NORMAN — Recent trips to the doctor’s office have once again led me to question the security of my private medical and financial information. While most people turn a blind eye to how patient records are handled by their favorite doctor or hospital, the security of such records has never been more important.
It’s my observation that, while most doctors, nurses and secretaries have at least heard of the Health Insurance Portability and Accountability Act (HIPAA), many of them aren’t really aware of what is required by the law, and a shocking number of health professionals couldn’t seem to care less.
HIPAA basically states that doctors, nurses, office staff, insurance agencies, attorneys, secretaries, vendors, and anyone else who handles patient data must ensure that names, addresses, telephone numbers, social security, credit card, insurance, bank account and other identifying numbers that make their way onto computers must be protected from loss, corruption and unauthorized access.
Computers should not be left unattended in unlocked rooms. Anti-theft measures should be in place. Computers and file systems should be password protected, and particularly sensitive files should be encrypted. Antivirus and anti-hacker measures should be in place. Patient data stolen by thieves or hackers, destroyed by accidents such as a storm, or damaged by a computer virus has lost its privacy, has lost its integrity, or has become unavailable. All three situations can be considered violations, incurring non-compliance citations.
A case in point is Providence Health & Services, a Seattle, Washington-based health care organization, which was once punished to the tune of $100,000 for lax security policies. An investigation by the U.S. Department of Health and Human Services revealed that Providence had experienced the loss or theft of numerous laptop computers, CDs and backup tapes that contained the private medical records of over 386,000 Providence patients. Sadly, none of the lost or stolen information was encrypted or password-protected. Providence is also being forced to implement a rigorous security program designed to stop such unconscionable losses.