Guest post written by Bob Gregg, CEO of ID Experts, a provider of computer data breach response services.
The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.
Our country loses up to $234 billion a year on healthcare fraud – acts of deception for illegal gain, usually financial. If I add that statistic to the $41.3 billion cost of medical identity theft – using another’s medical identity to obtain medical goods and services—it totals well over a quarter of a trillion dollars.
Two factors will make the problem exponentially worse.
First of all, the newly insured encompasses populations typically more vulnerable to scams and theft. This is especially true for citizens eligible for Medicaid under the federal expansion plan.
The second factor is the digitization of every American’s health record by 2014 as well as the adoption of health information exchanges. Not that long ago, a data breach in healthcare meant a nurse showed your file to an unauthorized person. With electronic health records, we now routinely see breaches of a million, three million, up to five million patients…in a single breach.
My friend, Dr. Deborah Peel, founder of Patient Privacy Rights, tells me that “patients have no control over who sees or sells personal health information. Our health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.” Thousands of people, including researchers and government agencies, she says, have easy access to this information.
The net result: a lot of people we don’t know will have simple, unprotected access to nearly every American’s health information, including these “untapped” vulnerable citizens.
In my mind, that raises four major issues—issues that nobody wants to talk about.
- Increase in Medical Identity Theft.
Lower-income individuals about to receive insurance under the Affordable Care Act are an ideal “target market” for medical identity thieves and fraudsters. Stealing medical identities to obtain medical goods or services is shamefully easy. And victims are often enablers. The Ponemon Institute’s Third Annual National Study on Medical Identity indicates that 65 percent of individuals surveyed would share their medical identity with others. That’s like handing over your wallet to a stranger and saying, “Help yourself.”
Some say if everyone has insurance there will be no incentive to steal another person’s medical identity. That’s like saying if everyone has a job there will be no more stealing. There will always be good coverage plans, great plans, and lousy plans. If your insurance plan only covers the bare minimum, why not steal an insurance card that covers everything?
- Increase in Fraudulent Activity
Healthcare fraud covers a wide range of illegal activity, from billing for services not rendered to altering medical diagnoses to justify payment for unnecessary procedures. To combat this multi-billion dollar problem, health plans pass the cost on to patients in the form of higher premiums and rates.
They call it the Affordable Care Act for a reason; the government intends to squeeze providers with lower payments for everything, just as they have with Medicare and Medicaid. Insurance companies that are being inundated with lower reimbursements have a huge incentive to increase those billing dollars in another way.
- Increase in Data Breaches.
Healthcare data breaches are up 32 percent over last year, according to the most recent Ponemon Benchmark Study on Patient Privacy and Data Security, at an average cost of $6.5 billion. The federal government is giving providers just enough money to digitize patient records – but not a dime of funding to protect the data.
I have not talked to a single person in healthcare who does not believe the number, size, and complexity of data breaches will only continue to increase.
Electronic health records and the use of health information exchanges, as we’ve discussed, leave the door wide open for the breach of sensitive patient data. Christina Thielst, vice president at Tower, a patient experience consulting group, agrees.
“The push for efficiency to accommodate the increases in care and the move toward population health will require more investment and adoption of health IT. And, rapid shifts to adopt the technologies could actually increase breaches unless sufficient planning and safeguard implementation occurs.” She believes there is a great deal of education that needs to occur in all healthcare organizations about data security.
- Budget Constraints
Healthcare, more than any other industry, is subject to regulatory scrutiny and fines; just last week the Department of Health and Human Services’ Office of Civil Rights fined the Alaska Department of Health and Social Services $1.7 million for the breach of 2,000 patients’ sensitive data.
Compliance with privacy and security laws, however, is rarely a top priority for healthcare providers. Training employees, performing risk assessments, and implementing new security technologies all take money—money that must now be redirected to caring for millions of new patients. Additionally, now that pre-existing conditions are no longer a reason to deny coverage, many of these patients come at a higher cost.
The Bottom Line
The Affordable Care Act is designed to make healthcare available to the masses. But that availability comes at a price. Healthcare providers will have to shift tight budgets toward patient care and away from protecting patient privacy, leaving Americans vulnerable to the increasing frequency and cost of data breaches, medical identity theft, and fraud. Combine that with the HITECH Act, federal legislation that pushes healthcare providers into adopting EHR systems, and you have a perfect storm for unintended consequences surrounding patient privacy and data security.
We urge citizens everywhere to contact their congressional representatives and demand that patient privacy and data security go hand-in-hand with the adoption of more available healthcare and easier access to patient information.
After all, the exposure of a person’s most private, sensitive healthcare information is something no American can afford.