This post also appeared in The Tennessean, where Concept Technology has a bi-weekly feature in the Business section.
“Let’s talk health care.”
That short sentence has sparked some of the most engaging social, economic, ethical and political conversations over the past few years, and the conversations keep on coming. You’d be hard pressed to find someone who hasn’t attended a networking event, read an opinion piece or spent a night at the family dinner table tackling the issue of health care within the last month.
In the technology sector, the health care conversation always comes back to security. As a general advocate for online and electronic privacy, I strongly believe it is your right and mine to keep our health information private.
As a business leader, I understand that “right” isn’t a given, but something organizations have to work at every day to keep up with evolving technology and compliance. Keeping PHI (Protected Health Information) safe requires a managed IT process and data handling policies.
The Health Insurance Portability and Accountability Act of 1996 places limits on how your health information can be used and shared. HIPAA’s original enforcement provisions were weak, so in 2009 the federal government enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, which gave HIPAA teeth: mandatory breach notification, audit provisions and substantially larger monetary penalties.
According to the U.S. Department of Health and Human Services’ data on HIPAA breaches affecting 500 or more individuals, 52 percent of PHI breaches are caused by theft. The second-most likely cause of a breach is unauthorized access or disclosure (17 percent).
Understandably, mobile technology has thrown a wrench into HIPAA compliance. Fifty-five percent of the devices involved in HIPAA breaches affecting 500 or more individuals were mobile (laptops, tablets, smartphones, etc.), followed by desktops (22 percent), network servers (17 percent) and email (6 percent).
So what can we do about this? Organizations can work with a security expert to assess and mitigate their compliance risks, and consumers can help protect their information as well.
Here are three things you can do:
- Don’t share your health information with organizations not covered by HIPAA. HIPAA regulates health care providers, health plans and health care clearinghouses (along with the business associates that handle PHI on their behalf), but it doesn’t cover every organization billing itself as a “health” entity these days. For example, if you’re using applications like WebMD or MyFitnessPal and posting health problems on the apps’ message boards, you need to understand that this information isn’t protected by HIPAA.
- Protect your home computers. If you use your home computers to store or access health information online — or if you’re using email to discuss a health issue — be sure these devices and applications are protected with strong passwords. Length matters more than special characters: use a long passphrase that is unique to each account, and let a reputable password manager generate and store it rather than reusing one password everywhere. If your provider’s patient portal offers two-factor authentication, turn it on. Change a password promptly if you suspect it has been exposed, rather than on a fixed schedule. And since theft is the leading cause of breaches, turn on full-disk encryption (BitLocker on Windows, FileVault on a Mac, or the built-in encryption on your phone) so that a stolen laptop or tablet doesn’t expose what is stored on it.
- Don’t forget your paper files. While this column focuses on technology, decidedly nontech things like hospital bills, insurance statements and prescription drug bottles can put your private information at risk as well. Shred paper files before you discard them, and peel off or black out the labels on prescription bottles.