Data Misuse Concerns
The site in question, used by physicians for patient notes, didn’t show signs of access by any unauthorized personnel, and the patient records did not include financial information or social security numbers. However, the potential for accessing personal information such as prescriptions and medical history was still very much a possibility.
All of the impacted individuals were notified, and Boston Medical Center immediately discontinued their decade-long business association with the medical transcription company. The website was taken down the same day the incident was reported, although it’s not clear how long the patients’ unprotected data was live on the site prior to that date.
It’s clear that MDF Transcription was not following the HIPAA protocol as they should have. The fact that it doesn’t appear as if any of the information was used or accessed inappropriately, HIPAA is not just about fully realized cyber-attacks. Instead, the guidelines set in place by HIPAA are intended to be proactive and preventative, protecting not only against the misuse of data but also unauthorized access of any kind.
The Future of PHI
Ongoing discussions over protected health information (PHI) have led to a recent Blue Ribbon Panel for further discussion on how to best respond to the increasing complexities involved with privacy and security enforcement within the healthcare industry. From the Office for Civil Rights (OCR) to the Federal Trade Commission and even the Securities and Exchange Commission, a number of organizations are getting more involved with the education and enforcement of the HIPAA compliance process.
Perhaps more relevant for companies like MDF, the OCR is taking a more aggressive stance when it comes to imposing financial penalties on those organizations that have neglected to meet even baseline expectations for PHI standards and HIPAA compliance. Overall, the mood is one of very little patience toward companies that continue ignoring mandatory standards, and a heavy emphasis on the right of the individual to expect (and receive) a certain level of privacy assurance when it comes to his or her own health and medical records.