity. Pharmacists have rejected beneficiaries’ legitimate prescriptions and suppliers have refused to furnish needed wheelchairs when records have incorrectly shown that the beneficiary recently received the items in question.

Health care providers should better protect patients’ privacy and medical data. Traditionally, hospitals posted notices in elevators and cafeterias warning staff members not to discuss patients in public areas. The risk of electronic eavesdropping further complicates health care providers’ responsibility to protect patient privacy. In a series of compliance audits undertaken by the Office of Inspector General (OIG) of the Department of Health and Human Services, government auditors sitting in hospital parking lots with simple laptop computers could obtain patient information from unsecured hospital wireless networks.

Health care providers should follow best practices to ensure that computer networks are more secure. As progress continues toward the development of a national infrastructure for electronic health information, security of electronic data becomes increasingly important. Firewalls, strong security protocols, antivirus programming, and password protections are essential. Too often, health care professionals undermine password protection, remaining signed in under their usernames on multiple computers when the devices are out of their immediate control. The minor convenience this practice affords comes at the cost of greatly endangered data security. Automatic, timed logouts and employee training can address this problem. Similarly, attention to data security must not stop at the clinic doors; health care professionals should follow secure procedures when using portable electronic devices and home computers (see Steps to Protect and Secure Information When Using Mobile Devices).

Some patient data are stolen, whereas other data are volunteered by or elicited from helpful staff members or even the patients themselves. The OIG has warned Medicare and Medicaid beneficiaries about common scams perpetrated to obtain their insurance information. Health care providers should also educate staff members about protecting patient information. At times, people call physicians’ offices or hospitals posing as referring physicians, specialists, pharmacies, vendors, friends, relatives, or insurance representatives. Providers must teach their staff to authenticate such calls and release only information to which the caller is entitled.

Patients can be important partners in protecting privacy and combating identity theft. Providers and insurers can help educate patients to protect themselves. The OIG encourages health care providers to print multiple copies of the brochure it developed advising patients on ways to avoid falling prey to medical identity theft.

Insurers can also do a better job of protecting patient information. Ideally, all insurers would adopt best practices that experience has proven effective. For example, Medicare and many private insurers send beneficiaries explanation-of-benefits statements or other notices whenever a service has been charged to their insurance policies. Beneficiaries are encouraged to review these statements, even if no out-of-pocket payment is owed, since review affords an early opportunity to identify misuse of insurance benefits, such as claims submitted by a provider the beneficiary never used or for a service the beneficiary never received. Unfortunately, most state Medicaid programs do not routinely send such statements to beneficiaries, forgoing one effective tool for identifying security breaches early.

Federal law affords American patients strong privacy protections. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act established legal mechanisms to ensure privacy and security of medical identity and protected health information. HIPAA created transactional security requirements for the exchange of certain health information and regulated its disclosure. HITECH expanded HIPAA in a number of ways, including by requiring notification of victims of breaches of protected health information held by HIPAA-covered entities and vendors of personal health records. Unfortunately, however, practice often falls short of intended statutory protections.

CMS and the OIG have collaborated to create instructive educational materials offering best practices for promoting privacy and data security. It is crucial that patients and health care professionals work together to safeguard patient information and prevent security breaches. Patients and providers deserve greater assurance that the next time a health care professional answers the phone and it’s “London calling,” the inquiry will be handled properly and patient privacy and health data will be adequately protected.

 STEPS TO PROTECT AND SECURE INFORMATION WHEN USING MOBILE DEVICES.*