4 Big Mistakes Doctors Make in Protecting Patient Data

Paul Cerrato, MA

June 29, 2016


The Financial Fallout Can Be Devastating

Unencrypted laptops, phishing scams, weak passwords, and outdated antimalware programs are only a few of the ways that attackers can gain access to patient information. While researching my book, Protecting Patient Information: A Decision-Maker's Guide to Risk, Prevention, and Damage Control (Syngress/Elsevier, 2016), I came across several other mistakes. For example, some physicians find it convenient to work at a nearby café that offers free Wi-Fi. These public Internet access points, convenient as they are, are very insecure. Even careless faxing can bring on a HIPAA fine if sensitive PHI falls into the wrong hands.

Be careful, too, about whom you share PHI with. Most practices work with business associates, including attorneys, IT consultants, and accountants, who may have access to PHI. If any of these businesses experiences a breach, there's a good chance you'll share the blame if you don't take reasonable precautions, which include a properly worded contract and proof from the business that it has performed a risk analysis that looks for weaknesses in its computers.

Although all of these vulnerabilities can result in expensive government fines, fines are only the beginning of your troubles if you experience a PHI breach. You may also be required to have a third-party forensic evaluation performed to determine how the breach happened, which can cost between $200 and $2000 per hour.

And while we're on the subject of money, you'll also have to notify patients and employees that their personal information is now at risk and pay for some type of credit monitoring to minimize their risk for identity theft—another expensive proposition.

Also, factor in the cost of legal services. If the PHI breach affects more than 500 individuals, the HIPAA regulations require you to inform the local media. Once the newspapers publicize the mishap, the odds of a class action lawsuit increase exponentially. Plus, your reputation will probably suffer, which can translate into fewer new patients and many existing patients finding a safer place to seek care.

The consequences of a patient information breach, both in dollars and cents and in damaged reputation, can prove devastating to medical practices large and small. Although plugging security holes in your computer network isn't a foolproof way to prevent a breach, it will certainly reduce the odds of it ever happening.
