Data breaches: Another opportunity for bad publicity

Hospitals and other healthcare providers have been under the microscope this year due to security breaches involving patient data. However, slowly but surely, data breaches at health insurers are starting to make the news as well--and health plans need to be proactive in setting up systems to secure their massive amounts of data, advises Dr. Barry Chaiken, MPH, chair of the Healthcare Information and Management Systems Society (HIMSS). "Health plans are not the most popular people in the word, so they need to be very careful about breaches in privacy and security."

Last month, Blue Cross and Blue Shield of Tennessee revealed that up to 1 million patients could be impacted by the theft of 57 computer hard drives that were encoded but not encrypted, reports the American Medical News. Earlier this year, the Connecticut state attorney general filed a lawsuit against Los Angeles-based Health Net Inc., after an unencrypted portable data drive containing information about 446,000 enrollees and physicians was lost--a lawsuit that marks the first state effort to use the HITECH Act to enforce HIPAA privacy laws, according to the American Medical News. And just last week, in a much more mundane but still news-making case, the New Mexico Human Services Department notified 9,600 members of its Medicaid members of a potential data breach when an unencrypted laptop was stolen from a health plan subcontractor, reports the New Mexico Business Weekly. (Common theme: Encrypting data is a very good idea!)

Health plans face a double-whammy on the security front and need to prevent data breaches related to patients' financial/claims data and personal health information (PHI), as well as provider data such as provider identification numbers (which are often tax ID numbers), points out Chaiken. And unlike hospitals, which might have thousands of records, health plans may have millions of records at risk. Health plans face a tremendous challenge because they have data coming in from myriad sources. "That means there is often a different process based on where the data comes from. They are mixing paper and electronic--that's also an issue," he says.

So health plan data security processes are "much more complex" than required for hospitals, notes Chaiken. For example, health insurers need to create physical (e.g., visual or auditory) barriers to protect PHI on-site and train all their employees to protect the information. Health insurers also need to have surveillance tools that protect data on unattended desktop computers. "You don't want people hunting and pecking for their neighbors' medical records, which could not only happen in a hospital but also could happen at a health plan," says Chaiken.

Health insurers need to create an overarching plan that addresses data security across the organization instead of just developing security plans for each department or division, says Chaiken. "I very much believe that organizations have a culture. Cultures come from the top down. If the senior people say that privacy and security is important, and they tell people why, and it is a strategic initiative that comes from the highest level of the organization, then people go out and execute it and protect the information. If the people who are on the front lines doing the work are not given the tools to protect themselves and ensure the privacy and security, then it is not important. So it has to come from the top and be a part of the culture of the organization." - Caralyn