Spotlight On: How Safe Are Your "Electronic Medical Records" From Hackers?

Updated on May 9, 2014

Your Electronic Healthcare Records

What is HIPAA?

HIPAA is an abbreviation for the "Health Insurance Portability and Accountability Act of 1996."

What does it do for you?

HIPAA protects any AND all of your personal identifying health information which is either held in a file or transmitted in any form of media, whether electronic, paper, or oral.

What does "personal identifying health information" cover?

This is information about your past, present or future mental or physical health condition, the type of health care you receive, the payments you make for it or receive regarding your health care provider, and your demographics, which are your name, age, social security number, address, phone number, birth date and any other information which can directly lead back to you personally.

Who has to abide by HIPAA rules?

Anyone who requests your personal identifying information is required to safeguard it and to provide you with written HIPAA rules (usually requiring your signature) at every instance or transaction. These entities may include but are not limited to:

  • Your physicians and specialists, including any healthcare provider under their supervision such as Nurse Practitioners and Physician Assistants, and their office and medical personnel
  • Hospitals and nursing homes and their employees, including maintenance and housekeeping employees
  • Your healthcare insurance plan and their employees (no exceptions)
  • Healthcare clearinghouses (companies who are transcribers or interpreters of healthcare data, charts and reports, including laboratory and imaging tests, which are transcribed from dictation, handwritten notes or laboratory printouts) and their employees (no exceptions)
  • Pharmacies and their employees (no exceptions)
  • Medical supply houses and their employees (companies who provide you with durable goods and medical supplies such as diabetic supplies)
  • Many but not all medical research facilities who conduct research using humans and their data


Linked story of another hack

This link has an interesting story from March 2012 that I can't recall ever hearing about. It was in Utah when social security numbers and other personal info was hacked.

Your Medical Privacy At Risk

As previously stated in my hub Spotlight On: Doctors Office Visits - Do You Get Your Money's Worth?, all health care providers are required to transfer patient medical records from paper to electronic health records (EHRs). This is because in July 2010, the CMS (Centers for Medicare and Medicaid Services) created the Medicare and Medicaid Electronic Health Record Incentive Program, which was written as part of the HITECH Act of 2009 (Health Information Technology for Economic and Clinical Health).

There are even some very attractive monetary incentives to get physicians to do it. These incentives are paid until the end of 2021 at the latest (see graphics below).

The financial program payouts will be received only if the healthcare provider

  • can show "meaningful use," which in essence means showing that he has mastered each step of how to use the EHR program, and
  • falls under the 30% rule for Medicare and the 20% rule for Medicaid.

Providers receive the bonuses when they come into compliance on each step of the program, as outlined in my other hub.

As much as everyone was concerned about HIPAA in the 1980s, which became a law in 1996, and required more revisions in 2005, very little thought and emphasis went into implementing HIPAA protection into this program.

As new events come to light, it seems that protecting your medical privacy was not as important as getting this program under way ASAP. I guess they wanted to make sure the money incentives didn't run out before they put too many rules into the program.

A Hacker's Dream

Requiring medical practices to be on all EHR (electronic health records) systems puts us all at risk of cyber criminals. Since we've had to protect our credit card and bank information so fiercely, how will we ever protect our medical information when we have to trust it in the hands of otherwise incompetent, inexperienced, non-computer savvy people, like our doctors? Most know medicine, not computers.

Some practices have done away with paper charts altogether which in my opinion is silly. Even the most inexperienced computer person knows to keep paper copies of important documents after entering them into a computer.

Unfortunately, having "live online" patient information has provided a wonderful environment for cyber-criminals to exploit patients, mostly because this new EHR program did not safeguard your personal information as you yourself would do on your own personal computer with virus protectors, firewalls, malware scanners and other programs to deter invaders.

The firewalls and other technology safety measures were not in place to protect the records at the same time the mandate was issued to health care providers to get on the ball with the transfer of paper records to enter into their own computers.

Many computer savvy professionals predicted long in advance that criminals would see electronic patient records as a great opportunity for hacking and theft, even to the point of selling records for profit.

Well, it came to pass.

Referring to a SANS Healthcare CyberThreat Report dated February 20, 2014, the FBI's Cyber Division issued a memo confirming that three vulnerable information technology companies were hacked by cyber criminals, who sold each patient record to parties who normally would have no business knowing a patient's personal medical history.

The report did NOT mention accessing Obama's healthcare.gov website and I find that really interesting since, to me, that is the site which would be the hacker's dream, given the supposed high numbers of people who flooded the website so it crashed several times due to overuse.

Regarding the links in the above paragraph: Because in my past experience, the FBI has routinely re-classified documents after de-classifying or issuing them as un-classified, I took a screenshot of the above referenced FBI memo to have for posterity. Screenshot follows this paragraph.

FBI report 4 8 2014, two pages - links are disabled to clicking

FYI only from other hub: Incentives paid to healthcare providers to convert over to electronic recordkeeping

Medicare payments to healthcare providers for going over to all electronic recordkeeping
Medicaid payments to healthcare providers for going over to all electronic recordkeeping
Who qualifies for the financial incentives

Qualifying For Incentives for Electronic Health Recording

If you read this in the other hub, skip to next section.

The qualification schedule was written into law as such:

80 percent of physician practices or medical institutions (see chart below for qualifying entities) providing services or treatment in practices

  • whose income comes from at least 30% of their patients on MEDICARE or
  • whose income comes from at least 20% of their patients on MEDICAID

must convert over to all electronic charting by the end of 2013, and the remaining 20 percent must come into compliance by the end of 2014. While doing this, they must still maintain paper charting for up to ten years or until 2021.

There are exceptions. Of Course! After all, this is government we are talking about here.

Updated info:

  • A healthcare provider, practice or health center can include "other needy individuals" even if they don't have Medicaid or Medicare to be able to qualify for the incentives you see in the chart below.
  • This includes patients who get free care from a healthcare provider, or reduced costs based on a sliding scale determined by the person's ability to pay per income brackets or medical assistance from Medicaid or other government program, including Children's Health Insurance Program.

EHR has "gaping holes in security"

The technical director of Johns Hopkins University's Information Security Institute, talking about EHR systems, said he has "never seen an industry with more gaping security holes."

So ... what was the extent of the hack?

According to a Forbes report dated February 20, 2014, NORSE (a threat intelligence vendor who identifies threats for governments and private industry) issued their report which was analyzed by Barbara Filkins who works for SANS as an analyst and healthcare specialist. It states:

"The data analyzed was alarming. It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen.

During the sample one year period [09/2012 to 10/2013], the Norse threat intelligence infrastructure – a global network of sensors and honeypots that process and analyze over 100 terabytes of data daily – gathered data. The intelligence data collected for this sample included:

49,917 Unique Malicious Events
723 Unique Malicious Source IP addresses
375 U.S.-based health-care related organizations were compromised

A SANS examination of cyberthreat intelligence provided by Norse supports these statistics and conclusions, revealing exploited medical devices, conferencing systems, web servers, printers and edge security technologies all sending out malicious traffic from medical organizations. Some of these devices and applications were openly exploitable (such as default admin passwords) for many months before the breached organization recognized or repaired the breach. -- Barbara Filkins – SANS Analyst and Healthcare Specialist"

I don't know about you, but that should have been a fireworks in the sky, all out red alert, super blast to all the news stations in order to get the word out to warn people that their medical records have been infiltrated and are no longer safe.

The public should have been told to be on the alert for unusual changes in their everyday use of credit cards, PIN numbers, online banking and other online accounts that act suspiciously as if maybe they were being used by someone else, or someone else was speaking for or as them, or possibly impersonating them in different venues.

I don't like the words "malicious" or "compromised." Those two words alone in any report regarding people's personal data should have been made public in a big way, not buried in with the Evening News the way so many other things get buried these days.

The only report I saw was at the following link on April 19, 2014, which was 10 days after the hub I wrote warning of the Heartbleed bug.

"Obamacare Enrollees Urged to Change Passwords Over Heartbleed Bug" - A little bit offered, a little bit too late.

Paper records should always be kept as backup in case anything happens to electronic records. While they can also be a security breach, history has shown less of a breach with paper than the track record so far with electronic records

So......how much do hackers get paid for YOUR information?

According to the FBI's information regarding records hacked from one hospital website and a stolen physician laptop, the hackers' going rate right now is $50 per chart. However, the bigger the chart, the higher the payout rate. The more well known the patient, the higher the payout rate too. Who says it doesn't pay to be famous? Unfortunately, the wrong people are getting paid in this instance.

Dr. Steven Waldren, an information technology expert and a physician strategist with the American Academy of Family Physicians, said that organizations that are the most attractive to hackers are small community hospitals and small physician offices. He cites that they really don't have the money to make investments in securing patient data like larger hospitals do.

Referring to the charts below (which were also featured in my last hub on this subject) I wholeheartedly take issue with that statement since the high incentives paid to practices with 30% Medicare patients from 2001 to 2016 and for 20% Medicaid patients until 2021 more than amply provide funds that can be used toward protecting their medical records against invasion by viruses and cyber criminals.

I think what is lacking here is pure and simple. Health provider education. It is another case of government dictating what we have to do to keep up with the times, paying large amounts of tax dollars to implement it and basically throwing people into the system without educating them on the how and wherefores to do the actual work.

It is akin to government assuming that healthcare providers already have basic computer knowledge, assuming they already know how to protect their personal computer from invasion - so why waste time on the education process and just whisk them all into the mandated "everyone has to be on electronic recordkeeping by the end of 2014?"

It is ridiculous and it is totally irresponsible of the government mandating them to comply and of healthcare providers not even taking simple precautions to safeguard your personal information.

When HIPAA came into effect, people actually lost their jobs for violating patient confidentiality if even one little piece of your personal information escaped their lips, for example, your diagnosis or your medication list.

Computer safety programs were installed in hospitals who were already using electronically generated reports (Faxed or emailed) which were heavily laden with the HIPAA statement either at the beginning, end or a full page of HIPAA mumbo jumbo that patients are still required to sign today when they go to the doctor's office, a testing facility or enter as inpatient to a hospital. Do they read it? No, because it has become acceptable practice to assume our personal information is safeguarded by HIPAA and we have the opportunity to seek retribution if they violate the HIPAA laws.

So what will happen when a hospital gets hacked or another physician's laptop is stolen?

The same thing that has happened ever since lawyers became popular ... lawsuits.

On April 25, 2014, there was a financial settlement of $1,975,200 in the case of stolen laptop computers which resulted in a breach of HIPAA guidelines. At fault were Concentra Health Services in Springfield, Missouri and QCA Health Plan in Arkansas.

So....what do the hackers do with your information?

On Wednesday, April 23, 2014, the FBI warned healthcare providers (the report does not say exactly WHO or HOW they warned them) that their cyber-security systems are vulnerable to attacks by hackers who are searching for personal medical records and insurance data.

They went on to cite that health data is more valuable to hackers on the black market - even more than credit card numbers - because the details can be used to access anyone's bank account and even get prescriptions for controlled substances ....drugs. They do this by impersonating people with diseases in order to get prescriptions.

Other hackers are solely interested in medical information for financial gain - to submit claims to insurance companies on behalf of a patient for payment of treatment and ongoing care. Insurance companies find this feasible because the billed claims are not questioned because the patient diagnosis and information matches the treatment.

And there are still other hackers who are interested in a patient's information to make it easier to get away with Identity Theft so they can open new accounts, which may or may not hold ill gotten gains from financial payments from insurance claims as mentioned in the previous paragraph.

Health information is organized into packages called "fullz" or "kitz" on underground rings where they can get as much as $1000 if the "package" contains a complete set of documents regarding a victim's personal information, all of which are counterfeited over and over again.

FBI spokeswoman Jenny Shearer said that it takes victims of a healthcare information breach a long time to figure out that someone accessed their information and even longer to figure out HOW it was accessed, because the information is used in so many different ways.

A surgeons' group practice had its internal client network hacked; medical records were held for ransom

This is why it is so important NOT to use an Internal Client-Network and to use a Cloud server. Hackers infiltrated the server where e-mails and electronic medical records were stored, ultimately held patient records for ransom. It was not paid.

What your healthcare provider can do to protect you

As much as these articles featured in the links let you think that you are at the mercy of your physician (in more ways than one), there are some things they can do to protect you.

The hard part is getting them to do it.

Copy and paste this next section to a Word Document, and DO NOT be afraid to hand it to EACH of your doctors and their Office Managers. These are measures that your healthcare provider can do - even if he is a private practitioner with no other healthcare providers in his offices. Each statement addresses your provider directly.

1. Keep software up to date with "patches" that are offered by the vendors of the software EVERYONE IN YOUR OFFICE uses. It will plug up the holes that hackers use to access your computer, laptops, smartphones, faxes and other electronic systems (internet and interoffice email, databases, online accounts).

2. Only install the applications you need to use to store and update patient data, and for transcription and billing practices on your office computers (including any laptops and Smartphones that travel out of the office or between offices). There is no need for recreational programs which most likely have to be downloaded from an external website.

3. DO NOT allow employees to use any type of "instant message" program or inter-office email system on YOUR equipment which has to travel over internet lines.

4. DO NOT allow employees to visit websites or access personal email using any of YOUR office computers, smartphones or laptops. Emails disguised as professional can turn out to be Paypal scams, Nigerian scams, Password update scams, and other sites engineered to coerce the user to enter personal information to access what looks like professional or company website.

5. DO NOT allow any employee to copy patient data to a "take home laptop" or any laptop which "travels between your office locations."

6. Invest in a program that encrypts data on your computers, laptops, smartphones and other mobile devices.

7. Talk to your billing software vendors and your EHR (Electronic Health Records) vendor about whether there are periodic updates to your present equipment and programs.

8. Make rules and stick to them for yourself and all your employees for "physically securing" mobile devices and laptops while they are in a vehicle. Encourage safe care practices, like using the trunk or keeping the device with them at all times.

9. For a wireless network in your office which is needed to transmit documents and files electronically, ask your software vendor (ask several) about the best programs they can offer to keep your patient data safe.

10. If you have an EHR system that runs on a client-server network IN your office, consider changing to a Cloud system and put a password on it. If you choose not to use an outside vendor to maintain and protect the Cloud server, change the password weekly to keep data safe.

An "in office client-server network" makes it very difficult for your business to keep patient data secure because you can't be observant 24/7. While a Cloud based system may look tempting for hackers because of the volume of information stored on it, especially if the information is from multiple offices or healthcare practices, it is easier for the vendor you use to protect that system because he has more personnel and resources to keep it safe.

This link will lead to a site which offers free training materials for healthcare providers to safeguard patient information, especially on mobile devices.

On April 25, 2014, there was a financial settlement of $1,975,200 in the case of stolen laptop computers which resulted in a breach of HIPAA guidelines. At fault were Concentra Health Services in Springfield, Missouri and QCA Health Plan in Arkansas. You could be next if you don't have at least minimal safeguards in place to protect your patient records.

Final thoughts

Your social security number has become your identifying number to locate you and your records anywhere in the world.

And it is not even a secret anymore.

Update: 4/30/2014 - 4PM PDT

Most efforts to protect it will be in vain. Here's what I do to help do my part and I offer it as a suggestion to readers.

Use index cards to keep your personal information on, so when you have eyes over your shoulder or have a queue behind you waiting their turn, you can hand the index card to the person you want to provide certain information and make sure you get it back when they are done with it.

Try not to repeat any of your identifying information out loud so it is overheard.

Keep several index cards - one with healthcare info and one with social security number, date of birth and one credit card.

If you pay for healthcare visits with credit card, try to keep one credit card for those payments and list it on your healthcare index card so you don't have to jockey credit cards around to change the info on your index cards.

Remember: All anyone needs is your social security number, your phone number or your insurance company name to identify you when similar names to yours show up in online searches.

About the video which follows:

Skip the last 15 seconds because the video person got carried away with very loud emotion. Please take about seven minutes to view this entertaining but very important video by Identity Theft Expert Robert Siciliano.

He details some interesting facts (some of which I have previously presented in my Password Protection and ATM Shoulder Surfing security hubs, some which are new information and some which bear repeating) on more ways your pertinent information is accessed, then used to change your bank, credit card and social network passwords on various accounts. He puts a face to one thief in the beginning of the video whose stats are shocking.

Thank you for reading my article. Your opinions are welcomed and your sharing of this article is appreciated so others can be made aware.

"Must See" Shocking (really) Video on Identity Theft by Expert Robert Siciliano

Thank you for not copying my article.

Copyright Notice

© Rachael O'Halloran. April 29, 2014 All Rights Reserved.

No part of this article may be reproduced without prior permission from the author. Use the following link to refer to this article. Do Not Copy. TYVM

http://rachaelohalloran.hubpages.com/hub/Spotlight-On-How-Safe-Are-Your-Electronic-Medical-Records-From-Hackers

Comments

  • billybuc

    Bill Holland 3 years ago from Olympia, WA

    Great information and suggestions. We can never be too careful in today's world. Thank you for this.

  • WillStarr

    WillStarr 3 years ago from Phoenix, Arizona

    I have an appointment today with my doctor. They want me there 45 minutes early to fill out the paperwork required for the new system.

  • RachaelOhalloran (Author)

    Rachael O'Halloran 3 years ago from United States

    #billybuc

    It was a lot to digest, so thank you for reading :)

  • RachaelOhalloran (Author)

    Rachael O'Halloran 3 years ago from United States

    #WillStarr

    We can only hope once they get their act in gear that safety of electronic records, early arrivals and long waiting room times (see other hub) will all get better with time. It can't get much worse.

    Thanks for reading.

  • FlourishAnyway

    FlourishAnyway 3 years ago from USA

    I have opted out of my doctor/hospital system's online patient communication system for security reasons. They're still keeping the information in the database, but I don't want links going back and forth. I'll just call them for test results, prescription refills, simple questions, etc.

  • RachaelOhalloran (Author)

    Rachael O'Halloran 3 years ago from United States

    #FlourishAnyway,

    Ok, naturally I have a few questions. lol

    Do you sign the HIPAA statement? If so, this allows transmitting of your EHR and test results.

    If not, then what happens when you go to a doctor and your test results need to be accessed immediately while you are sitting in front of the doctor?

    What happens when you want to change doctors and one doctor must forward your chart to another?

    While I believe opting out is a good measure, I can't help but wonder if opting out isn't a full time job keeping on top of medical entities to make sure they don't share your info.

    With serious illnesses like Cancer, Leukemia, stroke, MS and Lupus to name a few, I believe it is as important as ever to protect medical records from the wrong eyes. If we had stronger laws in place years ago, I have a few friends and a husband who would not be out of a job because of shared information going to the wrong people. Even awordlover's experience she documented on a hub is a nightmare in abuse of shared information. My husband had a stroke, went thru months of rehab and was given approval to go back to work and he couldn't get hired by anyone because the knowledge was out there - he was a risk.

    So while I think opting out is a good idea, I can't help but wonder if opting out truly is what it means because somewhere there has to be information in a database if only to say 'this patient opted out.'

    Policing the medical community to safeguard any type of information belonging to us - as you can see from this hub - is a losing battle because whether it is paper or EHR, someone will find a way to get the info if they want it bad enough. We can only hope it doesn't devastate our lives in employment, financially, or physically.

    Thank you for your comment, and although I will understand if you don't want to answer any of my questions, I hope you will. :)

  • DDE

    Devika Primić 3 years ago from Dubrovnik, Croatia

    In Croatia the doctor usually contacts the patient or the patient is called upon for test results. An informative hub and you made such important points here even with hospital records one has to be so careful.

  • RachaelOhalloran (Author)

    Rachael O'Halloran 3 years ago from United States

    #DDE

    We are called to be given test results here in USA too, but some doctors have the $$$ in their eyes and insist on patients coming back to their office to get their test results in person. Others won't even speak about it on the phone because of being overheard in their environment and still others don't care one way or the other.

    I work in healthcare and I'm still surprised at how much information I am given when I go out to people's homes for Hospice care. I know as much about them as they know about themselves and do I need to know all of that information? No. I don't need to know all their childhood diseases, their surgeries from long ago, and their genealogy health history if all I am providing is end of life care. But because it is in their records, it all goes with the chart that the provider sees (whomever that is - nurse, doctor, NP or PA) whether all of the info pertains to that level of care or not.

    Thank you for your comment. If you ever decide to write a hub about the health care system in your country, I'd be interested to read your hub about it.

    Rachael

  • breakfastpop

    breakfastpop 3 years ago

    You did a fantastic job explaining this problem. I don't believe any of our information is safe in today's world. Right now, as I write this, somebody somewhere is trying to hack into something! Voted up all the way except beautiful and funny. The entire situation is ugly and it makes me want to cry!

  • WillStarr

    WillStarr 3 years ago from Phoenix, Arizona

    Just look at all the 'closely guarded' secrets Bradley Manning and Edward Snowden (two low ranking guys!) were able to easily steal. Thousands of low ranking people will necessarily have easy access to our medical records, so our security is non-existent.

  • RachaelOhalloran (Author)

    Rachael O'Halloran 3 years ago from United States

    #WillStarr, I agree with you. Security is a big business in today's world and unfortunately the pendulum swings both ways:

    1) those who try to keep some semblance of security safeguarding our records, our everyday activities and ways to keep security measures updated and,

    2) those who worry their days away looking for ways to crack those efforts.

    Thank you for revisiting this issue.

    Rachael

  • RachaelOhalloran (Author)

    Rachael O'Halloran 3 years ago from United States

    #breakfastpop

    I agree that any and all of our personal information is at risk every day.

    Security (personal and national) is just a figment of governmental imagination which they have implanted into the minds of citizens, trying to brainwash them into believing they have their best interests at heart.

    They don't.

    The Heartbleed bug is a good example. It was in place for two years and wasn't revealed to the public until April 9th. It was admitted that the bug had been in place that long and only discovered by an observant analyst.

    How observant was he/she that they didn't notice it for two years?

    And, how was it known that it was in place for two years if they didn't know about it in the first place? Something is very fishy about that whole incident.

    To label it a bug is another anomaly. If something invasive takes personal information away from you, it is a hack. Pure and simple.

    Calling it a bug was just another way to stave off public alarm so that a big stir wouldn't be caused with people flooding credit card and bank websites to change their passwords and security questions.

    Our security is always in jeopardy and it has been proven over and over again, every time there is a breach of databases and when homegrown and international spies are exposed for stealing government secrets.

    It all revolves around security and the old saying "You can't be too safe" is very true.

    Security is certainly an issue many people need to worry about as more and more of our identifying information is breached or circulated with other records. In my opinion, our security will always be up for grabs to the next best hacker. Thank you for voting so nicely, for your compliments, and for your views.

    Rachael

  • breakfastpop profile image

    breakfastpop 3 years ago

    Dear Rachel,

    You are quite welcome. I am going to share your hub with my followers. It is vital for people to get up to speed about this matter.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #breakfastpop, Thank you. I believe sharing is one of the best ways to promote hubs. TYVM

  • fpherj48 profile image

    Paula 3 years ago from Beautiful Upstate New York

    The hard core facts of reality are: NOTHING is private and NO ONE is safe or protected. This is tough to accept, but it is the plain simple truth. You know it, I know it and everyone else does or should!

    What one can't see or hear or experience personally, they can go to FB, any blog, Twitter, or random social network site. Maybe do a "People Search" where for a few bucks you are privy to every last thing about anyone.

    The "people" who transfer our "private data" into electronic files ...well, guess what? They're human beings. LOTS of human beings.

    It is 100% foolish and naïve to think for one moment that our info is private. The mere assumption is ludicrous.

    I stood in line, behind a patient at the front desk in a small medical office...all 6 chairs were occupied. The person/receptionist asked for the following information from the woman in front of me: name, address, phone #, insurance co. and membership ID #, current medications, surgeon's name, next of kin, date of last physical, mammogram and colonoscopy... At one point I looked at the people seated and every one of us had a look of disbelief on our faces!! HIPAA laws? Privacy?? Are you kidding me?

    This is a joke. I not only hold the receptionist responsible......how dense was the woman providing her private info out loud in an office full of people??? Sometimes people just do not THINK!!

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #fpherj48

    I have experienced the same type of incident you describe in a doctor's office and at the outpatient desk of health care facilities. To remedy having to speak out loud, I keep several index cards with pertinent information I need to provide in order to continue getting healthcare services or information I need to provide in different arenas - for example in a bank or other financial institutions.

    One index card has nothing but healthcare data most often requested, one index card has just name, address and phone number, another has same with social security number and date of birth, etc. I am selective about who I give it to and I'm exceptionally careful about speaking to answer.

    As I said in my article, it is only one way to do our part to safeguard our information. By no means is it entirely safeguarded, nor will it ever be.

    I agree with your comment and thank you for reading my article and voicing your opinion.

    Rachael

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    This hub has been updated as of 4/30/2014 at 4PM PDT

  • AliciaC profile image

    Linda Crampton 3 years ago from British Columbia, Canada

    This is very interesting and scary information, Rachel. Your hub is very important for everyone. We all need to be aware of the security - or lack of security - involving our medical records.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #AliciaC

    It will only get scarier as time goes on and as breaches continue to occur. We cannot depend on other entities to safeguard our information so it is best that we do all we can on our part to keep it close to the vest.

    My index card method is not the best system but at least it is something to have in place, which is better than nothing. Each time I use it, that is one less time I have to say out loud anything I don't want the people behind me in line or people in the waiting room to hear.

    Thank you for reading my article and for your comment.

    Rachael

  • vkwok profile image

    Victor W. Kwok 3 years ago from Hawaii

    These days, there is just too much danger of our personal information being stolen.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #vkwok, Yes there is. It is best to do our own part in keeping our info close to us and be careful whom we share it with.

    Thank you for reading my article,

    Rachael

  • carrie Lee Night profile image

    Kept private 3 years ago from Northeast United States

    Interesting hub :) I work for a large medical group that is part of a hospital organization and I can honestly say the IT department works very hard every day to secure patients' personal health care information. It is necessary to mention nothing will be 100% safe. This is the cost of technology. Just want to add the correct spelling is HIPAA not HIPPA. (I have made this boo boo before too :) Thank you for sharing such an important issue facing healthcare.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #carrie Lee Night,

    I can't believe I did that, not once but 14 times! I wasn't even thinking about it, just kept making the same error over and over again. Thank you for pointing it out, I just edited it all and fixed each one.

    I agree. Our records and information will never be 100% safe.

    Thank you for reading my article, and for helping me with quality control. lol

    Rachael

  • teaches12345 profile image

    Dianna Mendez 3 years ago

    With all the identity theft these days, it is yet another concern when we consider the safety of our health records. The HIPAA laws do help to prevent lots of illegal activity and help keep confidentiality. Great coverage on this issue.

  • RachaelOhalloran profile image
    Author

    Rachael O'Halloran 3 years ago from United States

    #teaches12345

    Thank you for reading my article. HIPAA can only do so much, human error accounts for most of the violations of our privacy and as long as we are all human, there will be breaches. Thank you for commenting. :)
