Data Breach Rules: the 'Octomom' Example

July 20, 2011
Last month, I wrote an item about HHS' new interim final rules on data breach notification. Something I heard during a panel at the World Healthcare Innovation & Technology Congress this week reminded me of why this is still a controversial issue.

To review, HHS has established a harm standard that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational, or other harm to an individual." In the event of a breach, HHS' rule requires HIPAA-covered entities to perform a risk assessment to determine if the harm standard is met. If they decide that the risk of harm to the individual is not significant, the health providers are not required to tell their patients that their health information was breached.

That may sound reasonable and fair. We don't want to put too great a reporting burden on covered entities. But in a presentation on privacy and security issues, Deven McGraw, who leads the Health Privacy Project at the Center for Democracy and Technology, mentioned the data breach at Kaiser Permanente Bellflower Hospital in Los Angeles. Earlier this year, a California Department of Public Health investigation found that 23 employees at a number of Kaiser facilities, all with access to EMRs, unlawfully breached the privacy of a patient who gave birth to octuplets.

In that case many people lost their jobs, and Kaiser was fined $250,000 under stringent new state laws that went into effect Jan. 1. But McGraw's point in mentioning this breach was that the people who accessed the records were Kaiser employees, so the kind of internal risk assessment HHS envisions may very well conclude that no financial or reputational harm was done in that case. Yet I think most people would agree that if two dozen people who have no need to see your records are gawking at them, you deserve to be informed about it.

You may not have George Clooney or Britney Spears staying at your hospital anytime soon. But if they do show up, do you have controls in place to protect against snooping into their electronic files by curious employees?
