April showers bring May flowers. But April has also brought with it a downpour of data breaches in direct violation of the Health Insurance Portability and Accountability Act (HIPAA) that could lead to a proliferation of penalties in the months to come. With the widespread implementation of electronic health record (EHR) systems, centralized information could expose a greater number of patient records to improper and malicious access. A recent rash of violations proves that threats are manifold, both from within and without.
First, we reported on the breach of protected health information (PHI) in Utah by the Department of Technology Services (DTS), which was migrating information to a new server whose password authentication systems were improperly configured. Next, we covered the inside job at Memorial Healthcare System in Florida where two employees conspired to steal patient information in order to file false tax returns.
In the past week, two more breaches have come to light. On April 20, Emory Healthcare in Georgia announced that it had lost 10 backup disks containing information on more than 300,000 patient records, two-thirds of which contained Social Security numbers. Though accidental, the loss represents a breach despite Emory’s claims that “no actual or attempted breach” occurred — a breach of trust is a breach nonetheless.
One day earlier, April 19, the South Carolina Department of Health and Human Services (SCDHHS) revealed that a Medicaid employee had illegally transferred an Excel spreadsheet to his personal Yahoo account. Nearly 230,000 Medicaid beneficiaries had their information exposed. Though SCDHHS indicates that no medical information was exposed, it doesn’t deny that SSNs and other data were compromised.
So what should be done? The US Department of Health and Human Services seeks financial and criminal penalties in instances where individuals and organizations have wittingly or unwittingly shared PHI and EHRs. Just yesterday, HHS fined Phoenix Cardiac Surgery $100,000 for making patients’ appointments available on a publicly accessible, web-based calendar from 2005 through 2009. But what if HHS or any of its state-level departments themselves fail their constituents?
Penalties are reactive, not proactive, solutions. They follow criminal activity, whether intentional or not. It would seem that the connection between PHI and SSN should be severed. My genetic code and national identifier share no fundamental link, so why does my EHR contain both?
Last week we mentioned that the Massachusetts Medical Society (MMS) announced the launch of a pilot program of seven hospitals in Massachusetts called Roadmap to Reform. With the program, MMS is advocating “an alternative approach to medical liability intended to improve patient safety, increase transparency, reduce litigation, and cut costs to the health care system.” This approach stands in stark contrast to the current tort system by aggressively pursuing a process of disclosure, apology, and offer (DA&O) that can resolve cases more quickly and positively. The DA&O system is already proving effective outside of Massachusetts.
Even though leaders in the health care industry are looking to improve post-breach reconciliation, isn’t it time for patients themselves to advocate their own kind of change? When I received my license in the litigious and civil-liberty-driven state of Massachusetts, I had the option to choose a unique driver’s license number that wasn’t my SSN. It seemed innocuous at the time, but I’m currently highly satisfied that my SSN is not a lost wallet away from disaster.
Why should we await further breaches and short-lived promises from health care organizations and government departments to monitor our identities at no cost (though there are no free lunches)? It is time for patients to demand a unique federal medical identifier. That is, unless you’re looking forward to receiving a letter informing you that not only your medical information but also your identity is vulnerable.