Exposure of Protected Healthcare Information, Breach Notification, and Data Quality
You are probably familiar with the fact that over the past few years there have been some new laws passed regarding health care reform. One law in the HITECH legislation requires “HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.” What this effectively means is that if there is a case where some amount of protected health information (PHI) is inadvertently released, the organization that allowed that release is mandated to “provide notification of the breach to affected individuals, the Secretary (of Health and Human Services), and, in certain circumstances, to the media.”
In other words, you lose protected data and you have to report it to the Department of Health and Human Services.
Interestingly, a list of the breaches involving 500 or more individuals is made available at this web site. I downloaded the file, which listed 249 breaches, to examine it a little more carefully. Here are some things I found:
• 135 of 249 breaches involved theft (most frequently of a laptop or a hard drive)
• 54 breaches involved a laptop
• 52 involved “unauthorized access” usually involving paper records or emails
• 36 involved “loss”
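The counts above come from tallying category fields in the downloaded breach list. The following is an added example (not the author's script, and not the real HHS file) of how such a tally can be done with Python's standard library; the column names and the five sample rows are constructed, and it assumes that a row may carry several categories in one cell ("Theft, Loss"), which is why the counts for theft and loss can add up to more than the number of rows.

```python
import csv
import io
from collections import Counter

# Constructed sample rows laid out like a breach-report listing. Column names
# are an assumption for this example, not the layout of the actual HHS file.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Type of Breach,Location of Breached Information,Web Description
Example Clinic A,1200,Theft,Laptop,An employee left an external hard drive in a vehicle that was stolen.
Example Clinic B,800,"Theft, Loss","Laptop, Other",
Example Plan C,5300,Unauthorized Access,Paper,
Example Plan D,620,Loss,"Backup Tapes, CD",The backup tape and CD were not in the package.
Example Practice E,950,Unauthorized Access,Email,
"""


def load_breaches(text):
    """Parse the listing into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def split_multi(value):
    """A cell such as 'Theft, Loss' carries several categories; split them."""
    return [v.strip() for v in value.split(",") if v.strip()]


def count_by_field(rows, field):
    """Number of breaches that involved each category found in `field`."""
    counts = Counter()
    for row in rows:
        for category in split_multi(row[field]):
            counts[category] += 1
    return counts


def rows_with_description(rows):
    """Only some reports carry free text explaining what happened."""
    return [r for r in rows if r["Web Description"].strip()]


def individuals_by_type(rows):
    """Individuals affected, attributed to every breach type listed on the row."""
    totals = Counter()
    for row in rows:
        for category in split_multi(row["Type of Breach"]):
            totals[category] += int(row["Individuals Affected"])
    return totals


if __name__ == "__main__":
    rows = load_breaches(SAMPLE_CSV)
    print("by type:", count_by_field(rows, "Type of Breach"))
    print("by location:", count_by_field(rows, "Location of Breached Information"))
    print("with description:", len(rows_with_description(rows)), "of", len(rows))
    print("individuals by type:", individuals_by_type(rows))
```

Because a single report can list both a type ("Theft, Loss") and several locations ("Laptop, Other"), counting per category rather than per row is what lets one row appear under both theft and laptop, which is the reading the counts above rely on.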
Unfortunately, only 39 of the records contained additional supporting text about the event of the breach. However, those that are there do provide some insight into gaps in existing procedures, such as:
• “An employee left an external portable hard drive containing electronic protected health information in a vehicle that was stolen.”
• “The business associate mailed a package to the covered entity that was supposed to contain a backup data tape and compact disc (CD) containing protected health information, but the tape and the CD were not in the package.”
• “The business associate incorrectly updated the contract holders’ addresses resulting in the mailing of protected health information to incorrect recipients.”
• “The covered entity failed to adhere to its own policy to shred protected health information (PHI), and a third party found patient PHI in a paper recycling container behind the covered entity’s building.”
These are just a few examples, but they do shed a little light on potential root causes for a breach. Having scanned the whole data set, I can surmise that the most frequent cause of a breach is non-adherence to governance policies regarding artifacts that are likely to be stolen, such as laptops and hard disk drives. To what extent are oversight processes in place to monitor what devices are taken in and out of a facility and how the information on those devices is protected? Some of these breaches are just sloppy work (so, what did happen to the backup tape and CD that were supposed to be in the package?).
Also, you gotta watch those emails… Perhaps there is some method to automate a scan of any outbound email for data values that have the characteristics of PHI? There are definitely some data policy, and consequently, some data governance opportunities here.
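One way to approach the outbound-email scan suggested above is a small content check that looks for data values with the characteristics of PHI, as an added example (not a product or anything from the original post). It assumes a hypothetical medical record number (MRN) format, a short list of clinical context words, and three constructed messages; the decision logic treats a lone identifier-looking string without clinical context as "review" rather than "block", since an invoice reference can look like a Social Security number, and it redacts the matched values before anything is written to a log so the scanner itself does not become another place PHI is exposed.

```python
import re
from dataclasses import dataclass

# Value patterns characteristic of PHI. The MRN format is an assumption made
# for this example (a hypothetical organisation-specific identifier).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b\s*[:#-]?\s*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "mrn": re.compile(r"\bMRN\b\s*[:#]?\s*\d{6,10}", re.I),  # assumed format
}

# Words that make an identifier look clinical when they appear in the same message.
CONTEXT_WORDS = re.compile(
    r"\b(?:patient|diagnosis|prescription|treatment|medical record|lab results?)\b", re.I
)


@dataclass
class ScanResult:
    identifiers: dict   # pattern name -> number of matches
    context_hits: int   # number of clinical context words seen
    decision: str       # "allow", "review" or "block"


def scan_outbound(body: str) -> ScanResult:
    """Classify one outbound message body by the PHI-like values it contains."""
    identifiers = {name: len(p.findall(body)) for name, p in IDENTIFIER_PATTERNS.items()}
    identifiers = {name: n for name, n in identifiers.items() if n}
    context_hits = len(CONTEXT_WORDS.findall(body))
    distinct = len(identifiers)
    if distinct == 0:
        decision = "allow"
    elif distinct >= 2 or context_hits > 0:
        # Two different identifier kinds, or one kind plus clinical wording,
        # is strong enough to hold the message.
        decision = "block"
    else:
        # A single identifier-looking value with no clinical context may be a
        # false positive (e.g. an invoice reference), so route it to a human.
        decision = "review"
    return ScanResult(identifiers, context_hits, decision)


def redact(body: str) -> str:
    """Replace matched values so the scanner's own log does not retain PHI."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        body = pattern.sub(f"[REDACTED-{name}]", body)
    return body


# Constructed sample messages (not real correspondence).
MSG_CLINICAL = (
    "Hi, attaching the chart for patient J. Doe (DOB: 04/12/1961, MRN 00482931). "
    "Diagnosis notes are in the PDF."
)
MSG_BENIGN = "Team lunch is at 12:30 in room 4. Bring the Q3 slides."
MSG_AMBIGUOUS = "Vendor payment reference 123-45-6789 was posted yesterday."


if __name__ == "__main__":
    for msg in (MSG_CLINICAL, MSG_BENIGN, MSG_AMBIGUOUS):
        result = scan_outbound(msg)
        print(result.decision, result.identifiers, "->", redact(msg))
```

The patterns are deliberately narrow; in practice the identifier formats and context vocabulary would come from the organization's own data dictionary, and the "review" queue is what keeps a format-only match from silently blocking ordinary business mail.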
And one example was interesting from a data quality control standpoint: incorrectly updating contract holder addresses resulted in mailing information to incorrect recipients. Here is a good example where a flawed process regarding location information allows incorrect data into the system. At some point downstream, a mailing is sent out to the wrong individuals. I wonder what the time lag was between when the update was made and the breach occurred. For all you know, it could have been days, weeks, perhaps even months. On the bright side, it is good that the organization was able to do the analysis and determine the root cause.
In any event, I don’t think this is the only situation in which the breach notification rule will be triggered by a data quality problem. Reducing the risk of having to notify the government, and potentially even the local media outlets about exposing protected information might be enough of an incentive for covered entities to review their data quality assurance processes for protected healthcare information.