- Some healthcare workers don’t follow best practices for secure healthcare data sharing, according to a survey of 1,000 US workers by Igloo Software.
Thirty percent of healthcare workers use non-approved apps in the workplace because they are easier to use, the survey found.
Around half of healthcare workers surveyed are only somewhat confident that information stored on their organization’s intranet is secure.
Fifty-three percent of healthcare professionals are only somewhat confident that a file they are accessing is the most updated version.
Far from preventing healthcare data sharing, HIPAA encourages the secure exchange of healthcare data.
“HIPAA supports the electronic exchange of information, including contagious disease tracking, provider participation in cancer registries, and monitoring the health of children who have experienced lead poisoning,” said then-ONC Chief Privacy Officer Lucia Savage and CDC Director of the Public Health Law Program, Office for State, Tribal, Local and Territorial Support Matthew Penn, when introducing a fact sheet on the topic.
Secure healthcare data sharing requires providers to ensure existing security requirements, such as HIPAA, are in place.
Earlier this year, HIMSS asked the ONC to clarify secure healthcare data sharing rules in its Trusted Exchange Framework and Common Agreement (TEFCA) draft and to explain how HIPAA regulations will apply. Data confidentiality and availability should be ensured in TEFCA, which addresses the secure exchange of electronic health information, HIMSS argued.
DirectTrust urged ONC to clarify privacy policies discussed in TEFCA. HIPAA regulations allow for secure data exchange but only in certain circumstances. Providers decide when it is appropriate for data to be exchanged and ensure that security and privacy controls are in place, explained DirectTrust.
Healthcare workers’ lax practices when it comes to healthcare data sharing remain a major problem when it comes to HIPAA compliance.
Another recent survey, this one conducted by Kickstand Communications for secure file sharing services firm Biscom, found that 87 percent of healthcare workers use non-secure email to send sensitive information, including PHI.
Healthcare workers are 36 percent more likely to share regulated data such as patient information and credit card information using non-secure methods such as email than those working in financial services, according to the Kickstand survey.
Most healthcare companies use secure document delivery tools, and 92 percent of employees report they have been trained on how to use them. Eighty-eight percent of healthcare employees understand how to use tools and understand company rules around security, but 10 percent admit they do not abide by them.
A majority of healthcare workers said they do whatever is easiest when it comes to transferring data, documents, or information. Close to three-quarters of respondents who work in healthcare consider email to be a secure form of data, document, or information delivery, and 64 percent said when it comes to sharing data, email is the easiest tool, according to Kickstand survey.
Healthcare workers’ methods for sharing sensitive information and the type of information that is being shared both internally and externally are concerning.
For example, more than one-third of respondents said they share sensitive data, documents, or other sensitive information internally using a cloud storage service, like Google Drive or Microsoft One Drive, or cloud sync and share service, like Dropbox.
Around 60 percent share customer data, such as names, phone numbers, and addresses, internally, and a similar percentage share regulated data, such as PHI and financial information, internally.
More than one-quarter of respondents share sensitive data, documents, and information externally using personal sync and share services like Dropbox. Less than one-quarter share sensitive data, documents, or other sensitive information using secure file transfer and file transfer protocol.
A majority of healthcare workers admit to sharing customer data externally, and a similar percentage admit to sharing regulated data, such as PHI, externally.