As the U.S. government continues to reel from Edward Snowden’s media disclosures, many businesses in the healthcare sector are similarly concerned with the costs of mishandling client data. Beyond outright data breaches, targeted medical advertising is one example of a growing concern: the risk of unauthorized disclosure.
A failure to take reasonable steps to protect clients’ medical data can be extremely costly. WellPoint was recently fined $1.7 million for HIPAA violations after leaving the names, Social Security numbers and healthcare information of over half a million clients accessible over the Internet. Beginning September 23, 2013, when the HIPAA Omnibus Rule takes effect, liability will extend directly to the business associates that handle clients’ medical information on a covered entity’s behalf.
Healthcare organizations must also grapple with the prospect of targeted marketing and advertising technologies being employed to gather clients’ medical information and use it inappropriately. At its most innocuous, this is little more than Target’s now-famous delivery of maternity ads, derived from recent on-site purchases and aggregate purchasing history. More problematically, this information could be used by third parties to allow discrimination by insurers or employers. Aware of these challenges, savvy healthcare organizations must adapt to the changing landscape.
On the IT front, healthcare organizations must keep current with best practices and with evolving threats to client information security, including (and perhaps especially) those originating from internal IT staff, who typically hold the broadest access to that information. Given the increased emphasis on compliance in the pending HIPAA regulations, on top of existing, industry-agnostic data breach notification laws, the cost of noncompliance can be immense.
To further mitigate risk, healthcare organizations must ensure that their employees, whose mishandling of client data will soon expose the organization and its business associates to direct liability, are properly trained to follow regulatory and security guidelines. This client-conscious training must be complemented by preventive procedures that limit the opportunities for improper data exposure. In the event that client information is breached, these internal processes must also give clear guidance for containing the exposure and promptly notifying affected clients. Above all, healthcare organizations must modernize their approach to handling member and provider information, lest they fall prey to regulatory censure, loss of client trust, damage to their brand, and crippling fines.