US Pharm. 2011;36(4):1.
No, I'm not talking about visitors from another planet; I'm talking about people who are out to steal our privacy. I sometimes get the feeling that someone is always looking over my shoulder whenever I have to give out my Social Security number, enter a PIN for my ATM account, use a debit card, or delve into many other areas of my privacy that once felt secure. And that goes for filling out health history forms in a physician's office or providing my intimate health information to some bored clerk who takes my medical history while admitting me to the hospital. Somehow I don't feel that my privacy is being protected in a doctor's office when the person behind the desk pulls my information form off the clipboard and inserts it into a file folder that can easily be accessed by just about anyone who works in the office or, worst-case scenario, that is not locked up at night and can be seen by the cleanup crew that comes in hours after the lights are turned off. But wait, that couldn't possibly happen in the case of hospital admissions, could it? Yet they immediately input everything you tell them into their computer database so that it can be retrieved by just about anyone who wears a name tag or has a password, and we all know how secure passwords are. Some say HIPAA is a joke, but no one is laughing.
While the U.S. Department of Health and Human Services (HHS) stopped short of calling HIPAA a “joke,” the agency apparently didn't think it was a very effective law either by virtue of the fact that the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed. This law allows the HHS secretary to impose civil monetary penalties for violations. Before HITECH, the secretary could not impose a penalty of more than $100 for each HIPAA violation or $25,000 for all identical violations of the same HIPAA provision. Under the HITECH Act, penalties are tiered, with a maximum penalty of $1.5 million for all violations of an identical provision. While the actual fines are based on whether or not there was “willful neglect,” fines could range between $10,000 and $50,000 per violation.
So I thought this law would make me feel better about my privacy, particularly as it relates to my health care records, right? Well, that security blanket was rudely ripped off when I read about a recent study conducted by Kaufman, Rossin & Co., one of the largest independent accounting firms in Florida. It uncovered that the personal health information (PHI) of millions of individuals had been compromised as a result of 166 data breaches during HITECH's first year. Just 7 months after the law was passed, the study revealed that 500 individuals who breached data had been reported to HHS. But here is the kicker: Those breaches represented 4,905,758 individuals whose PHI had been compromised! The largest of those incidents exposed 1,220,000 individuals as a result of the theft of an unencrypted laptop. I wonder if it was the same laptop used by the woman who recently admitted me to the hospital for surgery? While the vast majority of breaches were associated with unsecured computerized hardware such as desktop computers, laptops, and portable electronic devices, other breaches involved paper records, postcards, mailings, and CDs.
What this tells me is that it is incumbent on every pharmacist to remain vigilant about enforcing HIPAA privacy regulations, and that patients must be their own advocates regarding the privacy of their medical records. In the final analysis, when it comes to medical record privacy, we are probably not alone.
To comment on this article, contact editor@uspharmacist.com.