Data Breach Rules: the 'Octomom' Example

November 13, 2009

Last month, I wrote an item about HHS' new interim final rules on data breach notification. Something I heard during a panel at the World Healthcare Innovation & Technology Congress this week reminded me of why this is still a controversial issue.

To review, HHS has established a harm standard that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to an individual." In the event of a breach, HHS' rule requires HIPAA-covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the health providers are not required to tell their patients that their health information was breached.

That may sound reasonable and fair. We don't want to put too great a reporting burden on covered entities. But in a presentation on privacy and security issues, Deven McGraw, who leads the Health Privacy Project at the Center for Democracy and Technology, mentioned the data breach at Kaiser Permanente Bellflower Hospital in Los Angeles. Earlier this year a California Department of Public Health investigation found that 23 employees at a number of Kaiser facilities, all with access to EMRs, unlawfully breached the privacy of a patient who gave birth to octuplets.

In that case many people lost their jobs and Kaiser was fined $250,000 under stringent new state laws that went into effect Jan. 1. But McGraw's point in mentioning this breach was that the people who accessed the records were Kaiser employees, so the type of internal investigation that HHS envisions may very well determine that there was no financial or reputational harm done in that case. Yet I think most people would agree that if two dozen people who have no need to see your records are gawking at them, you deserve to be informed about it.

You may not have George Clooney or Britney Spears staying at your hospital anytime soon. But if they do show up, do you have controls in place to protect against snooping into their electronic files by curious employees?
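One such control is a routine pass over the EMR access-audit log that flags any chart opened by several users who have no documented care relationship with the patient, which is the pattern in the Bellflower case. The code below is an added example, not from the article or from any vendor's EMR; the audit lines are constructed sample data, and the `relationship=` field is an assumption about what the log carries (many systems can derive it from admission, order and scheduling data).

```python
from collections import defaultdict

# Constructed EMR audit-log lines (sample data, not from any real system):
# timestamp, user id, patient chart id, and whether the user has a documented
# care relationship with that patient. The relationship flag is an assumption
# about what the audit trail records.
AUDIT_LOG = """\
2009-01-26T08:02:11 user=nurse17 patient=P-0001 relationship=yes
2009-01-26T08:10:45 user=dr_lee patient=P-0001 relationship=yes
2009-01-26T09:31:02 user=clerk03 patient=P-0001 relationship=no
2009-01-26T09:33:19 user=nurse42 patient=P-0001 relationship=no
2009-01-26T11:05:58 user=billing9 patient=P-0001 relationship=no
2009-01-26T12:47:00 user=nurse42 patient=P-0001 relationship=no
2009-01-26T12:48:30 user=dr_kim patient=P-0002 relationship=yes
2009-01-26T13:15:22 user=clerk03 patient=P-0002 relationship=no
""".splitlines()


def parse_event(line):
    """Turn one 'key=value' audit line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = ts
    return event


def flag_no_relationship_access(lines, min_distinct_users=3):
    """Return {patient: sorted distinct users} for charts opened by at least
    `min_distinct_users` different users who have no care relationship.
    Counting distinct users, not raw opens, keeps one curious person from
    looking like a crowd and a crowd from hiding behind single opens."""
    users_by_patient = defaultdict(set)
    for ev in map(parse_event, lines):
        if ev["relationship"] == "no":
            users_by_patient[ev["patient"]].add(ev["user"])
    return {p: sorted(u) for p, u in users_by_patient.items()
            if len(u) >= min_distinct_users}


def accesses_to_review(lines, patient):
    """Every non-relationship open of one chart, in log order, as the evidence
    a privacy officer would pull for the breach risk assessment."""
    return [(ev["ts"], ev["user"]) for ev in map(parse_event, lines)
            if ev["patient"] == patient and ev["relationship"] == "no"]


if __name__ == "__main__":
    for patient, users in flag_no_relationship_access(AUDIT_LOG).items():
        print(f"{patient}: {len(users)} users without a care relationship: {users}")
        for ts, user in accesses_to_review(AUDIT_LOG, patient):
            print(f"  {ts} {user}")
```

Lowering `min_distinct_users` to 1 turns the same pass into an alert on every non-relationship open, which is the stricter policy some hospitals apply to flagged VIP charts.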

Comments

Thanks David,

I am always surprised when employees snoop, not because they snoop but because in almost every case I know of, the employees state that they were aware that they were violating privacy and confidentiality rules, that they were aware that their snooping actions were traceable and that they were aware that snooping could cost them their job. Invariably, when asked why they snooped, they say "I couldn't help myself". Curiosity, it turns out, is a powerful human drive.

On a somewhat more serious note, I am concerned over a harm standard that is being set without a time frame or time limits. It is not too hard to imagine a plausible scenario where there is no immediate, or even foreseeable, "risk of reputational, financial or other harm" at the time of the assessment, but where at some future point in time or in some different or unexpected or unanticipated context, there is real harm.

Must HIPAA-covered entities regularly review all unnotified privacy breaches to ensure that a breach never goes from insignificant to significant risk?

More generally, what if the nature of the risk changes over time, must HIPAA-covered entities communicate this to the victims of a breach?

These are not simple questions and where privacy and confidentiality are concerned, if a situation can occur, no matter how bizarre, it will eventually occur.

Marc,
Thanks for your comments. I hadn't thought of the time element you mention, that a breach could seem benign initially but become harmful later. Tough question. But from the presentations I have seen on this topic by consultants, it sounds like a lot of hospitals haven't yet done the audits, training and encryption work they need to do in order to defend themselves against breaches. And the penalties and publicity are going to start hurting a lot more.