The Slippery Slope of HIPAA Breaches

Posted April 19, 2017, 7:30 AM

Over the last few years, HIPAA privacy rules have changed how the medical industry communicates with patients and what is required of the technology vendors that handle patient information. From pharmacies no longer announcing prescription pickups over overhead paging systems to stronger encryption requirements for the systems that store and transmit records, the changes were intended to reduce the number of potential data-sharing breaches.

Healthcare is well known as a vertical that holds in-depth personal information, typically including social security numbers. For appropriate and required patient treatment, that data is often shared with a variety of specialists. Technology vendors that participate in this sharing must comply with rigid and repeatedly tested communication methods, and yet with all of these safeguards in place, breaches still occur.

Finding the weaknesses that lead to data breaches is a specialty service. In the business world at large, even with sophisticated firewalls and IT staff monitoring the network, it can take up to three months to detect a breach. By that time the damage has been done and the critical patient data is already being shared and sold on the dark net. Many of these breach conditions occur outside the normal protection realms, and HHS has established a level of protection for the medical institution that has taken reasonable precautions:

“. . . [The] potential exists for an individual’s health information to be disclosed incidentally. . . . HIPAA Privacy . . . does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.”


The secondary level, the ‘incidental breach’ (what the HHS text above calls an incidental use or disclosure), has become a touchy area. It covers any discussion of a patient’s medical condition or prescription medication in a way that others could overhear. At one time, a pharmacy could phone a patient and leave a voice mail announcing that a named prescription was ready for pickup; now the message can only say that a prescription is ready for someone at this phone number. In-person patient consultations must take place in a segregated area or in hushed tones so that no one nearby can hear the exchange. Even floral deliveries in a hospital have changed. These were once delivered directly to the patient’s room; now, to protect patient identity, all arrangements are left at a front desk without disclosure of a room number or even confirmation that the patient is in the hospital.

Some of the prescription pickup rules have actually created problems for patients. This occurs when a patient cannot pick up their own medication and instead sends a neighbor or family member. Most pharmacies have since loosened their own policies on this front so that a patient can get their medication. HHS guidance in fact permits a pharmacist to use professional judgment and release a prescription to a family member or friend of the patient, so the stricter pickup rules were pharmacy policy rather than a HIPAA requirement.
