Top healthcare privacy and security myths debunked
Take the right steps to protect your healthcare security data.
Myths and misconceptions continue to create confusion and uncertainty around what’s true when it comes to healthcare security.
A major source of this confusion is the Health Information Portability Access and Accountability Act (HIPAA) Omnibus Ruling of 2013, which specifically called out electronic Protected Health Information (PHI). Previously, PHI had been treated in a more generic sense. The ruling also shined a spotlight on Meaningful Use regulations. With so much conflicting information, it’s important to know fact from fiction so that you can properly protect your patients, staff and hospital by selecting the right ways to securely capture, access and share data. Knowing the difference between reality and myth can mean the difference between sound organizational security and an extensive data breach, which brings to mind the massive hacking breach [1] that Anthem Inc., the country’s second largest health insurer, faced, affecting more than 80 million people.
So why not take the time to clear things up a bit?
With rising concerns and conflicting information, it’s challenging to know which steps to take first to protect your data. That’s why we’ve delved into the top myths about your healthcare privacy and security:
Who has the right to access patient information?
Myth: A patient’s agreement to give their providers the right to access their health information in turn gives those providers the right to share that patient’s health information with others.
✔ Fact: According to health information rights [2], as owner of their healthcare information, patients (or their designees) should know at all times who is accessing and sharing their healthcare information, which includes private data such as Social Security numbers, medical history and date of birth. Patients have the right to restrict access to this information to whatever extent they choose. Properly and securely capturing, accessing and sharing data can make it easier to keep tabs on exactly who is, and who should be, coming into contact with patient information.
If I opt out of Meaningful Use (MU) do I still have to perform risk assessments?
Myth: Providers who opt out of Meaningful Use don’t have to perform healthcare information security risk assessments and are safe from risk assessment penalties.
✔ Fact: Providers who have opted out of Meaningful Use “don’t have to perform risk assessments as part of MU alone; however risk assessments are still required under HIPAA regulations to be performed annually.” According to the American Medical Association [3], if a security breach takes place against a hospital or provider that hasn’t performed a risk assessment, the organization or provider may be subject to steep fines and other financial penalties. Providers can also be charged if a failure to perform such risk assessments is discovered during an audit. Successfully meeting security risk compliance by monitoring the movement of information within your data flow can help you confirm that information is being securely transferred internally and externally.
Who has to undergo HIPAA privacy and security training?
Myth: Only workers directly connected to patient care have to undergo HIPAA privacy and security training.
✔ Fact: According to the US Department of Health & Human Services, each and every person working in a hospital — from executives to the janitorial staff — must have HIPAA training, along with documented proof of such training. Organizations are responsible for defining these policies and procedures and must provide updated versions when changes or clarifications to the regulations are implemented. All employees must also be able to answer questions correctly during periodic updates in order to prove that they are familiar with the latest regulations and policies. Making sure staff is properly trained and aware of all current regulations can help you protect information that is being shared within your organization, as well as outside of your organization.
Are mobile devices a secure platform to store private health information?
Myth: Patient healthcare information such as medical records and patient billing information can be securely entered into and stored on your personal mobile device.
✔ Fact: According to hhs.gov, while certain mobile devices sold by healthcare-specific vendors have been cleared for provider use under HIPAA and other federal regulations, most private phones do not provide the level of security required by federal regulations and could lead to stolen information. The best way to store, transfer and access data is through protected and approved communication systems that have been closely examined to make sure data is flowing securely and efficiently.
With the vast amount of personal information that hospitals and providers are responsible for, it’s imperative that you take the time to protect your patients. The Office of Civil Rights provides access to free HIPAA enforcement training to get you started. Another good place to start is by simply understanding what common misconceptions surround privacy and security so you can make improvements within your data management strategy.
References
1. Health Insurer Anthem Hit by Hackers. WSJ.com. February 4, 2015.
2. Your Health Information Rights. HealthIT.gov. May 2, 2016.
3. HIPAA Violations and Enforcement. American Medical Association. Website accessed Sept. 6, 2016.