Tuesday, August 25, 2009

This is what happens if your health data gets breached

If your health data gets breached, do you know what could happen? So many patient records are becoming digitized as more providers and hospitals rely on electronic health records (EHRs) instead of paper medical charts. Recently, the Department of Health and Human Services issued new regulations regarding the notification of patients if their electronic health information gets breached. The FTC (Federal Trade Commission) also issued final rules about how consumers ought to be notified when electronic personal health record (PHR) information gets compromised.

We hear so many stories about hospitals, clinics, and health plans having problems with data security. Highly experienced can probably break into most hospitals and health plans and compromise health data.

Under the HITECH provisions within ARRA, the Department of Health and Human Services has to perform research on privacy, security and breach-notification requirements for PHR vendors. Let's see what happens with Google Health and Microsoft Health Vault. If you keep your personal health information online, do you feel confident that it's safe and secure?

1 comment:

  1. Interesting post. Here is the reference:

    The numbers on page 22 to 24 make no sense. They are showing 107 breaches with a cost of $17 million. I see a number of problems:
    1. These breaches are from a non-profit unofficial database. These are only the publicly reported (scandal-type) breaches.
    2. It does not account for the massive increase in PHI that will be transmitted due to Federal incentives.
    3. It assumes that "HIPAA Covered Entities" encompasses the spectrum of possible breaches. When 60% of medical graduate students report using iPhones and PDAs for medical information on a daily basis, the new set of entities can include T-Mobile and other large companies:
    4. Breaches of SSNs are not necessarily included since that type of breach is not a HIPAA transaction, per se.
    5. I am sure someone must know, but I see no relation to the information on the listed website (http://www.datalossdb.org/) and the figures in Column 3 of Table 1, "Number of affected individuals."

    They go through pages and pages of crunching numbers with the wrong assumptions. The assumed figure of breaches does not seem to have any basis. I see 694 breaches for 2008. They need to make new assumptions figuring a higher volume and methods of HIPAA/PHI transactions. The loss of a large amount of data a University was excluded: "We could have included the university hospital breach in our 2008 analysis, but it is clear that the incident does not represent the average or typical case." This will pale in comparison to when the Social Security Administration gets hacked.