With recent news stories about NSA programs breaking sophisticated encryption codes and state-sponsored cyber terrorism, questions about the security of digital information cannot be far from the minds of any medical billing and coding professional. This is especially true since the 2009 Health Information Technology for Economic and Clinical Health Act, conveniently condensed into the acronym HITECH Act, modified HIPAA’s Security Rule to require that any unauthorized access to protected health information be reported to both patients and the government. If the problem persists, these HIPAA breaches may result in fines and/or a prison sentence.
The ears of any medical billing and coding professional should now be sufficiently perked. Okay, if your computer gets hacked, chances are you will not have US Marshals knocking on your door with an arrest warrant. But the implications of this relatively new law, combined with the threats that accompany modern technology, are real issues for those who do their medical billing and coding work on a computer that has access to a network, the internet, or any other kind of wireless connection.
Concerns Not Hypothetical
These concerns are not just hypothetical either. In April of 2012 it was revealed that foreign computer hackers gained access to patient information, including Social Security numbers and personal medical records, of potentially 780,000 people whose files were maintained within the Utah Department of Health. That same month the Atlanta hospital system Emory Healthcare announced that it had misplaced several backup hard disks containing the sensitive protected health information of approximately 315,000 patients, resulting in a lawsuit seeking damages in the hundreds of millions of dollars.
People can weigh for themselves which is more of a headache: sending out 780,000 notifications to individual customers or paying millions of dollars in settlements and fines with possible jail time. However, the technological advances which opened this Pandora’s Box of new problems can also serve as the key to lock that box back shut, specifically with an encryption key.
The 2009 HITECH Act states that if information is stored as an encrypted file, general security breaches of a server, network or personal computer do not need to be reported, assuming the encryption key is not among the files that have been compromised. And with a little technological know-how, encryption programs can be downloaded for free off the internet, or purchased and managed by a third party for anything from a one-time fee to monthly subscription costs.
Although not required under HIPAA regulations, encryption programs are undoubtedly the safest way to store and transport protected health information. However, it is also a sure bet that most smaller medical billing and coding operations do not take advantage of encryption technology and prefer to trust they will not be the targets of hackers or subject to carelessness. In most cases that trust proves justified, provided those involved have a general awareness of and respect for the sensitive nature of the information with which they are dealing.
The unfortunate fact is that as long as there is protected information, someone somewhere will want to steal it, and because neither computers nor file cabinets are one hundred percent secure, there will inevitably be breaches.