HIPAA & Data Theft: The Ongoing Fight
In 1996, the Health Insurance Portability and Accountability Act, HIPAA, became federal law. The Tennessee Department of Health website has, perhaps, the clearest definition of HIPAA: “The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information, and help the healthcare industry control administrative costs.”
For the purpose of this blog, we will concentrate on the clause stating "protect the confidentiality and security of healthcare information".
Those are not many words, but they have many implications. HIPAA refers to healthcare information as protected health information, or "PHI".
According to HIPAA, PHI includes the following information about a patient, a patient’s household, and the patient’s employers:
- Dates relating to a patient. These can be birthdays, dates of medical treatment, admission and discharge dates, and even dates of death.
- Telephone numbers, addresses (including city, county, or zip code), fax numbers, and other contact information.
- Social Security numbers.
- Medical records numbers.
- Finger and voice prints.
- Any other uniquely identifying number or numbers.
That is a lot of information to protect.
Furthermore, PHI can describe a disease, diagnosis, prognosis, or condition of an individual, and can exist in various media, such as voicemail, email, or fax messages.
Despite the good intentions of HIPAA, the great volume of information that has to be protected invites all types of criminal activity, especially computer crime. At the top of this nefarious list are identity thieves and social engineers, as well as other computer criminals.
Huge profits can be made by the buying and selling of stolen medical information.
In my next blog post, we will examine how HIPAA attempts to protect PHI, as well as which entities must comply with HIPAA.