Improper disclosure of medical records occurs for many reasons, such as improper maintenance of the records, data security breaches, unauthorized access and so on. Though physicians and other providers are not restricted from sharing the healthcare information required to treat patients, the HIPAA rule holds that healthcare providers, health insurance companies and others involved in administering health care should not share personally identifiable medical information without the express consent of the patient. Lawyers utilizing medical review services must ensure that they are partnering with a HIPAA-compliant medical record review company. All covered entities, including hospital administrators and doctors, have to obtain the written authorization of the patient if they need to share healthcare data with life insurance companies or other external organizations or individuals. Lawyers requesting medical records, whether those of their own client or those of an adversary, must submit a form that is HIPAA-compliant. HIPAA is applicable to any information held or transmitted in any form or medium: paper, electronic and oral.
Dangerous Breaches Even in the Face of Strict Regulation
Why are medical records so sensitive? They contain highly confidential information such as one’s medical history, family medical history, lifestyle information, lab test results, medications prescribed, procedures undergone earlier and other related information.
In a recently reported shocking incident, the private health records and contact information of around 1.5 million Americans were posted to Amazon’s cloud services. There is no clue as to how the breach occurred, and the number of affected patients is unconfirmed. Personally identifiable information such as names, addresses, phone numbers, biological health information and current medications was among the details exposed. The software company that was notified of the breach has warned its affected customers and started an investigation into the matter.
Medical security breaches continue to be a serious concern in America, putting people at considerable risk. Cyber attacks on protected health information have increased 125% since the year 2010, as per a recent study by ID Experts, a data security firm. At least 100 million files are estimated to have been compromised in 2015 with the Anthem, CareFirst, Premera and Excellus breaches.
What is really troubling is that this sensitive data may stay online, available to the public, for an unpredictable period if undetected. In spite of government regulators strengthening oversight by requiring public reporting of such breaches and imposing hefty fines, medical data breaches continue to occur, highlighting the vulnerability of electronic data. Stolen laptops, unencrypted medical records, mailings sent to the wrong destination, missing files, hacked networks, errant emails and so on are some of the major causes of breaches. In some cases, medical facility employees are responsible for compromising patient details. Stringent legislation is vital to crack down on hospital record snooping cases, especially in this age of electronic health records.
The Medical Identity Theft Catastrophe
Medical identity theft is one of the dire consequences of a breach of personally identifiable information (PII). When a person’s identity is used by a stranger to obtain healthcare, his/her health information becomes mixed up with that of the perpetrator, making it literally fatal for the person concerned, especially if the mix-up results in the removal of allergy information or a change of blood type. Another issue arises when a person needs an urgent medical procedure and comes to realize that it has already been obtained by the impostor and is therefore not available.
If a confidentiality breach related to medical records is revealed, the HHS has to be informed of it and a request for an investigation must be made. If the HHS finds any HIPAA violations, it may warn or discipline the agency responsible for the leak, or bring the matter to the notice of the Department of Justice for prosecution.
The law of each state provides victims of medical record breaches and identity theft with the right advice in keeping with the person’s particular situation and jurisdiction.