Do you know if your doctor or medical provider is adequately protecting your private medical information? Do you even know what questions to ask in order to find out? Fortunately, there is one simple question you can ask your doctor, dentist, chiropractor, or any other medical provider to gauge how seriously they take patient privacy. I will share this question at the end of the article, but first, you should understand just how valuable your medical records are to criminals and why you are at real risk.
As a technology consultant, I have taken many questions from my medical clients regarding compliance with HIPAA, the federal law that among many things, requires the protection of patient medical records. Given that technology is integral to medical record keeping, it isn’t surprising that my clients are asking me for advice. Unfortunately, I have not studied the pages upon pages of legalese that the HIPAA law and its various amendments encompass nor am I qualified to offer advice on legal matters. So while I can offer advice on specific technologies that can help with HIPAA compliance, it is ultimately the responsibility of the medical provider to ensure that they are protecting the medical information for their patients. There are many other factors to HIPAA compliance than just technology and I understand the frustration many of my clients feel when dealing with such a enormous law that in many cases is vague and unclear.
Regardless of HIPAA, the fact is that your medical records are extremely valuable commodities to information criminals. Protecting our medical records should be a priority for all of us. Unfortunately, most people have no idea just how valuable their medical information can be so they make no effort in talking to their medial providers regarding the provider’s patient privacy practices. Additionally, even many medical providers have no idea how valuable this information can be and it puts their patients at risk of a data breach.
Many small medical practices think they are safe because they believe criminals aren’t likely to bother with them. However, according to Jim Moore, certified HIPAA professional and a 30-year veteran in healthcare practice consulting, criminals are in fact targeting small practices because they realize that many small medical providers are lax on their patient privacy practices. He says that given the high value of even one person’s set of medical records, a data breach at even a small town medical practice can be a windfall for criminals. Worse yet, because they think they are not targets, many small medical practices are willfully ignoring HIPAA and not implementing strong patient privacy protections.
As a patient, our medical providers ask us to sign “HIPAA forms.” Many patients think that is all that is necessary for a practice to be HIPAA compliant! If one were to ask their medical provider if they are HIPAA compliant, most would probably answer that they are. This is not because the medical provider is being dishonest, but because the HIPAA law is so broad many providers only have a rudimentary knowledge of what is actually required for compliance. So instead of asking if your provider is HIPAA compliant, you should ask instead to speak to their “privacy officer.” HIPAA requires every single healthcare office to have a privacy officer, whose responsibility it is to create and enforce patient privacy protection policies and practices. If your medical provider does not know what a privacy officer is or does not claim to have one, this is probably a solid sign that the office is not actually HIPAA compliant and likely does not have adequate privacy protection practices. This is also a great question to ask potential medical providers BEFORE you become their patient. If the practice does in fact have a privacy officer that’s good news. The acting privacy officer can be the doctor themselves, but more likely one of their staff, or even an outsourced provider. You can then ask the privacy officer if they have some sort of certification to prove they are HIPAA compliant or have them explain to you what steps they take to ensure your medical records are secure. Hopefully they provide answers that make you trust their competence. However, if your provider does not have a privacy officer, or if their answers to their patient privacy practices are not satisfactory, it is up to you if you choose to continue to remain a patient or find a medical practice that does adequately protect their patients’ private data.
A special thanks to Jim Moore, certified HIPAA professional, for much of the information in this article. Additionally he has offered to answer any questions you may have regarding the protection of your medical records. If you have any questions about this article, please feel free to comment below.