Ubiq­ui­tous prob­lem

Records of nearly 8 mil­lion pa­tients ex­posed: HHS

Modern Healthcare - - The Week In Healthcare - Joseph Conn

Mem­bers of Congress are of­fi­cially on no­tice of a wide­spread se­cu­rity prob­lem with med­i­cal record-keep­ing in the U.S. health­care in­dus­try. The Of­fice for Civil Rights at HHS dis­closed last week that more than 30,500 breaches of per­sonal health in­for­ma­tion in­volv­ing fewer than 500 records each were re­ported to the of­fice be­tween Septem­ber 2009 and the end of 2010. Those small breaches af­fected a to­tal of about 62,000 in­di­vid­u­als.

The numbers were in one of two re­ports de­liv­ered to Congress on breaches of med­i­cal records, as well as en­force­ment of the pri­vacy and se­cu­rity rules of the Health In­sur­ance Porta­bil­ity and Ac­count­abil­ity Act of 1996. The re­ports came two days be­fore it was re­ported that the names, di­ag­no­sis codes and other med­i­cal in­for­ma­tion of about 20,000 emer­gency depart­ment pa­tients of Stan­ford Hos­pi­tals & Clin­ics were posted to the Web a year ago by a ven­dor’s sub­con­trac­tor.

The Amer­i­can Re­cov­ery and Rein­vest­ment Act of 2009, which amended HIPAA, re­quires HHS to pro­duce an­nual re­ports about vi­o­la­tions of the pri­vacy rule, be­gin­ning within one year of pas­sage, but these were the first to be is­sued.

The breach re­port said the med­i­cal records of roughly 7.9 mil­lion peo­ple were ex­posed in more than 30,750 to­tal health­care-re­lated se­cu­rity breaches dur­ing the 16-month pe­riod.

The stim­u­lus law re­quires that or­ga­ni­za­tions promptly re­port breaches of 500 or more records, and ba­sic in­for­ma­tion about them is pub­lished on the agency’s web­site, so data on these larger breaches has been read­ily avail­able.

The smaller breaches need only be dis­closed to the Of­fice for Civil Rights once a year.

The breach re­port counted 252 larger breaches, which af­fected about 7.8 mil­lion in­di­vid­u­als. These big breaches in­cluded some whop­pers, each com­pro­mis­ing the pri­vacy of more than 1 mil­lion peo­ple. As of last week, 314 breaches had been posted to the web­site, in­volv­ing nearly 11.7 mil­lion records.

Lisa Gal­lagher, se­nior di­rec­tor of pri­vacy and se­cu­rity for the Chicago-based Health­care In­for­ma­tion and Man­age­ment Sys­tems So­ci­ety, said the breach re­port had lit­tle new in­for­ma­tion, which she has been track­ing and an­a­lyz­ing to in­clude in brief­ings with the in­dus­try. “There is a huge aware­ness is­sue still.”

The Of­fice for Civil Rights needs to do a much bet­ter job of ed­u­cat­ing data users that breaches are a se­ri­ous prob­lem, she said.

Stan­ford spokesman Gary Mig­dol said in an e-mailed state­ment that the Palo Alto, Calif., sys­tem took im­me­di­ate ac­tion when the breach was dis­cov­ered Aug. 22. “A full in­ves­ti­ga­tion was launched and Stan­ford Hos­pi­tal & Clin­ics has been work­ing very ag­gres­sively with the ven­dor to de­ter­mine how this oc­curred, in vi­o­la­tion of strong con­tract com­mit­ments to safe­guard the pri­vacy and se­cu­rity of pa­tient in­for­ma­tion.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.