How should medical records and files of medical travelers be handled to prevent theft or misuse of client information?
How secure and private are your communications with your medical tourism clients?
How long should medical records and files of medical tourists be kept? As a general rule, it is customary to keep tax records and other official documents for 7 years. How long should we keep client files?
Medical tourist records, files, and original documents not secure
Recently, a plastic surgeon I work with contacted me with a problem. He needed to reach several former patients, all clients of ours, to inform them they received the French-made PIP breast implants that have caused a health scare in Europe. He had contacted most on his own by email but not the few on the list he gave me. He asked me to contact them with information about replacing these implants that were found to contain industrial-grade silicone gel and had not been medically approved. Some of these patients had been early clients of ours, dating back to 2004.
We keep client files as long as possible. Most records are electronic but we do have some paper documents with original signatures that are required by the hospitals and doctors we work with. They will not accept facsimile documents that have not been faxed, copied or scanned directly by them.
Destroy files securely and advise client
In some cases, keeping files “forever” is impractical. We now inform clients that we will not be keeping their files, that we will be securely destroying all electronic and paper records after a certain period of time, and that we will no longer be responsible for any further follow-up should the need arise.
However, in doing so, we make sure that the clients take home with them a copy of ALL documentation that has been processed on their behalf. This includes a surgeon’s operative notes as well as the medical record from the hospital.
In the case of the breast implant surgery, each client has the ability to review her medical tourism file, and find for herself exactly what implants were inserted, the manufacturer and the serial number.
Privacy and security in medical tourism
A medical tourism company collects a lot of information about each client. By the time clients complete their medical tourism journeys, it has accumulated most or all of the following data about each client:
- Immediate treatment details
- Medical history including past surgery, medications, allergies, and personal habits (smoking, drinking, etc.)
- Passport number and citizenship
- Home address
- Social security number and/or health insurance number
- Credit card numbers
- Bank account details
- Family member or close friend details
This is powerful information that is, for the most part, stored by medical tourism companies, hospitals and doctors’ offices, and it is not in the least secure.
Medical tourist information is open to theft
Medical records are vulnerable to theft by both professional and administrative staff around the world. Increasingly, electronic records are being hacked by identity thieves focused on breaking into patient data systems.
Just in the last few months:
- An Arizona cardiac surgeon was fined US$100,000 for posting patients’ clinical and surgical appointment information on an Internet calendar that was available to the public.
- Florida hospital employees were arrested for stealing 760,000 patient records and reselling them to chiropractors and lawyers.
A security report cited in American Medical News points out that small medical practices are actually more vulnerable to data losses and theft. Security and technology companies note that small practices are using outdated technology to protect themselves, and that some physicians do not encrypt their data properly or do not encrypt it at all.
Medical travel companies, doctor practices are not secure
Medical travel companies fall into the category of small practices, yet few if any secure their client data to the extent necessary to protect it from theft.
Some theft can be stopped by encrypting data, taking other safeguards to protect patients’ electronic health information, and training employees about privacy and security.
Other security breaches happen when computing devices such as tablets, laptops and smartphones are lost or stolen. Encryption or using cloud-based electronic health records can prevent medical records on missing laptops or tablets from being compromised.
Medical Travel Quality Alliance members are encouraged to review and strengthen their privacy and security policies to better protect their client data.