One of the more interesting stories that came out over the past week involves Affinity Health Plan, a managed care plan in New York. On April 21st, Affinity began to notify over 409,000 people that their personal data may have been released. The list of people contacted included current and former customers, employees, providers and applicants for jobs and coverage through Affinity.
Affinity had leased a digital copier from a company in New Jersey. The copier was equipped with a hard drive that saved every piece of data that went through the copier. When the leased copier was returned to its owner, the hard drive was not erased, leading to a security breach.
In the world of 2010, there are very few places we can go that offer safe haven from the digital age. What many people fail to realize is that every bit of data ever transmitted in a digital format either already has been, or at the very least could be, saved and stored forever.
I must admit that the very idea of this can be frightening. Every text message from my phone, every night spent playing computer games and every profanity-laced tirade in e-mail form that has ever been emitted from my fingertips can be accessed by someone somewhere. I guess we can scratch off a career in politics from my to-do list.
Now let’s bring this ominous fact of life into the realm of medical billing and compliance. It’s safe to say that in every office involved with protected health information, there exists the possibility of the information becoming vulnerable.
The Affinity case is a good starting-off point. The thing that really jumped out at me in this story was the idea of an unsuccessful Affinity job applicant being contacted, perhaps years later, and being told, “Remember all of that personal information you gave us before we flatly rejected you? It’s freely available in a warehouse in New Jersey.” When it is determined that an employee isn’t a good fit after the interview process, companies are used to sending out the standard “we’ll keep your resume on file for six months” letter and moving forward, with the company holding all of the cards. Now imagine the embarrassment of having to send out a second letter years later telling the person you never planned on seeing again that you exposed them to identity theft via the office copier.
HIPAA regulations make very clear the responsibilities of digital gatekeepers of patient information. It is best to remember that the computer screen in front of you and the servers to which it is connected are only a small part of the machinery utilized on a daily basis that stores PHI for a legitimate business purpose. Take a quick look around you. Did anyone leave papers on the copier? The fax machine? In a common area while getting a beverage? Take a moment to think about what documents you have placed in a medium offering some type of digital storage.
After that, look around your work area. Ask yourself whether, in the eventuality of someone breaking into the office, your desk is vulnerable to letting PHI fall into the wrong hands.
As a pertinent afterthought, I’ll share this. Spaces such as this included, more people are sharing their thoughts with an ever expanding worldwide audience on a variety of subjects. When someone feels passionate about a topic, it is now easier than ever before to stand on a virtual rooftop and shout extemporaneously to the world at large. It is the world unfiltered, and it’s unlike any form of communication that came before it. It brings into focus not only how many bright and talented people have been falling through the cracks for generations, but it is also demonstrating how many unhinged people once took a typing class.
While life has been simplified to a degree in the digital age when it comes to quick access to information, in the immortal words of Peter Parker’s Uncle Ben, great power also brings with it great responsibility. Take a moment to internalize the idea that hitting the delete button does not translate to the end of life in the digital age. Conversely, it is also a good idea to review what you have typed prior to hitting the Send button. Consider everything you do with anything that can be plugged in and has the ability to store data to be permanent and retrievable once it has left you. The biggest thing this story has taught me is that it should be a long time before anyone sits on a copier with their backside exposed again.