Recent incidents involving UCLA Health System and Wellpoint, Inc. are once again demonstrating just how much bad press a security breach can bring to a health care organization. But for an example of a situation that you REALLY don't want to be in, I'm going to go back a few more weeks to the March 21 State Department announcement that the passport files of Barack Obama, Hillary Clinton and John McCain were improperly accessed by three contractor personnel.
"Passportgate" did not involve theft or misappropriation of personal information -- it involved inappropriate access by personnel who were apparently unable to resist the temptation to take a peek at the records of the presidential candidates. The incident also did not implicate HIPAA -- the primary privacy law applicable to these records appears to be the federal Privacy Act of 1974, which generally governs the privacy of individual information maintained by federal agencies. But the vital lesson that health care organizations can learn from Passportgate is that you must have systems in place to ensure that incidents involving inappropriate use or disclosure of personal information come to the prompt attention of responsible parties. The State Department had audit processes in place to flag access to the records of these sorts of high-profile individuals. They had evidence that the passport records had been improperly accessed in January, February and March of this year. However, the appropriate State Department officials did not learn of the incidents until months after the audit-trail flags had been tripped.
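The gap described above, an audit flag that trips but reaches nobody for months, is something a review process should measure rather than merely record. The following is an added example, not code from this post or from any agency: it replays a constructed audit trail against a watchlist of flagged records, looks up when (if ever) each flagged access was escalated to an official, and marks every access whose escalation delay exceeds an assumed 24-hour policy.

```python
from datetime import datetime, timedelta

WATCHLIST = {"P-1001", "P-1002", "P-1003"}  # record ids flagged for access review (constructed)
ESCALATION_SLA = timedelta(hours=24)        # assumed policy: a tripped flag reaches an official within a day
AS_OF = datetime(2008, 3, 21, 12, 0, 0)     # the moment the report is run (constructed)

# Constructed audit trail: one record-access event per line.
AUDIT_LOG = """\
2008-01-09T14:02:11 user=ctr_a record=P-1001 action=view
2008-01-09T14:05:40 user=ctr_a record=P-7310 action=view
2008-02-21T10:17:03 user=ctr_b record=P-1002 action=view
2008-03-14T16:44:59 user=ctr_c record=P-1003 action=view
2008-03-20T08:30:00 user=ctr_d record=P-1001 action=view
"""

# Constructed escalation log: when a responsible official was actually told about a flagged access.
ESCALATION_LOG = """\
2008-03-20T09:00:00 record=P-1001 user=ctr_a
2008-03-20T09:00:00 record=P-1002 user=ctr_b
2008-03-20T09:00:00 record=P-1001 user=ctr_d
"""


def parse_kv_lines(text):
    """Parse 'timestamp key=value ...' lines into dicts carrying a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def escalation_report(audit_text, escalation_text, watchlist, sla, as_of):
    """For every access to a watchlisted record, report how long it took to reach an
    official; an access nobody has been told about is measured against as_of."""
    told = {(e["record"], e["user"]): e["ts"] for e in parse_kv_lines(escalation_text)}
    report = []
    for ev in parse_kv_lines(audit_text):
        if ev["record"] not in watchlist:
            continue  # routine access to an unflagged record
        escalated = told.get((ev["record"], ev["user"]))
        delay = (escalated or as_of) - ev["ts"]
        report.append({"record": ev["record"], "user": ev["user"], "accessed": ev["ts"],
                       "escalated": escalated, "delay_hours": int(delay.total_seconds() // 3600),
                       "sla_breached": delay > sla})
    return report


def run_report():
    return escalation_report(AUDIT_LOG, ESCALATION_LOG, WATCHLIST, ESCALATION_SLA, AS_OF)
```

Three of the four flagged accesses breach the assumed SLA (one was never escalated at all); only the access reported within half an hour passes.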
In this new era of state security breach notification laws, FTC security enforcement actions and class action lawsuits, organizations must not only detect security breaches but also respond to them promptly. For example, let's assume that the laptop of a hospital employee containing thousands of patient Social Security numbers is stolen. The employee's supervisor is aware of the theft but doesn't think that it's a big deal. Two months later, the hospital's privacy officer finally learns of the laptop theft, just as the hospital is discovering that many of its patients are being victimized by identity thieves.
Under most state security breach notification laws, the hospital would have been required to notify the victims of the security breach in the most expedient manner possible.
The hospital is then faced with the unpleasant prospect of being legally required to report to its patients an incident in which it has clearly failed to comply with the applicable legal standard. The hospital (in the form of the employee's supervisor) had knowledge of the breach, but failed to promptly notify patients in a manner that might have averted the outbreak of identity theft. And that is the situation that no health care organization wants to be in…