Last month, I wrote an item about HHS' new interim final rules on data breach notification. Something I heard during a panel at the World Healthcare Innovation & Technology Congress this week reminded me of why this is still a controversial issue.
To review, HHS has established a harm standard that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to an individual." In the event of a breach, HHS' rule requires HIPAA-covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the health providers are not required to tell their patients that their health information was breached.
That may sound reasonable and fair. We don't want to put too great a reporting burden on covered entities. But in a presentation on privacy and security issues, Deven McGraw, who leads the Health Privacy Project at the Center for Democracy and Technology, mentioned the case of the data breach at Kaiser Permanente Bellflower Hospital in Los Angeles, where earlier this year a California Department of Public Health investigation found that 23 employees at a number of Kaiser facilities with access to EMRs unlawfully breached the privacy of a patient who gave birth to octuplets.
In that case many people lost their jobs and Kaiser was fined $250,000 under stringent new state laws that went into effect Jan. 1. But McGraw's point in mentioning this breach was that the people who accessed the records were Kaiser employees, so the type of internal investigation that HHS envisions may very well determine that there was no financial or reputational harm done in that case. Yet I think most people would agree that if two dozen people who have no need to see your records are gawking at them, you deserve to be informed about it.
You may not have George Clooney or Britney Spears staying at your hospital anytime soon. But if they do show up, do you have controls in place to protect against snooping into their electronic files by curious employees?