The Importance of Health Privacy to Brand Reputation

Electronic health records (EHR) improve the safety, communication, and efficiency of patient care. Most healthcare systems in the United States have adopted some form of electronic health records as part of their global operational plan. As patients become more tech-savvy and expect interoperability between health-related platforms, institutions must consider the importance of privacy and confidentiality. Being able to maintain the confidentiality of protected health information is as important to your brand reputation as your logo and marketing materials.


Importance of Electronic Security

Hackers are everywhere. They attempt to gain access to banking institutions and credit card companies, and even attach skimmers to gas pumps to collect account information one card at a time. On the black market, your Social Security number is worth about 10 cents, and your credit card number will go for 25 cents. However, a fully intact EHR is worth hundreds or even thousands of dollars to a hacker. Why such a vast difference, you ask?


A single EHR is a gold mine of information. It contains demographics such as your name, place of employment, Social Security number, residence history, the names of relatives, and financial information. Sensitive data like cancer diagnoses or the presence of infectious diseases can be obtained and used to extort money from you. You might even think that you’re safe when using certain sites or companies, such as a private STD testing provider. However, it’s critical to understand that this data is still vulnerable. If this sensitive data is stolen, the person on the other end of the computer has details about your life and medical records that you can’t change as quickly as you can an account number by calling the bank or Social Security office.

Finding the Breach

Between 2009 and 2018, nearly 60% of the health records in the U.S. were stolen, exposed, or disclosed without permission. The government collects statistics on breaches under newer regulations and publishes data each year to reveal the severity of the issue. You might be imagining dark rooms full of hackers when you think about these numbers, and this is partially true. In 2018, 43.29% of all healthcare data breaches were hacking/IT incidents. However, just over 39% of all breaches were due to unauthorized access or disclosures by healthcare staff.


Most patients believe that their health information is safe in the hands of healthcare employees. Doctors, nurses, and therapists receive training in school and from their employer about the importance of privacy. Sometimes, though, employees are careless or even downright nosy and go searching for information about a patient. Other ways information is breached include staff such as nurses misusing social media, non-professional staff being assigned incorrect levels of access, or the entire healthcare system making decisions that put patients’ private records in jeopardy.


Privacy and Brand Reputation

Many healthcare companies think of health privacy, EHR maintenance, and brand reputation as separate business functions. However, when healthcare companies must disclose breaches or pay million-dollar fines, patients pay attention. In 2018, the University of Texas MD Anderson Cancer Center paid a civil monetary penalty of $4,348,000 for impermissible disclosure of electronic private health information and the lack of encryption. Anthem, Inc., one of the leading health benefits companies in the United States, agreed to a $16 million settlement in October of 2018 for risk analysis failures, insufficient review of system activity, and other types of health data breaches.


The issue of breaches isn’t one of “if it happens,” but rather, “when it happens.” Because of this, most healthcare organizations create policies and procedures that help them mitigate damages. But even the most comprehensive systems can only go so far when dealing with the repercussions. Prevention is always the best remedy.

Know Best Practices

Whether you’re an entrepreneur looking for brand reputation management or a large healthcare corporation, instituting best practices for confidentiality is critical. Provide comprehensive training to all staff so that they know how to handle private data. This should include safeguards against sharing sensitive data with coworkers and others unless they need it for their work duties. Another protection strategy is to teach all employees to close computer programs that contain private information when not in use and to lock electronic systems anytime they walk away.


While most breaches happen with electronic data, paper charts, faxes, and other printed materials still pose a risk and should be included in your best practices. HIPAA-compliant shredding is an essential process to teach your employees. Here are a few types of documents that are covered under HIPAA laws:

  • Forms with name, data, geographic identifiers, or phone numbers.
  • Medical record numbers.
  • Information such as fingerprints, retinal scans, or other biometric identifiers.
  • Social security numbers, account numbers, or other identifying account numbers.

Planning Ahead

Your institution’s brand reputation management procedures should synchronize with your electronic health record privacy practices. Whether a consumer is searching for your recent survey results, fines you’ve paid, or your social media presence, it should all flow together to provide an overall reputation that keeps private patient data how it’s supposed to be — private. Use this information to create a plan for your company that integrates your brand reputation and privacy policies to keep patient data safe and your company performing well.