Much of the knowledge stolen in an organization takes the form of tacit knowledge that is used regularly but not necessarily in a conscious fashion. This paper covers what is in medical records, what is not covered by HIPAA, what constitutes fraud and abuse, who has access, how to protect records, how patients get access to their records, what rules and laws apply, and how to protect and secure electronic health records. Identity theft is discussed, along with what patients need to do to prevent it. There are penalties and fines for computer fraud and abuse. Employee internet usage is monitored to protect patient records and company records.
Records are accessed through intranets and extranets. This paper will determine whether security measures are effective and suggest a plan for information systems to address potential identity theft issues.

Introduction

Much of the knowledge stolen in an organization is information that is used regularly but not necessarily in a conscious fashion. The Health Insurance Portability and Accountability Act (HIPAA) only protects medical information that is kept by health care providers, health plans, and health clearinghouses, and those entities must conduct specific electronic transactions to be covered under HIPAA.
This paper covers what is in medical records, portability of records, identity theft, fraud and abuse, access points, employee monitoring, security measures, and how to avoid identity theft. This knowledge will help people protect the privacy of their medical records.

Medical Records

People need to be made aware of the privacy of their medical records. They need to be informed which information is covered under HIPAA, which information is not covered under HIPAA, and how to protect that information.
Patients need to know what is in their medical records, who has access, how to get their own records, what rules and laws apply, and what electronic health records are. Medical records begin when a patient sees a health care provider of any type. The charts can contain medical history, lifestyle, family history, results and findings, medications, and genetic results. Privacy Rights Clearinghouse (2012) states, “In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures” (para. ). Not all medical information is protected by HIPAA. In addition, employers may be self-insured, and that information is not protected. Privacy Rights Clearinghouse (2012) states, “Medical information that is not covered by the federal privacy rule might be found in your financial records, your child’s school records, and/or your employment files” (para. 8). Financial statements can include medical transaction information in their descriptions, and that information is not protected by the federal privacy rule. This medical information could be stolen.
Many people can access medical records because the patient signs a form when visiting the doctor’s office that allows affiliated personnel to access the records as needed. Therefore, patients should discuss the confidentiality of their records with their health care provider. HIPAA requires all health care providers to give patients access to their medical records. Providers are allowed to charge a fee for the records but not for searching for and retrieving them. Patients have the right to look at the HIPAA regulations to see how they apply to them and their medical records.
Individual states also have laws in place regarding medical records, although they do not supersede HIPAA. Electronic health records (EHR) were enacted by President Bush in 2005 and must be in effect by the year 2015. The EHR system will enable non-primary physicians and emergency health care providers to access a patient’s health record electronically to provide immediate care.

Portability of Records

Today, identity theft and who is responsible for preventing it are the biggest challenges faced by medical and financial organizations that keep social security numbers and perform financial transactions (via credit card, for example). The issue is “protected health information” and the roles that patients, healthcare providers, and government regulators play in making sure this information is kept safe. It is the physician’s or healthcare worker’s responsibility to keep patient information private, confidential, and secure from unauthorized people.
This is covered under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. According to the Radiological Society of North America, Inc. (2012), “Patient privacy refers to the right of patients to determine when, how and to what extent their health information is shared with others” (para. ). This information is to be shared only with healthcare providers and related professionals that have the patient’s permission to access it. According to the Radiological Society of North America, Inc. (2012), “Methods of protection must include considerations for timely and easy access to clinical information by the authorized healthcare professionals” (para. 7). If healthcare providers cannot access the information, treatment can be delayed because they cannot see the patient’s results and past history.
Healthcare professionals are working with scientists to come up with ways to secure patients’ information and data. They are creating policies and procedures, making new standards, exploring new technologies, and educating healthcare providers and patients. According to the Radiological Society of North America, Inc. (2012), “If you believe that your personal health information (PHI) has been accessed or used inappropriately, report your concerns to your physician or administrative staff of the physician office or hospital immediately” (para. 10). Patients should let their physician know if they feel their information has been compromised.
HIPAA requires all complaints to be investigated by healthcare providers, and a report must be made about the complaint, the investigation, and the results. It is important for patients to know who has access to their records and how their care is affected if physicians cannot access their records in a timely manner. They also need to know what to do if they feel their information is being used by unauthorized individuals, because it can affect their healthcare.

Fraud and Abuse

The theft of medical information from medical records constitutes fraud and abuse, and such records are protected under federal law.
The Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and other federal laws address computer crimes and the punishments for them. This legislation helps deter computer crime. WGBH Educational Foundation (2012) states, “The Computer Fraud and Abuse Act (CFAA) [18 U.S.C. Section 1030] makes it illegal for anyone to distribute computer code or place it in the stream of commerce if they intend to cause either damage or economic loss” (para. 6). It is important to know that information transferred over the internet is protected under the U.S. Constitution. Legislation such as the CFAA has been passed to deter unauthorized use, abuse, and theft of this information. Under the CFAA, a person may not knowingly distribute computer code, put it in place, or introduce a virus into computers engaged in interstate commerce. A person who does this can be fined or serve prison time. An article from WGBH Educational Foundation states that computer code is protected under the First Amendment:

U.S. courts have established that most original computer code is intellectual property … U.S. law treats code in the same manner as it treats books, musical recordings and other creative activities… are protected under the First Amendment of the U.S. Constitution. (WGBH Educational Foundation, 2012, para. 2)

The ECPA protects against unlawful interception of wire communications. This includes e-mails, communications sent over computer lines, and stored e-mails and information. Violators are committing a federal crime. The Economic Espionage Act (EEA) makes it a federal crime to take, download, receive, or possess trade secret information obtained without the owner’s authorization.
The Wire Fraud Act prohibits anyone from using the internet to commit fraud to obtain money or property. The Identity Theft and Assumption Deterrence Act (ITADA) criminalizes identity theft. Identity theft occurs when someone knowingly transfers or uses the identification of another person to break the law, which is a violation of federal law (WGBH Educational Foundation, 2012, para. 17). ITADA addresses restitution and relief for the victims. These are federal crimes with stiff penalties and prison sentences for those who commit them.

Access Points
For the sake of convenience, corporations provide access to data from multiple points both inside and outside the organization. According to Rainer and Watson (2012), “business computer systems are accessed through intranets and extranets” (p. 256). Users gain access to intranets by entering the workplace and passing through physical controls such as a guard, a front door, or an ID system. Once at a computer, users must pass through an access control system, such as authentication with an access password or personal ID, to gain access to the system. “Access controls are used for authentication and authorization of users” (Rainer & Watson, 2012, p. 56). Authentication identifies the user requesting access to the system. This can be done using biometrics, ID cards, smart ID cards, tokens, voice recognition, signature recognition, passwords, or passphrases. Authorization determines which programs the user has access to; the company sets which levels of access each user is privileged to use. Extranets are used when users access the company’s computer systems through the internet from a PC, smartphone, or iPad. This can pose security issues because this type of information transfer is not secure. This system uses an encrypted access password, and the connection must pass through a firewall.
The firewall, a communication control, is there to prevent the intrusion of malware. Medical records are accessed through both intranets and extranets, and both systems can be breached and patient information stolen, resulting in identity theft.

Employee Monitoring

Workplace privacy and employee monitoring are handled with new technologies made available through computer programs and video surveillance. The employer is legally permitted to monitor all internet activities performed on the job and needs to inform employees of their rights as well.
Employers have the right to monitor employees’ usage of company property. They do this to ensure workplace privacy. Employers can monitor workplace activities such as telephone, computer, e-mail, voice mail, postal mail, and social media use, and they can use video monitoring. This causes conflict between employees and employers. Privacy Rights Clearinghouse (2012) states, “The conversations you have with co-workers are subject to monitoring by your employer in the same way that your conversations with clients or customers are” (para. 12).
Employee conversations can be monitored if they take place near a device that is recording. Conversations can be heard through phone calls and phone headsets. Anything said in the workplace that is derogatory toward the company can be used against the employee. If employers know the employee is on a personal call, they must immediately stop monitoring the call. Employers can request phone records for any company phone lines. Employers can monitor all company computers and all activities done on those computers.
Privacy Rights Clearinghouse (2012) states, “If an electronic mail (e-mail) system is used at a company, the employer owns it and is allowed to review its contents” (para. 20). Employers can view personal e-mails of employees on company computers for any content written about the company. Information mentioned in work e-mails and conversations in the workplace can be used against the employee in evaluations and can lead to termination in some cases. Monitoring is done by software programs developed for this purpose. An employer can also look at the computer screen itself to see what the employee is doing.
Employers are not obligated to let the employee know they are being monitored. Voice mail and postal mail are handled the same way because they also belong to the company. Social media monitoring is done to make sure an employee does not leak sensitive information about the company. This monitoring can be done by the company itself or outsourced to a third party. Video monitoring is usually done by the employer to prevent theft. Monitoring employee internet usage can be done by physically watching the employee, and there are also programs that can be used for this purpose.
The programs also address the best way to approach these practices. Strohmeyer (2011) states, “Everything your team does on company time, and on company resources, matters” (para. 3). Organizations need to monitor the internet usage of their employees because internet usage affects productivity and consumes the organization’s time and resources. There is also the possibility of company records being put in jeopardy by unauthorized users. Employees could give medical information about a patient to an unauthorized party or use this information to commit medical identity theft.
Strohmeyer (2011) states, “You can install a web-hosted system that combines software on the PC with remote monitoring services to protect your computers and enforce compliance with company policies” (para. 7). Monitoring software is available that covers endpoint security, malware protection, policy enforcement, and asset tracking to track internet usage. The software is installed, user IDs and passwords are set up, and IT monitors employee usage. The best way to go about monitoring employee usage is to be up front with the employees.
Employers should ensure that employees know the policies for internet usage and that all usage is tracked and monitored. It is important that everyone in the organization knows how personal internet usage affects the business. There is also simple software that can be used to monitor the computers at work, protecting the organization’s information and monitoring employee computer use.

Security Measures

Electronic Health Records (EHRs) consist of patients’ personal and medical information that can be accessed by healthcare providers. EHRs require a higher level of security.
This section also expands on the types of security systems available to organizations. AHIMA e-HIM Work Group on Security of Personal Health Information (2008) states, “They have a legal, moral, and ethical duty to protect all clinical and research information by ensuring that security and privacy safeguards are in place” (para. 1). As health care professionals, employees have a duty to know the laws and protect patients’ privacy. There are categories that identify which records have high-risk potential, and there are existing computer programs that can handle the job of protecting patients’ medical records.
The security of high-risk information in EHRs and the roles health care providers and patients play in it are an important standard in health care organizations. This is needed in order to protect patient privacy and to adhere to high standards within the organization. Categories that warrant tighter security measures are patient type and identification, diagnosis and condition, procedure and testing, and consent and custody. There are security features to consider.
Patient type and identification is a security issue because there must be a secure way to match patients with their accounts within a facility, or between facilities when records are accessed remotely. There are also security issues with certain patients, such as celebrities and victims of domestic violence or child abuse. A record hold could be used so that only certain individuals can access those records. AHIMA e-HIM Work Group on Security of Personal Health Information (2008) states, “Highly sensitive health data involve certain conditions, tests, and records of vulnerable or high-profile patients and minors” (para. ). The law provides special protection for certain cases such as mental health records, HIV/AIDS, substance abuse, chemical dependency, the patient’s right to revoke authorization, and acute care environments. All of these conditions have special requirements that must be met before records are released. The organization must have security in place that does not allow the release of these records until those requirements have been met. Abortion, family planning, and genetic tests are another area that requires special conditions, because the patient may be scrutinized and harassed by the public.
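The two-step access check from the Access Points section (authentication of the requester, then authorization of what they may open) and the record-level features this section describes (role-based security, a VIP status indicator with a record hold, an alias in place of the real name, withholding special-condition data until patient authorization is on file, and a trail of who accessed a record) fit together into one access decision. The example below is added for this page and is not code from the paper or from any EHR product; the role names, section names, condition codes, and all user and patient data are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Condition codes the paper says carry special release requirements (constructed codes).
SPECIAL_CONDITIONS = {"mental_health", "hiv_aids", "substance_abuse", "genetic_test"}
# Chart sections each role may open (constructed role and section names).
ROLE_SECTIONS = {
    "attending_physician": {"demographics", "history", "results", "notes"},
    "nurse": {"demographics", "history", "results"},
    "billing_clerk": {"demographics"},
}
AUDIT: list = []  # every decision, allowed or denied, is recorded here


@dataclass
class User:
    user_id: str
    role: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Record:
    patient_id: str
    name: str
    alias: Optional[str] = None                   # shown instead of the real name when set
    conditions: set = field(default_factory=set)
    vip: bool = False                             # VIP status indicator: puts the record on hold
    hold_list: set = field(default_factory=set)   # user ids allowed past the hold
    consent_on_file: bool = False                 # patient authorization for special-condition data


def make_user(user_id: str, role: str, password: str) -> User:
    salt = b"constructed-salt-" + user_id.encode()  # constructed; use os.urandom in practice
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return User(user_id, role, salt, pw_hash)


def authenticate(users: dict, user_id: str, password: str) -> Optional[User]:
    """Step 1: identify the requester by a constant-time check of the salted PBKDF2 hash."""
    user = users.get(user_id)
    if user is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    return user if hmac.compare_digest(candidate, user.pw_hash) else None


def authorize(user: User, record: Record, section: str):
    """Step 2: decide whether this authenticated user may open `section` of `record`.
    Returns (allowed, reason) and appends an audit entry either way."""
    reason = "ok"
    if section not in ROLE_SECTIONS.get(user.role, set()):
        reason = "role not permitted for this section"
    elif record.vip and user.user_id not in record.hold_list:
        reason = "record hold: user not on the access list"
    elif (section != "demographics" and record.conditions & SPECIAL_CONDITIONS
          and not record.consent_on_file):
        reason = "special-condition data requires patient authorization on file"
    allowed = reason == "ok"
    AUDIT.append({"user": user.user_id, "role": user.role, "patient": record.patient_id,
                  "section": section, "allowed": allowed, "reason": reason})
    return allowed, reason


def display_name(record: Record) -> str:
    """Use the assigned alias, if any, so the real name never reaches the screen."""
    return record.alias or record.name


def accesses_to(patient_id: str) -> list:
    """Audit query: who tried to open this patient's record, and what was decided."""
    return [entry for entry in AUDIT if entry["patient"] == patient_id]
```

Every denial is logged alongside every grant, which is what lets an organization answer a patient's complaint about who looked at their record.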
Patients who are unable to sign consent forms and wards of the state are examples of people whose cases need special conditions met. Each of these highly sensitive cases in the EHR system needs security features in place that are specific to the case. This ensures the privacy of the patient’s medical records. These features include role-based security, VIP status indicators, the ability to assign an alias, the ability to restrict physician access, the ability to block notes and results, and the ability to track who has accessed and released information.

Avoid Identity Theft

There are different ways identities are stolen, and there are steps to deter identity theft. Mancilla and Moczygemba (2009) state, “Medical identity theft is defined as ‘when someone uses an individual’s identifying information…without the individual’s knowledge or permission, to obtain medical services…by falsifying claims for medical services and falsifying medical records to support those claims’” (para. 2). Healthcare providers must make consumers aware that identity theft is being committed to obtain their medical information for fraudulent medical care and medical claims.
There are steps patients can take to avoid becoming a victim. MIB Group (2012) states, “While theft of your identity would likely impact your credit and run up some medical bills for uncovered services or co-pays in your name, it could also result in the addition of erroneous data into your medical file” (para. 2). Identity theft is no longer just stolen credit card numbers. Thieves are stealing the complete identities of other people. They are stealing medical record information such as insurance identification numbers. They are using this information to get medical work done for themselves and to make false medical claims and get paid for them.
This causes financial problems for the victims, and it could put false medical results in their files, which could affect their medical treatment. Patients need to guard their insurance identification numbers. Patients should contact their physicians if they think anyone has accessed their records. This will help stop identity theft. MIB Group (2012) states, “Insist that your healthcare providers check your ID when they request your health plan card and request they do the same for all their patients” (para. 17).
Admission and registration procedures and policies are the best ways to prevent medical identity theft. Medical identity theft is on the rise. In order to identify why this is happening, online surveys, telephone interviews, and on-site observations were conducted. The results of these studies show which identification procedures need to be upgraded and who is responsible for making sure patients are identified. Computer programs can be purchased for the purpose of identifying patients, and staff members can be retrained, to help prevent medical identity theft.
Online survey results showed that, when patients register online, 91.9% of reporting facilities asked for identification when the person came to the facility to be admitted. When a patient showed up with no identification, 59.5% of reporting facilities said they still saw the patient. No one surveyed used a biometric identifier. Telephone interview results showed that emergency rooms see the greatest amount of identity theft because they are required to provide emergency treatment in most situations regardless of identification.
Mancilla and Moczygemba (2009) state, “The one consumer who was not asked to produce a photographic identification was known to the admission associate from a previous healthcare registration” (para. 24). It is important for patients and health care providers to understand what identity theft entails. Patients need to understand when they are asked for their identification that it is for their protection. Health care workers must be diligent in asking for identification even if they know the patient so as not to become complacent about it.
Some facilities have started using photo identification storage as a way to identify patients when they come in. Time constraints, the cost of biometrics, and the wide use of the social security number are other issues that contribute to identity theft. On-site observations found that sites were not consistent in asking for patients’ identification. Again, these acute care facilities also admit patients without identification. Staff were observed telling patients not to take anything with them to the hospital when they are being admitted, so most patients do not bring their identification.

Conclusion
In conclusion, it is important for people to know which organizations HIPAA covers, because then they will know whether their information is protected by law. These organizations include health care providers, insurance companies, and health clearinghouses. It is also important to know what is not covered under HIPAA, such as financial, employer, and school records. Patients do have control over who has access to their records. Everyone should know his or her rights as a patient. The patient has the right to confidentiality between physician and patient and the right to say who can have access to their medical and personal information.
Physicians have a legal obligation to make sure all electronic medical records are safe and secure and to investigate any possible breach of those records. Several different laws have been passed to deal with computer fraud and abuse. The penalties range from stiff fines to prison time. They also address restitution and relief for the victims. Technology is advancing more quickly than the laws can keep up with the crimes. It is hard to punish these criminals because most internet crimes cross state lines.
Most states cannot enforce their laws across state lines. There is still room for improvement and for more uniform laws that apply nationwide in order to get computer crimes under control. As the EHR system is implemented, there need to be strict security measures in place to make sure the information is protected. Some conditions warrant higher security measures than others. Health care workers need to be able to identify them and deal with them accordingly.
The best way to save an organization time and money and secure medical records is to monitor employee internet usage. Employers monitor employees’ usage of company property to make sure that productivity does not fall below the expected level due to personal use of company property. This can be done by physically watching the employee and by installing and using software programs for this specific task. Employers also do this to make sure that the company’s information stays secure. Any machine owned by the company can be monitored with or without notice to the employees.
The best way to deter employees from using the internet for personal use is to make them aware of the internet usage policy and that all employees will be monitored on the computers. This causes conflict between employees and employers because employees feel they have no personal space. Employees do not want to feel that their every move is being monitored. Employees are usually fine with it if they know the rules about usage of company property and know what their boundaries are. The more aware consumers are of what their medical records are and what they contain, the better they can combat theft.
They can avoid being a victim by being proactive. Medical identity theft is on the rise because there are no set rules enforced when identifying patients. The results from several surveys show inconsistencies in how staff members admit and identify patients. Many acute care facilities take patients without proper identification and treat them. Many of the computer systems are not equipped with proper identification software. Consequently, with proper software programs installed and with new policies, procedures, and retraining of staff, there could be more control over medical identity theft.