Protecting patient privacy and data security.

n engl j med 368;11 nejm.org march 14, 2013 977 about a celebrity patient who had been admitted for pregnancy complications. A nurse, filling in at the reception desk in the early morning hours, answered the phone and, without attempting to verify the callers’ identities, transferred them to the duty nurse caring for the Duchess of Cambridge. The duty nurse then provided them with confidential patient information.1 The Australian DJs broadcast the phone call, considering it a humorous prank, but as the world knows, it had disastrous consequences. How confident are U.S. hospitals, nursing homes, and physicians’ offices that their staff would appropriately deny patient information to an unknown caller? Too often, unauthorized people succeed in extracting protected information from health care providers. Invasion of privacy also affects noncelebrities, when anyone seeks health information the patient has not chosen to share. More often, though, scam artists seek patients’ billing information for financial gain. The patient’s insurance identifier is then used by an uninsured person to obtain medical services or by a fraudulent health care provider to bill for medical services that were never rendered. Data security breaches and medical identity theft are growing concerns, with thousands of cases reported each year. The Centers for Medicare and Medicaid Services (CMS) tracks nearly 300,000 compromised Medicare-beneficiary numbers.2 The Office for Civil Rights has received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective actions.3 Beyond privacy concerns, breaches of health information security exact a weighty financial toll and endanger patients. Abuse of insurance identifiers drains money that would be better spent funding legitimate health care services. When Medicare and Medicaid overpay for services, taxpayers bear those costs. When private insurers overpay, policyProtecting Patient Privacy and Data Security