Health Care Data Gets Around

Compared to medical record theft, the theft of chiropractic patient records isn’t much of a problem…yet. But because most chiropractic patients are also medical services patients, doctors of chiropractic may have an ethical responsibility to help their own patient/clients understand the risks they are currently facing by having their PHI in someone else’s hands–anyone’s–including, at some point, possibly yours. Think you and your patients are exempt? And how about your own personal health data?

The problem of health care data insecurity is enormous. As detailed in this article and others, since 2009, more than 1,149 health care covered entities and business associates have reported data breaches affecting more than 41 million Americans. On top of that, Anthem BlueCross suffered a data breach last year that exposed Social Security and other personal information of 80 million individuals, and 11 million more were exposed in the Premera breach reported earlier this year. More than 60% of covered entities with responsibility for PHI data security are not in compliance with federal standards, yet only 7% were even audited in 2014.

Why is this such a problem? The short answer is, securing data isn’t easy. Specific data can be encrypted, but many encryption codes can be broken, and most covered entities have such complicated (and often necessary) systems of access and permissions that keeping PHI secure isn’t easy. And even when covered entities have done the right thing, their business associates are often the weak link–as was true in the Premera breach noted above, similar to the Target credit card data breach in 2014 (a heating and cooling contractor was the entry point for the Target data loss).

One of the more important things doctors of chiropractic may be able to do to assist their patients with data security is to follow some of the guidance on the blog (disclosure: this is one of my consumer-facing health care education efforts). See in particular these posts:

There is also a very technically-worded form letter your patients can download and present to their health care providers that asks some pointed questions about the entity’s understanding of their own degree of compliance with federal standards. That letter is available here. The more people ask questions about their own PHI data security, the more those responsible for their security will have to take notice.

For doctors of chiropractic, one of the more important questions you need to consider asking is of your own business associates: your billing and coding services, data warehouses, cloud-based EMR/EHR vendors, and those hosting your own records and data if not on the cloud. The form letter listed above applies to you, too, as any covered entity or business associate you entrust your personal and patient/client data to is subject to the same security and reporting compliance requirements as hospitals, clinics, health systems and medical offices.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *