Ironically, the best way a company can protect its client/employee/patient personal information is to ask more questions about the individual. The more information a business has about its clientele, the better able it will be to protect each individual's personal identification information. Thus, as security experts, we are faced with a conundrum: protecting client information requires more information about that individual person, and yet holding that information creates greater risk of potential unauthorized exposure. Is it an invasion of privacy to ask a customer/client/patient questions which will allow company personnel to better ensure that the individual with whom they are speaking is actually who they say they are? But then again, is that information anybody's business?
Sue A. Blevins wrote an article for The Christian Science Monitor entitled "Who is reading your medical files today?" In the article, Ms. Blevins raises legitimate issues regarding healthcare notification laws under the Health Insurance Portability and Accountability Act of 1996, otherwise known as "HIPAA". Ms. Blevins postulates that HIPAA has too many loopholes for public health officials, healthcare providers, insurance, and data clearinghouse providers to bypass, and consequently, our private patient information is being provided, AT COST, to third parties when we have not consented to the release, or even had knowledge of it.
The American Civil Liberties Union (ACLU) contends that there are many far-reaching effects which can be extremely serious if privacy is not taken more seriously by our lawmakers and courts. Among other things, a lack of privacy can: (1) foster making personal health information a commodity that businesses sell and trade in the marketplace, which in turn will interfere with doctor-patient relationships; (2) reduce the trust consumers have in the healthcare system and institutions; and (3) leave consumers unable to adequately protect themselves from bad, lost, stolen, or misused data.
Ms. Blevins’ Op-Ed encourages readers to contact their legislators to establish stronger privacy rights at the federal level, but how can that be accomplished when the best way to protect one’s personal identification information, or PII, is to get more information? More laws alone are not the answer; industry-specific adoption of standard practices and policies needs to be addressed within each industry (i.e. healthcare, insurance, banking, etc.).
To read more of Ms. Blevins’ article, please click here: Who is reading your medical files today?