For most patients, HIPAA will simply be something mentioned in conversation – if at all – in the flurry of signing forms when getting treatment. However, it is a very important piece of legislation, and it is worth being informed about. HIPAA is a very complex document, and most healthcare professionals have to receive dedicated training to understand it and its reach. We are not suggesting such extensive training for all patients. Rather, we encourage all patients to inform themselves about the basics of HIPAA, why it is important and how it affects them.
What does HIPAA protect against?
Regrettably, many people will have had some experience with a breach of data privacy, be it lost cards or stolen personal details. This puts the individual at heightened risk of becoming a victim of fraud. The same can happen when healthcare data is stolen: protected health information (PHI), the kind of data that HIPAA protects, can reach extraordinarily high values on the black market. This makes it a lucrative target for cybercriminals. Additionally, healthcare data has a longer “lifespan” than other stolen details. Credit cards are easily cancelled and reissued once the owner suspects fraud; not so with social security numbers.
With this data, criminals can commit healthcare fraud by taking social security numbers and mismatching them with health records to create a “new” person. They can also make fraudulent claims on another person’s health insurance, or take credit card details to commit financial fraud. All of these things make it more difficult for the individual to access healthcare or health insurance in the future, until the fraud is proven.
These criminals can target healthcare organisations in a number of ways. They can use blunt-force hacking, which targets servers to gain access to large swaths of PHI. They can also gain a backdoor into networks by phishing: sending targeted emails that ask employees for their login details. These emails appear to come from an authoritative source, tricking the recipient. In other scenarios, they may simply steal the electronic devices that store the PHI.
How does HIPAA help?
Many of the above scenarios can be prevented if organisations properly follow HIPAA guidelines. HIPAA emphasises regular risk assessments, enabling organisations and their employees to spot points of weakness and take action to reinforce their defences. The HIPAA Security Rule requires all PHI to be encrypted, so that even if a network is hacked or a device is stolen, the PHI remains unreadable.
The Office for Civil Rights, which oversees HIPAA enforcement, also puts a strong emphasis on employee training. This can help prevent phishing attacks, as employees will be better able to recognise suspect emails. Importantly, all employees will know when PHI can be disclosed, how it should be handled and what to do if a breach occurs.
One important aspect of HIPAA that we have thus far failed to mention is this: HIPAA protects patient privacy. As well as guarding against fraud, this means that a patient’s medical history is kept confidential, only disclosed to authorized individuals if the need arises. Thus, the patient has agency to decide who knows about his or her health.