3 ways HIM professionals protect patient data

Data is critical in healthcare organizations for identifying, diagnosing and treating patients. Without medical records and other personal health information, providers would not know how to effectively care for a patient – and may not even know exactly who it is that they need to treat. And yet, this sensitive information, though essential, creates a number of challenges for healthcare organizations. When handled improperly, this data, instead of providing benefits, can put patients at risk, make medical groups a target for cyber attacks and create financial dangers for care groups.

To help ensure that patient information and other protected data is handled properly, healthcare organizations are now hiring health information management professionals to oversee the data needs of their groups and enable other employees to follow proper procedures.

The following are three specific ways that HIM professionals work to protect patient data:

1. Maintain HIPAA compliance and PHI security

HIM professionals play an important role in managing the flow of health care information. This involves not only overseeing what comes in through electronic health records and other information portals, but how the information is released as well. Much of the latter process is closely regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which provides specific rules for the safeguarding of medical information.

Failure to comply with HIPAA rules and regulations regarding this information not only puts patient privacy at risk – it can carry a hefty price for a healthcare organization. In April 2017 the U.S. Department of Health and Human Services announced that wireless health services provider CardioNet agreed to a $2.5 million settlement regarding potential noncompliance with HIPAA Privacy and Security Rules. The suit was initiated in 2012 when an employee’s laptop was stolen from the person’s car. The device contained electronic protected health information of 1,391 individuals. After investigating, the HHS Office for Civil Rights determined that the company’s risk analysis and risk management processes at the time were insufficient.

HIM professionals play an important role in ensuring that organizations follow HIPAA guidelines to protect patient information and avoid costly penalties. This may involve putting on seminars or other training sessions to equip providers and other staff members with the information they need to handle protected information properly, or analyzing current organizational policies to ensure that they follow necessary guidelines.

HIPAA compliance is not the only regulatory guidance by which HIM professionals must abide. There is a lot of information in healthcare that is not protected under HIPAA, but is still sensitive and must be protected to ensure the privacy and security of patients. The American Health Information Management Association reported that other regulations that have impacted privacy and security in healthcare include the American Recovery and Reinvestment Act of 2009 (ARRA) and Modifications to the HIPAA Privacy, Security, and Enforcement Rules, the Health Information Technology for Economic and Clinical Health Act; Final Rule.

2. Protect from outside threats

Though cyber attacks are a growing threat across all industries, they are particularly prevalent in healthcare. According to Becker’s Hospital Review, these data breaches cost the industry about $5.6 billion each year.

A report by cybersecurity defense firm TrapX found that healthcare breaches increased by 63 percent from 2015 to 2016. The top 10 breaches alone compromised more than 12 million records.

Though these attacks can take a variety of forms, cybersecurity threats that currently are common in healthcare include the following:

  • Malware: In a malware attack, malicious software is created and distributed with the intent to damage a computer or its data.
  • Ransomware: As with malware, ransomware also compromises a computer or data, but the key to regaining the information is withheld until some kind of ransom is paid to the attacker.
  • Phishing attacks: These attacks are attempts to gain sensitive information, such as passwords or credit card information, through some form of electronic communication, such as emails, that appear to be credible.

An additional growing threat unique to healthcare, according to TrapX, is the hijacking of medical devices, such as dialysis machines, CT scanners, infusion pumps and medical ventilators.

“Through our ongoing research, TrapX Labs continues to uncover hijacked medical devices (MEDJACK) that attackers are using as back doors into hospital networks,” Moshe Ben-Simon, co-founder and vice president of services at TrapX Labs said in a press release. “Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data. Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it. The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices.”

HIM professionals work to combat these threats by advocating for proper solutions to protect EHRs and other sources of private information in the workplace. In most healthcare organizations, HIM departments typically collaborate closely with IT staff members to ensure that firewalls and other defensive strategies are in place and being used correctly by providers and other employees.

3. Influence standards and laws

To truly protect patient data, healthcare organizations need to have policies in place to minimize the chance that information will be compromised. Members of the HIM department are often responsible for creating and maintaining these types of standards, which aid providers and other employees in handling data properly to protect patient privacy and security.

HIM professionals can also have an influence that extends far outside a single healthcare organization. Rules and regulations related to HIM are created at state and federal levels to protect patients throughout the U.S. This is becoming increasingly important as groups strive to create interoperable systems to manage patient information.

Membership in organizations such as AHIMA gives HIM professionals opportunities to influence best practices and standards for the entire industry, helping to ensure that quality care and security are provided to the public.

To take the next step in pursuing a career in HIM, consider enrolling in the University of Illinois at Chicago’s online Bachelor of Science in Health Information Management or Post-Baccalaureate Certificate in Health Information Management.

“Because online education and educational technologists that support online distance learning are so accessible and so easily adaptable to change, we are able to deliver world class education and quickly translate our research and industry experience into curriculum, so our curriculum can remain cutting edge, up to date, and most relevant to career opportunities that students plan to pursue,” said Jacob Krive, Clinical Assistant Professor at UIC.

To learn more about whether an online HIM program at UIC is right for your career, visit the admission page today.

HealthIT.gov, “Guide to Privacy and Security of Electronic Health Information”
Health IT Security, “The Role of HIM Professionals in HIPAA Compliance”
Ahima.org, “Health Information Management Professionals Are Uniquely Qualified as Privacy and Security Officials”
Becker’s Health IT, “The Top 5 Cybersecurity Threats Hospitals Need To Watch For”
TrapX Security, “Healthcare Breaches Increased 63 Percent Year-Over-Year; Medical Device Hijacks and Ransomware On The Rise”
HHS.gov, “$2.5 Million Settlement Shows That Not Understanding HIPAA Requirements Creates Risk”