By Cathy A. Sloane, Esq.
Published in the November/December 2006 Issue of the Canton/Akron Edition
MD News Magazine
Did you catch the headlines in April when Aetna Inc. announced that a laptop containing social security numbers (SSNs) and other personal information of 60,000 beneficiaries was stolen from an employee’s car? Did you follow the story in May as the U.S. Department of Veterans Affairs dealt with the loss of a laptop holding personal information on 26.5 million veterans? How about the media reports involving healthcare conspiracy fraud and dumpster-diving identity thieves? Surely your patients did, and perhaps you are experiencing the fallout.
Not surprisingly, patients learn about healthcare security breaches and become wary of their providers. Studies show that distrusting patients often adopt “privacy-protective behavior.” Such behavior includes challenging the type of information asked of them; giving incomplete or inaccurate information; asking that certain facts not be written in their charts; and even avoiding care that may be disclosed to their families or employers. Ultimately, these protective behaviors erode your ability to give quality care.
What are some practical approaches for dealing with these fears in the office?
- Talk with your patients about what you do to protect their privacy.
Let patients know about your safeguarding policies and procedures. The HIPAA -mandated Notice of Privacy Practices, standing alone, is probably not enough to dispel fears. Train your staff to use phrases like: “To protect your privacy, we (do this and this).” - Re-evaluate and limit the amount of collected information.
Determine what information is actually needed for what purpose. Increasingly, SSNs are being removed from driver licenses, insurance cards, and other forms of identification to decrease opportunity for theft. If your office is still asking for the patient’s SSN, your staff should be prepared to say why the SSN is needed; how the SSN will be used; who has access to the full SSN; what will happen if the patient refuses to give the SSN; and what law requires that the patient give the SSN. Displayed SSNs should be truncated in the same manner as credit card receipts (e.g., XXX-XX-1432) or reformatted to protect confidentiality. - Identify and deal with suspicious behaviors before a crime is committed.
You will recall from high-profile cases that security threats come, too often, from within the organization. Solicit patient feedback and listen keenly to staff concerns. Investigate complaints and consistently apply sanctions, as needed, to maintain your security measures.
Although statistics suggest that identity crimes are growing rapidly, you can ease your patients’ fears by demonstrating that your office has a robust security system in place for patient protection.
NOTE: This general summary of the law should not be used to solve individual problems since slight changes in the fact situation may require a material variance in the applicable legal advice.