Hungry Hungry HIPAA

Hungry Hungry HIPAA illustration

Published June 5th, 2013 by Leveraging Logic
Written & illustrated by Micah Kearns

Health care providers had better watch out. There’s a beast lurking in the shadows waiting for a slip-up, and then it’ll pounce and gobble up thousands, or even millions, of dollars of your money. It’s the hungry, hungry HIPAA, and it’s got an eye on you.

The Department of Health and Human Services (HHS) has been levying fines against health care providers at an increasing rate as punishment for violations of the Health Insurance Portability and Accountability Act (HIPAA), which aims to protect the privacy and security of individually identifiable patient health information. As the rate of data breaches increases, HHS has been sternly ratcheting up the pressure to comply with HIPAA measures. Sensitive information on a lost USB drive, a stolen laptop or an unsecured server can now mean a million-dollar fine, weeks of mitigation, time-consuming audits and thousands of angry patients.

At first, only large data breaches attracted notice and were subjected to large fines, such as the $2.25M levied against CVS Pharmacy in 2009 for improperly disposing of patient records. But smaller and smaller data breaches have been catching the attention of HHS as it attempts to curb the steady leak of sensitive information. Recently the first fine was levied against a health care provider for a breach affecting fewer than 500 patients. As electronic medical records replace paper documents, hackers continue to outpace the security measures that are meant to protect the sensitive data they contain. Using Social Security numbers and dates of birth to identify patients only adds to the vulnerable data being stored, risking more with every breach.

Sensitive information is hard to protect when it is transferred between facilities, when it is stored on servers and when it is disposed of. A solution would be to remove sensitive identifying information from every patient document and replace it with an anonymized unique patient identifier. The identifier would then link the document to the patient’s account, which would be stored separately. Segregating data this way would drastically reduce the damage from a data breach of the document store, since a stolen document would carry no name, Social Security number or date of birth, and would ensure that medical records remain anonymous except to those who need them and have access to the separate account store.
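As an added illustration of the segregation scheme above (example code written for this page, not from the original post or from Leveraging Logic), here is a small Python model of it: a document store that holds only clinical content plus a random patient_id, and a separate vault that is the only place able to link that id back to a name, SSN and date of birth. The field names, the vault’s HMAC key and the sample patient record are assumptions constructed for the example. The last function shows the caveat a practitioner would insist on: the identifier must be random, not a plain hash of an identifier, because an unkeyed hash of a date of birth is reversed by simply enumerating dates.

```python
"""Pseudonymization with a segregated identity vault (added example)."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Optional

# Direct identifiers stripped from documents. Assumed field names for this
# example; a real deployment would cover the full HIPAA identifier list.
PHI_FIELDS = ("name", "ssn", "dob")


class PatientVault:
    """The separately stored account store: the only component that can map a
    pseudonymous patient_id back to a real identity.

    Tokens are random (secrets.token_hex) and not derived from the SSN, so a
    leaked document store cannot be reversed without this vault. Repeat visits
    are matched through an HMAC of the normalized identity under a key that is
    assumed to live only inside the vault, so the lookup index is useless to
    anyone who obtains it without that key.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key        # assumption: vault-only secret
        self._identity_by_token = {}       # token -> identity fields
        self._token_by_index = {}          # HMAC(identity) -> token

    def _index(self, identity: dict) -> str:
        # Normalize so "Jane Doe " and "jane doe" enroll the same person.
        material = "|".join(identity[f].strip().lower() for f in PHI_FIELDS)
        return hmac.new(self._index_key, material.encode(), hashlib.sha256).hexdigest()

    def token_for(self, identity: dict) -> str:
        """Return the existing token for this person, or enroll a new one."""
        idx = self._index(identity)
        token = self._token_by_index.get(idx)
        if token is None:
            token = secrets.token_hex(16)  # 128 random bits: unguessable
            self._token_by_index[idx] = token
            self._identity_by_token[token] = dict(identity)
        return token

    def identity_for(self, token: str) -> dict:
        return dict(self._identity_by_token[token])


def deidentify(document: dict, vault: PatientVault) -> dict:
    """Strip direct identifiers from a document, leaving only patient_id."""
    identity = {f: document[f] for f in PHI_FIELDS}
    clinical = {k: v for k, v in document.items() if k not in PHI_FIELDS}
    clinical["patient_id"] = vault.token_for(identity)
    return clinical


def reidentify(document: dict, vault: PatientVault) -> dict:
    """Rejoin a de-identified document with its identity; requires the vault."""
    doc = {k: v for k, v in document.items() if k != "patient_id"}
    doc.update(vault.identity_for(document["patient_id"]))
    return doc


def unkeyed_dob_hash(dob: str) -> str:
    """The tempting but broken design: derive the identifier by hashing PHI."""
    return hashlib.sha256(dob.encode()).hexdigest()


def crack_unkeyed_dob_hash(digest_hex: str, start_year: int = 1900,
                           end_year: int = 2013) -> Optional[str]:
    """A date of birth has only ~41,000 plausible values, so an unkeyed hash
    of it is recovered by enumeration in a fraction of a second."""
    day = date(start_year, 1, 1)
    last = date(end_year, 12, 31)
    while day <= last:
        if hashlib.sha256(day.isoformat().encode()).hexdigest() == digest_hex:
            return day.isoformat()
        day += timedelta(days=1)
    return None


if __name__ == "__main__":
    vault = PatientVault(secrets.token_bytes(32))
    # Constructed sample record; not real patient data.
    visit = {"name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-04-12",
             "note": "Follow-up for hypertension; BP 138/88."}
    stored = deidentify(visit, vault)
    print("document store holds:", stored)
    print("vault rejoins to:    ", reidentify(stored, vault))
    print("hashed DOB cracked:  ", crack_unkeyed_dob_hash(unkeyed_dob_hash("1970-04-12")))
```

The document store and the vault should live on different systems with different access controls; the point of the design is that a breach of either one alone discloses nothing usable.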

Utilizing fingerprints, which cannot be lost, stolen or borrowed, and linking them with the unique patient identifier would save the healthcare industry millions, if not billions, of dollars every year. There would be a decrease in regulatory fines, a decrease in patient misidentification and a decrease in medical fraud, all of which should be attractive propositions for any healthcare provider that’s concerned about its bottom line as well as the quality of patient care.