Data Breach Rules: the 'Octomom' Example

July 20, 2011
Last month, I wrote an item about HHS' new interim final rules on data breach notification. Something I heard during a panel at the World Healthcare Innovation & Technology Congress this week reminded me of why this is still a controversial issue.

To review, HHS has established a harm standard that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to an individual." In the event of a breach, HHS' rule requires HIPAA-covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the health providers are not required to tell their patients that their health information was breached.

That may sound reasonable and fair. We don't want to put too great a reporting burden on covered entities. But in a presentation on privacy and security issues, Deven McGraw, who leads the Health Privacy Project at the Center for Democracy and Technology, mentioned the case of the data breach at Kaiser Permanente Bellflower Hospital in Los Angeles, where earlier this year a California Department of Public Health investigation found that 23 employees at a number of Kaiser facilities with access to EMRs unlawfully breached the privacy of a patient who gave birth to octuplets.

In that case many people lost their jobs and Kaiser was fined $250,000 under stringent new state laws that went into effect Jan. 1. But McGraw's point in mentioning this breach was that the people who accessed the records were Kaiser employees, so the type of internal investigation that HHS envisions may very well determine that there was no financial or reputational harm done in that case. Yet I think most people would agree that if two dozen people who have no need to see your records are gawking at them, you deserve to be informed about it.

You may not have George Clooney or Britney Spears staying at your hospital anytime soon. But if they do show up, do you have controls in place to protect against snooping into their electronic files by curious employees?
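One such control is routine review of the EHR audit trail for a flagged chart. The following is an added example, not part of the original article, that runs a simple snooping check over a constructed audit log: it reports every user who opened a chart marked for heightened monitoring without being on that patient's care team, and counts distinct users, which is the number the Kaiser case turned on. The log format, care-team roster and patient IDs are all assumed for illustration.

```python
# Added example (not from the original article): minimal EHR snooping detector.
# Flags views of a monitored chart by users with no treatment relationship and
# counts how many distinct people did so.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log (format assumed): ts,user,role,patient_id,action
SAMPLE_LOG = """\
ts,user,role,patient_id,action
2011-01-26T08:02:11,rn_jones,nurse,P-0001,view_chart
2011-01-26T08:05:43,dr_lee,physician,P-0001,view_chart
2011-01-26T09:12:07,clerk_ng,billing,P-0001,view_chart
2011-01-26T09:14:55,rn_smith,nurse,P-0001,view_chart
2011-01-26T09:15:20,rn_smith,nurse,P-0001,view_chart
2011-01-26T10:30:01,dr_patel,physician,P-0002,view_chart
2011-01-26T11:45:39,it_admin3,it,P-0001,view_chart
"""

# Constructed care-team roster: users with a documented treatment relationship
CARE_TEAM = {"P-0001": {"rn_jones", "dr_lee"}, "P-0002": {"dr_patel"}}
# Constructed set of charts under heightened monitoring (e.g. a high-profile patient)
SENSITIVE_PATIENTS = {"P-0001"}


def find_snooping(log_text, care_team, sensitive):
    """Return {patient_id: {user: view_count}} for views of a monitored chart
    by users outside that patient's care team."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(StringIO(log_text)):
        pid = row["patient_id"]
        if pid not in sensitive:
            continue  # only monitored charts are reviewed here
        if row["user"] in care_team.get(pid, set()):
            continue  # legitimate treatment relationship
        hits[pid][row["user"]] += 1
    return {p: dict(u) for p, u in hits.items()}


def unauthorized_user_count(hits, patient_id):
    """Distinct users who viewed the chart without a care-team relationship."""
    return len(hits.get(patient_id, {}))


if __name__ == "__main__":
    result = find_snooping(SAMPLE_LOG, CARE_TEAM, SENSITIVE_PATIENTS)
    for pid, users in result.items():
        print(pid, unauthorized_user_count(result, pid), "unauthorized users:", users)
```

In practice the care-team roster would come from scheduling or ADT data rather than a hard-coded dictionary, and the report would feed the risk assessment the rule requires.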
