Why It Is Important to Utilize HIPP-compliant Medical Record Review Service

As a personal injury attorney handling hundreds of medical records for medical record review, you need to be extra cautious regarding the confidentiality of these documents. More importantly, if you happen to use medical record review services, it is your onus to make sure that they have reliable security measures in place to protect the medical information you entrust them with, and are HIPAA-compliant. When you deal with confidential health information, you may need to become an actual "business associate" under HIPAA and HITECH Acts and this carries specific obligations and compliance measures. Failing to meet the required standards may lead to serious penalties.

Confidentiality and privacy concerns become more significant in the context of medical identity theft that is alarmingly on the rise. An identity thief can receive medical care and services that include medical instrumentations and prescription drugs fraudulently using another person’s name and insurance information. Of course, experienced attorneys help their clients hold identity thieves and other parties accountable for their actions. However, medical identity theft creates a dangerous situation because the notes made on the victim’s medical records will be that of the thief, and it may lead to inappropriate and even fatal medical decisions in the future.

Let us consider why medical identity theft is increasing and what makes the medical industry vulnerable to cybercrime.

Why Cybercrime Is Increasing

Medical records that are shared among doctors, hospitals and other care providers are covered by the HIPAA Act, but what about the information shared among app developers, financial institutions and others? This is not covered by any regulation.

• Consumer Reports’ research conducted in 2015 revealed that 91% of Americans surveyed were of the opinion that their consent should be required whenever health information is shared.
• This shows that people are really worried about how their health information is shared among various agencies because any careless action could lead to medical identity theft and fraud.
• Healthcare information of patients stored on laptops, smartphones and flash drives is very vulnerable because it can be compromised if these devices are lost or stolen.
• Studies show that medical fraud costs victims an average of $13, 500 and hundreds of hours to set right. Worse still, how to retrieve the sensitive medical information that is out there in the public sphere?

Cybercriminals are even threatening hospitals and other healthcare facilities. Take the recent ransomware attack against the Hollywood Presbyterian Medical Center in Los Angeles, CA. Their computer systems were locked up by ransomware in early February. As a result, it became impossible to carry out procedures such as CT scans and patients had to be taken to nearby medical facilities for treatment in some cases. Access was denied to patient data, important documents and email. The hospital paid $17,000 in bitcoins to regain access to its data, and this was done in the best interest of restoring normal operations, according to the president of this medical center. Healthcare insurance providers such as Anthem and Premera Blue Cross have also been targeted by hackers, resulting in massive breaches of PHI (Protected Health Information).

Why Steal Another’s Identity?

Why do cybercriminals steal the identity of another?

• Studies by leading researchers show that these criminals steal important details such as PHI, social security numbers, credit card information and PINs, and banking credentials which can be sold for $1500 or even more on the black market.
• This information is used not only to obtain medical services and commit insurance fraud, but also to create professionally forged and customized social security cards, drivers’ licenses, passports, insurance membership cards and credit cards.
• PHI can be sold to pharmacy companies and hospitals that may want to target patients with specific health conditions.
• Researchers say that PHI could be used even to forge passports and visas. This could have serious consequences.
• It is found that in more than half of the identity thefts, family members are involved. An uninsured person may use a relative’s or friend’s insurance identification card to obtain treatment.

Medical information is very attractive to cyber thieves because it has an enduring value. Unfortunately, for the victim this information is non-recoverable and poses a serious threat in the hands of criminals and fraud. Their healthcare details become mixed up with the perpetrator’s, which can have devastating consequences.

Ensure PHI in Your Hands Is Protected

As mentioned at the outset, law firms and attorneys handling work that involves PHI (medical records, lab results, insurance information etc.) for covered entities under HIPAA come under the "business associate" classification. Therefore they also become regulated by HIPAA and will be held liable for any violation under the Act.

• To ensure compliance, sign business associate agreements (BAA) with agencies you partner with and who may have access to sensitive health information.
• Perform a risk assessment and have in place physical, technical and administrative safeguards to protect against any possible data breach.
• Law firms handling such work must make sure that their outsourcing vendors such as a

medical record review company and sub-contractors also comply with the Privacy Rule.

Managed Outsource Solutions (Mos) has providing value-added medical record review services for the medico-legal industries.