Health Data Breaches: Hazy HIPAA Laws, Crazy Outcomes

Posted on December 28, 2011 | Written By

Priya Ramachandran is a Maryland-based freelance writer. In a former life, she wrote software code and managed Sarbanes-Oxley-related audits for IT departments. She now enjoys writing about healthcare, science and technology.

You’ve no doubt heard it. The healthcare industry has the dubious distinction of having had three of the top six IT-related security breaches this year. This article in the Healthcare Finance News quotes figures published by the Ponemon Institute, a research organization. According to the article, there’s been a 32 percent increase in the frequency of data breaches; in other words, the frequency has increased by almost a third. And it has cost the industry $6.5 billion.

But a similar story in the NY Times shows us how woefully inadequate our existing data protection laws are (this story also quotes the numbers from the same Ponemon Institute study). An employee of the Massachusetts eHealth Collaborative lost a laptop containing 13,687 records. Each of those records contained some combination of a patient’s name, SSN, birthdate and other identifying information. Now, by law, healthcare organizations are required to report breaches involving 500 or more patients to the Department of Health and Human Services.

However, says NYT, Micky Tripathi, the non-profit’s president and CEO, soon figured out “just how many ways there were to count to 500. The law requires disclosure only in cases that ‘pose a significant risk of financial, reputational or other harm to the individual affected.’ His team spent hours poring over a backup of the stolen laptop files. Of the nearly 14,000 patient records on the stolen laptop, most records did not warrant disclosure. In 2,777 cases, for instance, a record listed only a patient’s name.”

The NYT story also points out another strange loophole that came to the aid of the non-profit – the entities responsible for protecting patient health are the providers, not contractors such as Mass. eHealth.

“In the eyes of the law, Mr. Tripathi’s nonprofit is a contractor that acts on behalf of health providers. The legal burden of protecting patient data actually falls on his clients: the physicians and hospitals who entrusted his nonprofit with their files. ‘The laws create a perverse outcome,’ he says. ‘It was our fault, but from a federal perspective, it wasn’t our breach.’”

So of the 14,000 or so patients affected, Micky Tripathi’s non-profit only needed to notify 998 people. Of these, only one organization had more than 500 patients, requiring a mugshot report on the HHS wall of shame, and an offer of free credit monitoring from Mass eHealth.

In the end, the cost of credit monitoring services to Mass eHealth was a mere $6000, though the article says the non-profit ended up spending close to $300,000 in the aftermath. I wonder if this includes the cost of the necessary sleuthing involved and so on. If this is the case, the numbers are incidental expenses; the money spent directly on the breach itself was a fraction of that.

Compare this to the $1 million fine incurred by Mass. General Hospital for the loss of 192 patient records left by a negligent employee on a subway train.

With these numbers in mind, here are my takeaways from these stories:
Who is responsible for what breach is not clear enough. I had to re-read the definition for covered entities to make sure that Mass eHealth doesn’t fall under it. If the law takes such a lax attitude to IT contractors – who BTW provide the bulk of the IT infrastructure at many hospitals – where’s the incentive for anyone to do things differently?
There’s a crazy penalty structure in place. A hospital losing 192 records resulted in a million dollar fine. A non-profit losing 998 records incurred $6000 in expenses. So if you’re a hospital, you’re better off with contractor negligence than your employees/equipment being the responsible party.
Rules can be creatively interpreted.
There’s not enough negative fallout for data breaches for healthcare/HIT organizations to do things differently. Say, if in addition to the notice on the HHS wall of shame and fines, there were other repercussions like, I don’t know, a digital time-out of sorts for both contractors and healthcare organizations, maybe healthcare and IT would begin to care more.

John’s Comment: This is definitely an interesting case. With the new HITECH laws I can’t imagine how this doesn’t fall under the Business Associate agreement which would require that they follow the HIPAA laws just like any provider. The article does say that contractors aren’t responsible, but that seems like bad legal advice given by the contractor’s lawyer. I’m not a lawyer, but I’ll have to email a healthcare lawyer friend of mine to have him comment on this case as well.

It’s also worth noting that all of the breaches mentioned above have been through laptops or other devices left behind. None of the major breaches have been a hacker getting into an EMR or EHR system. Everyone likes to blame the EHR software for privacy issues, but so far they haven’t happened. They will one day, but the bigger privacy issue is still unsecured devices and human breaches (i.e., staff looking at inappropriate records).