Healthcare Technology Featured Article

June 19, 2017

What Hospital Administrators, Staff and Patients Get Wrong About HIPAA

Patients see media reports about hacking incidents at hospitals, doctors’ offices and other healthcare organizations and rightly worry about the safety of their personal information. The recent global ransomware incident that affected the National Health Service in the UK and others was only the latest in a string of malware attacks perpetrated against healthcare organizations worldwide.

As a matter of fact, the Department of Health and Human Services reported that WannaCry ransomware still threatens our nation’s hospitals, and that two large multi-state hospital delivery systems “are continuing to face significant challenges to operations.”

Patients have an ally in the fight to protect their privacy and personal data: The Health Insurance Portability and Accountability Act — HIPAA — provides robust privacy standards to govern the handling of sensitive patient data. It functions as a Patient Bill of Rights, but unfortunately, most patients don’t realize that, and too many healthcare organizations don’t meet their HIPAA obligations.

Because too few providers fully understand their obligations under HIPAA, and too few patients act on the protections it offers, patient data is at grave risk. The Identity Theft Center notes that, just in the first three months of this year, more than 80 healthcare breaches occurred, exposing information from over 745,000 patients. Nearly 60 percent of the reported breaches happened at a healthcare organization.

Last year, healthcare data breaches compromised more Social Security numbers than any other industry, according to Healthcare Informatics. Employee error or negligence was responsible for most data breach incidents, and since healthcare information is valuable to hackers, the healthcare industry will remain a top target. Here are five ways healthcare organizations inadvertently expose data:

  1. Sign-in sheets: Many offices still use sign-in sheets, where patients record their names upon arrival at the doctor’s office. Every patient who signs in can see the names of other patients on the sign-in sheet, which is a HIPAA violation. It’s unlikely to cause much harm, but it’s a noncompliant practice, as is exposing patient names to nonauthorized personnel via a computer screen.
  2. Poorly designed practice management or EHR software: Many practices use practice management or electronic health record (EHR) software that requires all employees to use a browser, which puts vital health data at risk. Practices that don’t limit employee access to email also put patient data at risk. Doctor to patient emails must be encrypted unless the patient authorizes otherwise in writing.
  3. Inadequate data security: Patient data must be encrypted by the practice management software or monitored by a security professional whether it is at rest (i.e., on a server) or in motion (i.e., in transit via email, etc.). If a practice can’t house all sensitive information on a single database (including emails, faxes, etc.), or if they maintain patient data on numerous computers inside and outside the office, every device must be monitored by an employee who serves as a HIPAA privacy officer. Too many healthcare organizations do not comply with this practice, putting patient data at risk.
  4. No Business Associates Agreements: Healthcare providers work with third-party organizations to accomplish many tasks, and often, data sharing is a necessary part of the business relationship. But in these scenarios, it’s important for the healthcare provider to safeguard patient data by ensuring that business associates understand and comply with obligations. Too many neglect that responsibility.
  5. Platforms vulnerable to ransomware: As underscored by the recent “WannaCry” ransomware attack, healthcare organizations are vulnerable to having their data hijacked by cybercriminals, who demand a ransom to decrypt files. Data stored on Windows and Linux servers onsite and at remote server farms is uniquely vulnerable. Mac operating systems and macOS-native practice management and EHR software has not fallen victim to ransomware attacks, demonstrating that Mac is a safer platform.

Patients who want to be proactive about protecting their data should ask providers what steps they take to safeguard patient information, keeping these vulnerabilities in mind. And healthcare providers, administrators and staff should make sure their organizations are HIPAA compliant. Compliance not only protects data for the patients’ sake, it reduces the possibility the organization could be fined.

HIPAA contains robust provisions to protect sensitive patient data. But until all administrators, staff and patients understand how the legislation works — the responsibilities it designates to providers and the privacy assurances it offers to patients — that protection will remain illusory.

About the Author

Mark Hollis, CEO and co-founder of MacPractice, Inc., developer Mac and iOS native MacPractice software with 30,000 users, was practice management consultant to more than 600 practices in the New York Metropolitan for 25 years before cofounding MacPractice in May 2004.

Edited by Alicia Young
Get stories like this delivered straight to your inbox. [Free eNews Subscription]
By Special Guest
Mark Hollis, CEO and co-founder of MacPractice, Inc. ,


FREE eNewsletter

Click here to receive your targeted Healthcare Technology Community eNewsletter.
[Subscribe Now]