
Disasters on Paper

September 26, 2010
by Mark Hagland
Who says every PHI data breach is going to be electronic?

Within the past two weeks, another new data breach involving identifiable protected health information (PHI) has emerged. This time, the breach occurred at the Martin Luther King Jr. Multi-Service Ambulatory Care Center in Los Angeles. According to media reports and the Privacy Rights Clearinghouse, in this case, a janitor at the care center removed 14 boxes of patient records and sold them to a recycling center. The records had names, genders, dates of birth, addresses, medical record numbers, and financial batch numbers on them, and involved patients who had accessed services at the ambulatory care center between January and October of 2008. Those patients affected received notices of the breach last week.

This was the thirteenth healthcare-specific data breach documented by the Privacy Rights Clearinghouse in the past month. What’s more, a quick glance at that organization’s website shows that some of the most prestigious and respected healthcare organizations in the country are on that breach list, along with state and local governments, universities, manufacturers, life insurance companies, and grocery store chains. And don’t forget some spectacular recent breaches that have affected the Pentagon and other organizations.

It’s no wonder healthcare CIOs are scared out of their wits these days; this kind of thing is now virtually routine. What’s especially interesting in this particular case is that the breach appears to have been unintentional and unconscious; an employee simply wanted to make money off recycling paper documents. The fact that paper was involved is also interesting, because as much as CIOs are (rightly) focused on the tremendous potential for electronic breaches of patient data, in this case, clearly, piles of paper were just sitting around at a patient care facility waiting to be misappropriated.

The fact is, breaches of the security and privacy of patient data are incredibly likely these days. And experts are telling us that it’s likely a matter of when, and not if, the next breach takes place at your organization.

My sense, from talking with the experts in this area, is that rather than believing we can totally prevent any breaches, the more realistic approach is to consider where and under what circumstances the most likely breaches might occur, and to carefully tailor one’s strategic data security plan accordingly. Sadly, statistically speaking, the greatest chances of a data breach are generally internal (though with many possible exceptions). Not surprisingly, then, a well-developed strategy that takes advantage of the latest in access monitoring and audit trails is likely to be one of the more successful strategies. At the same time, as the recent Los Angeles example attests, it’s clear that the chances of paper-based breaches remain high as well, and no data security plan should ignore that sphere.

I’d be very interested to hear from readers on this broad, critical topic. We certainly will continue to cover multiple aspects of this issue going forward. In that regard, please make sure to check out Managing Editor John DeGaspari’s important feature on data security breaches in the October issue of the magazine, beginning on p. 32. John talks with CIOs and industry experts about some of the latest learnings and trends in this critical area.

 


Comments

Paper records can, indeed, present as much of a challenge as can electronic health records - sometimes even more of a challenge. Health care providers need not only a system but, if they are overwhelmed these days (and who could blame them?), they may need an outsource provider whose job it is to perform release-of-information more efficiently and securely than the staff itself can. Such companies act as a Business Associate and pride themselves on having current, accurate training on all laws and methods by which PHI can be kept secure. They can handle paper, electronic, and hybrid records in a confidential manner because that is their only business. Providers need to be aware that, without specialized knowledge, this type of breach will occur.

Mark Hagland

Editor-In-Chief


@hci_markhagland

www.healthcare-informatics.com/blog/mark-hagland

Mark Hagland became Editor-in-Chief of Healthcare Informatics in January 2010. Prior to that, he...