Connecticut Sues Health Net for Data Breach

Posted by: Doug Pollack | January 16th, 2010

This week, the Connecticut Attorney General, Richard Blumenthal, sued Health Net of Connecticut over a data breach and its subsequent handling of the incident. As he notes, this lawsuit is historic: it is the first enforcement action brought by a state attorney general under HIPAA, an authority the states gained when the law was extended and enhanced by the HITECH (Health Information Technology for Economic and Clinical Health) Act.

“Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers. These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers. Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.”

While this is a first, it is likely the beginning of a new era for healthcare organizations, and of the expectation that they will take their privacy obligations to patients seriously. Unfortunate as it is, this situation illustrates that some healthcare organizations need stronger motivation both to protect patient information and to follow good sense and legal requirements by promptly notifying individuals when a breach of their information may put them at risk.

Who Should I Trust with My Health Information?

Posted by: Doug Pollack | January 9th, 2010

One of the panels at the Consumer Electronics Show Digital Health Summit is asking a really interesting question: Who will you trust with your health data? As described in an article in Healthcare IT News on healthcare data privacy and security, there have been numerous data breach incidents over recent years in which sensitive patient information has been inappropriately disclosed.

“In 2009, PrivacyRights.org reports that there were 46 breaches of PHI representing nearly 80M records.  Note that 76M of those records were from the VA that inadvertently sent one of its RAID drives out for repair without cleansing it of those 76M records of veterans.  If you can’t trust the government to keep your PHI safe, who can you trust?”

Now I must admit, I would never have suggested that it is reasonable to assume that the government is good at maintaining the privacy of the personal information it collects on American citizens. But it is reasonable to assume that as more protected health information (PHI) is collected, stored, shared and manipulated in computer systems at healthcare providers and payors, the risk of exposure, and the subsequent number of data breach incidents, will rise.

So it really is an interesting question: do I trust my doctor and hospital with my health data? Do I trust my health insurer with my health data? How about my pharmacy? Like it or not, I don’t have much choice but to provide them with, or allow them to access, my PHI.

But I do have a choice as to whether I should entrust Microsoft or Google with this sensitive information. Both companies have built systems “in the cloud” that allow consumers to centralize their personal health history. Microsoft HealthVault is designed to let us “collect, store, and share health information critical to our family’s well-being” and Google Health allows us to “organize our health information all in one place, gather our medical records from doctors, hospitals, and pharmacies, and share our information securely with a family member, doctors or caregiver.”

Microsoft has made HealthVault quite “open”, enabling organizations such as providers, payors, pharmacies and others to create applications that let individuals import the information those organizations hold on us into our HealthVault account. I set up a HealthVault account to see how this worked. Unfortunately, neither my national pharmacy chain nor my health insurer was on the list of those who make such information “exportable” to HealthVault.

Assuming that my trusted providers, insurer and pharmacy do provide such export capabilities in the future, it still leaves me with a nagging concern: do I really trust Microsoft to hold my entire medical life history? While I’d love to have all of this information in one place, and to be able to make it available to healthcare providers I may want to see in the future, the thought of entrusting it to anyone is daunting, least of all to a company whose software is a constant target for viruses, worms and malware of all kinds.

So for now, I probably won’t start trusting my medical history to either Microsoft or Google. My health data will remain somewhat safe with doctors, an insurer and a pharmacy, and the numerous business associates of theirs that I don’t even know by name, all of whom I hope I can trust. But given the number and scope of data breaches in healthcare over the last year or so, I’m not feeling very confident about my healthcare data privacy at this moment.

Remain Vigilant to Protect Yourself from Identity Theft

Posted by: Doug Pollack | January 8th, 2010

As this comic strip illustrates, we can be our own worst enemy when it comes to exposing ourselves to the risk of identity theft and crime. Increasingly, scammers will open with a significant amount of valid information, such as your name, credit card number and issuing bank, in order to gain your trust and then solicit the one piece they lack, such as the 3-digit card security code (CSC), with which they can more easily perpetrate various types of financial fraud. Knowing your card number does not make a caller legitimate; no issuer needs you to read out the security code on an unsolicited call, so if in doubt, hang up and call the number printed on the back of the card.

[comic strip]


2010: Year of the Healthcare Data Breach

Posted by: Doug Pollack | January 6th, 2010

An article today in iHealthbeat titled “Innovation Inspired by Economics: 2010 Health IT Forecast” discusses trends and expectations for growth in healthcare information technologies despite the financial issues faced by many US healthcare providers currently.

“Necessity being the mother of invention, a constrained economic environment will lead to health IT innovations in two ways. First, lower cost technologies are emerging in health IT, such as open-source software, software as a service, and cloud computing, all of which will be priced lower than traditional health IT offerings. Cloud computing (the use of the Internet to store, manipulate and deliver data already existing on the Web) is seen by some health IT consultants as a useful tool in health, especially for small medical practices.”

The growth in adoption of electronic health record (EHR) systems, combined with the noted trends toward open source software and cloud computing, and with new privacy legislation carrying steep penalties for security breaches, creates a “perfect storm” for healthcare with respect to data breach incidents.

The iHealthbeat article further notes the evolving risks and the new legal requirements that now apply to HIPAA business associates.

“We can expect tougher privacy and security enforcement in health care in 2010 because of new and heftier privacy and security penalties written into the American Recovery and Reinvestment Act. The civil penalty cap will be raised from $25,000 to $1.5 million. This is a major issue for 2010 because nearly 60% of business associates interviewed in a HIMSS Analytics survey in November 2009 were unaware that changes to HIPAA will go into effect in 2010. That’s when consumers are guaranteed ‘prompt access’ to an electronic copy of their health records.”

Everything points toward 2010 being a very interesting year when it comes to patient privacy and data security.


Healthcare Breach Reporting Article Highlighted by HCPLive

Posted by: Rachel James | December 21st, 2009

Thanks to Healthcare Professionals Live for highlighting this article and the important questions it raises.

…I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office for Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR… (continue reading)


Common Identity Theft Myths

Posted by: Rachel James | December 16th, 2009

Through Twitter, we connected with the good people at Broadband for America to bring you this article about three common online identity theft myths.

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lay behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English; who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work…(continue reading)


North Pole Data Breach

Posted by: Doug Pollack | December 16th, 2009

Just in…Santa retains ID Experts to provide breach remediation assistance.

[image: Santa]

Healthcare Breach Reporting

Posted by: Doug Pollack | December 16th, 2009

In a recent post, I was wondering why there have yet to be any healthcare data breaches posted on the Health and Human Services (HHS) Office for Civil Rights (OCR) website. Because a number of substantial incidents have been reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear whether the covered entities were remiss in reporting or whether the hold up was at OCR.

Based on some encouragement, I was given the name of the responsible person at OCR and emailed to ask about this seeming discrepancy. She was kind enough to provide the following reply from Hannah Stahle, JD, Health Information Privacy Specialist:

“In response to your question regarding the posting of breaches on the OCR website, we have been receiving reports from covered entities of breaches affecting 500 or more individuals since the effective date of the regulation.  We are now in the process of working to establish our web page for posting information regarding such breaches.  Because the breach notification regulation imposed a new reporting requirement on covered entities, which has been in effect for less than three months, we are taking extra care to ensure that all breach notifications we receive are accurate before we post any information on our website.”

It is wonderful to know that covered entities are in fact reporting breach incidents as required, and that HHS is working to ensure that their reporting site is accurate given the sensitive nature of the incidents being reported.

I had also asked about whether there were likely to be changes to the “harm threshold” guidance between now and the issuance of the Final Rule. She again commented that:

“With respect to your question concerning the harm threshold, we are in the process of analyzing the comments we received in response to the interim final regulation and will be developing a final breach regulation in the near future.  The harm threshold generated many comments on both sides of the issue, and we will consider all comments as we begin to develop the policy for the final rule.”

I do believe there are two issues at play here. First, it is difficult to expect a covered entity to make a completely impartial determination of the level of harm represented by a data breach incident when it has a lot to lose by acknowledging that the incident created a threat of harm to the affected individuals. Second, it would be desirable for the Rules to be as unambiguous as possible, so that organizations are not left making “judgment calls” about the level of harm an incident has caused.

Card Compromise- What to Do if Your Bank is Closed

Posted by: Rachel James | December 7th, 2009

When the holidays are around the corner, the amount of fraudulent activity tends to increase. As we all know, the most important aspect of stopping fraud is reporting it immediately. Unfortunately, the holidays also mean that many financial institutions and companies are closed in observance. While many banks provide 24/7 support year-round for reporting lost or stolen cards, some financial institutions do not. Even if your bank does provide the support, the only record you may have of that phone number may be on the card itself, so if you lose the card or have it stolen you might be at a loss as to where to call.

Luckily, most debit and credit cards now run on the Visa or MasterCard network. If your card is on one of these networks, you may want to take these numbers down for emergencies. You can tell by the Visa or MasterCard logo on the front of the card. If you are unable to contact your bank and you have had fraud or lost your card, you can use these numbers to get assistance. The representatives there can either put you in touch with the correct call center to block the card right away or, depending on your bank, provide the service directly. In a pinch, these numbers can be essential.

VISA — 1-800-847-2911

1-800-MasterCard (1-800-627-8372)

Keep this information handy, but somewhere other than with your wallet (in case you lose it). I keep a long list of company phone numbers- everything from insurance to credit cards- just in case. These numbers are at the top of my list, and I have used them several times with great success. Be prepared, and all your holiday surprises will be pleasant!

Medical Identity Theft Risks

Posted by: Doug Pollack | November 24th, 2009

It is unfortunate that while we have very clear rights to access and correct our financial records, we don’t have comparably effective rights when it comes to our medical records. This hasn’t been a high-level concern for patients until now, because the majority of fraud thus far has mostly impacted healthcare insurers, but the implications for all of us are getting more and more serious.

This segment describes a situation in which a young woman’s Social Security number on file at the Red Cross became associated with a patient who, years earlier, had visited a clinic in another state and had AIDS. It illustrates the difficulty one has in correcting such errors in our medical identities.
