
Health Data Breaches: Hazy HIPAA Laws, Crazy Outcomes

Posted on December 28, 2011 | Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

You’ve no doubt heard it. The healthcare industry has the dubious distinction of having had three of the top six IT-related security breaches this year. This article in Healthcare Finance News quotes figures published by the Ponemon Institute, a research organization. According to the article, there has been a 32 percent increase in the frequency of data breaches, in other words, the frequency has increased by almost a third. And it has cost the industry $6.5 billion.

But a similar story in the NY Times shows us how woefully inadequate our existing data protection laws are (this story also quotes the numbers from the same Ponemon Institute study). An employee of the Massachusetts eHealth Collaborative lost a laptop containing 13,687 records. Each of those records contained some combination of a patient’s name, SSN, birthdate and other identifying information. Now, by law, healthcare organizations are required to report breaches involving 500 or more patients to the Department of Health and Human Services.

However, says the NYT, Micky Tripathi, the non-profit’s president and CEO, soon figured out “just how many ways there were to count to 500. The law requires disclosure only in cases that ‘pose a significant risk of financial, reputational or other harm to the individual affected.’ His team spent hours poring over a backup of the stolen laptop files. Of the nearly 14,000 patient records on the stolen laptop, most records did not warrant disclosure. In 2,777 cases, for instance, a record listed only a patient’s name.”

The NYT story also points out another strange loophole that came to the aid of the non-profit: the entities responsible for protecting patient health data are the providers, not contractors such as Mass. eHealth.

“In the eyes of the law, Mr. Tripathi’s nonprofit is a contractor that acts on behalf of health providers. The legal burden of protecting patient data actually falls on his clients: the physicians and hospitals who entrusted his nonprofit with their files. ‘The laws create a perverse outcome,’ he says. ‘It was our fault, but from a federal perspective, it wasn’t our breach.’”

So of the 14,000 or so patients affected, Micky Tripathi’s non-profit only needed to notify 998 people. Of these, only one client organization had more than 500 affected patients, requiring a mugshot report on the HHS wall of shame and an offer of free credit monitoring from Mass eHealth.
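To make the counting concrete, here is an added example (not from the article, the NYT, or Mass. eHealth) that applies the triage the story describes to a constructed set of records: drop records that carry only a name, then tally the remaining records per client provider against the 500-patient reporting threshold. The field names, the sample data and the rule that any identifier beyond the name alone makes a record notifiable are assumptions for illustration, not a statement of what the law requires.

```python
from collections import Counter

# Assumed rule for illustration only: a record is notifiable when the name
# is paired with at least one further identifier. The article states that
# records listing only a patient's name did not warrant disclosure.
SENSITIVE_FIELDS = ("ssn", "birthdate", "address", "phone")
HHS_THRESHOLD = 500  # breaches of 500 or more patients are reported to HHS

def make_sample_records():
    """Constructed sample data (not real): one record per patient, tagged
    with the client provider that entrusted the file to the contractor."""
    records = []
    for i in range(620):  # Clinic A: name + SSN
        records.append({"provider": "Clinic A", "name": f"Patient A{i}",
                        "ssn": f"000-00-{i:04d}"})
    for i in range(300):  # Clinic B: name + birthdate
        records.append({"provider": "Clinic B", "name": f"Patient B{i}",
                        "birthdate": "1970-01-01"})
    for i in range(150):  # Clinic C: name only
        records.append({"provider": "Clinic C", "name": f"Patient C{i}"})
    return records

def needs_notification(record):
    """True when the record carries an identifier beyond the name alone."""
    return any(record.get(field) for field in SENSITIVE_FIELDS)

def triage(records):
    """Split records into name-only (excluded) and notifiable, tallying the
    notifiable ones per client provider, where the legal duty sits."""
    per_provider = Counter()
    excluded = 0
    for record in records:
        if needs_notification(record):
            per_provider[record["provider"]] += 1
        else:
            excluded += 1
    return excluded, sum(per_provider.values()), per_provider

def providers_over_threshold(per_provider, threshold=HHS_THRESHOLD):
    """Clients whose affected-patient count meets the HHS reporting threshold."""
    return sorted(p for p, n in per_provider.items() if n >= threshold)

if __name__ == "__main__":
    excluded, notifiable, per_provider = triage(make_sample_records())
    print(f"name only (excluded): {excluded}; notifiable: {notifiable}")
    print("HHS report required for:", providers_over_threshold(per_provider))
```

With this sample, 920 of 1,070 records are notifiable but only Clinic A crosses the 500 line, which is the mechanism by which a single laptop loss can end up as one entry on the HHS list.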

In the end, the cost of credit monitoring services to Mass eHealth was a mere $6,000, though the article says the non-profit ended up spending close to $300,000 in the aftermath. I wonder if this includes the cost of the necessary sleuthing involved and so on. If so, most of that was incidental expense; the money spent directly on the breach itself was a fraction of it.

Compare this to the $1 million fine incurred by Mass. General Hospital for the loss of 192 patient records left by a negligent employee on a subway train.

With these numbers in mind, here are my takeaways from these stories:

1. Who is responsible for what breach is not clear enough. I had to re-read the definition for covered entities to make sure that Mass eHealth doesn’t fall under it. If the law takes such a lax attitude to IT contractors – who BTW provide the bulk of the IT infrastructure at many hospitals – where’s the incentive for anyone to do things differently?

2. There’s a crazy penalty structure in place. A hospital losing 192 records resulted in a million dollar fine. A non-profit losing 998 records incurred $6,000 in expenses. So if you’re a hospital, you’re better off with contractor negligence than your employees/equipment being the responsible party.

3. Rules can be creatively interpreted.

4. There’s not enough negative fallout for data breaches for healthcare/HIT organizations to do things differently. Say, if in addition to the notice on the HHS wall of shame and fines, there were other repercussions like, I don’t know, a digital time-out of sorts for both contractors and healthcare organizations, maybe healthcare and IT would begin to care more.

John’s Comment: This is definitely an interesting case. With the new HITECH laws I can’t imagine how this doesn’t fall under the Business Associate agreement which would require that they follow the HIPAA laws just like any provider. The article does say that contractors aren’t responsible, but that seems like bad legal advice given by the contractor’s lawyer. I’m not a lawyer, but I’ll have to email a healthcare lawyer friend of mine to have him comment on this case as well.

It’s also worth noting that all of the breaches mentioned above have been through laptops or other devices left behind. None of the major breaches have been a hacker getting into an EMR or EHR system. Everyone likes to blame the EHR software for privacy issues, but so far they haven’t happened. They will one day, but the bigger privacy issue is still unsecured devices and human breaches (i.e. staff looking at inappropriate records).

Healthcare Data Security, Healthcare Breaches, and EMRs

Posted on October 10, 2011 | Written By Priya Ramachandran

We’ve posted about it earlier on this blog as well, and it’s a point worth reiterating – most data breaches are not the result of hordes of internet hackers out to get your computer system, they’re due to human errors or negligence.

Here are some recent cases of patient data that has emerged from EMRs in unexpected places:
Lost in Break-In: By now, we’ve all probably already shaken our collective heads over the Tricare data breach involving data for 4.9 million military patients. Scientific Applications International Corp. (SAIC), one of the Pentagon’s principal contractors, was the outfit responsible for the data loss: backup tapes were stolen in a break-in of an SAIC employee’s car. The tapes contained information such as SSNs, addresses and phone numbers of patients, as well as personal health data.

There are several perplexing things about this story:
a) the statement on Tricare’s website claiming nothing important was really lost: “The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure,” per this story;
b) SAIC’s success with HHS contracts: SAIC was awarded a lucrative $15 million contract by HHS, despite the breach.

Posted on a Homework Help forum: According to this NYT story and its follow-up, patient records (names, diagnosis codes, account numbers, admission codes) from emergency visits for a six month period at Stanford Hospital, CA, were posted online. Supposedly, a Stanford vendor sent the data to a prospective contractor as part of a testing exercise. The contractor posted it all online, on a website offering tutoring help no less, without realizing it was actual patient data. The story says Stanford had the data removed from the website, and reported the breach to federal and state authorities, as well as the patients. Stanford is arguing that none of its staff has done anything wrong, and that it severed its relationship with the contractor. To me, this is the proverbial buck being passed.

Lost in the Subway: The first NYT story mentions how the paper records of 192 patients were left on a subway by an employee of Massachusetts General Hospital in Boston. The hospital has agreed to pay a $1 million federal fine for HIPAA violations.

So to summarize some lessons learned from these data breaches:
Loss of paper records is worse than the loss of electronic records: This should be obvious to anyone who’s not a schoolgirl with a fancy diary guarded by a lock.

Your data is only as safe as your weakest link: If you’re farming out your data to vendors, then you have to know what policies your vendor has in place. If your vendor subcontracts further, then you have to keep going down the line until you are reasonably assured of data safety. When the hammer falls, it is *you* who will be coughing up the fines.

Prep with Data-handling Policies and Procedures that you and your staff religiously follow: The data was lost in very human ways – data left inside a car, posted by an untrained contractor. This just means you need to have robust, and enforced, policies in place for how patient data is handled by your employees. Maybe in your company this means that your employees can’t take work home, or that they must clear their workspaces of any patient data before they leave. Decide what makes sense in the context of your business, and maybe hire someone to enforce these rules.

Give kickbacks to HHS: If you’re in the business of contracting with the government, seriously figure out how SAIC has managed to stay in HHS’ good books. I wish I were kidding with this one.

850,000 Doctors Possibly Hit By Data Breach from a BlueCross BlueShield’s Stolen Laptop

Posted on October 8, 2009 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Another example of a lost laptop storing sensitive information:

A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. It is not yet known whether any identity theft has resulted from the data breach.

The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors, Jeff Smokler, spokesman for the Chicago-based Blues association, said Oct. 6. That number represents every physician who is part of the BlueCard network, which allows Blues members to access networks in other states, Smokler said.

Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number, Smokler said.

The association updates its file of BlueCard network physicians weekly, Smokler said. An unidentified employee downloaded the unencrypted file onto his personal computer to work on it at home, a practice that is against company policy, he said.

“We are re-evaluating that protocol and how we prevent this from happening again,” Smokler said.

This is why we’ve required and checked that our EMR software doesn’t store any PHI on our computers. It’s all stored on the server.