A recent article in American Medical News notes that the greatest risks to healthcare providers in the area of maintaining patient privacy isn’t offshore hackers or rogue employees, but rather simple accidents.

Over six months in 2009, 12,500 mobile devices were left in taxis. And 4,500 USB “thumb” drives were left in pants pockets that were then set to the cleaners. And the vast majority of these devices did not use data encryption.

What makes this so damaging to the organizations that employ these individuals, is that one-third of healthcare professionals maintain patient data on their mobile devices – smartphones, laptops and removable media such as memory sticks.

Now that the data breach provisions of the HITECH Act our open to enforcement, such incidents may cost the healthcare provider up to $1.5 million. Quite a sum for a simple momentary lapse or accident.

This article, and the related study, highlights the importance for healthcare providers to evaluate the risk factors for non-malicious identity data loss. These types of risks are often overlooked, or at least prioritized at a lower level, by security professionals because of the tendency to focus on technology solutions for data security. Or in lieu of technology, to rely on policies.

While I suspect most healthcare providers have policies to inhibit professionals to storing patient data on their laptops, moving it from one location to another with a thumb drive, or viewing it on a smartphone, as a practical matter, these do not appear to stand in the way of progress. And progress of this sort creates risks that organizations must acknowledge as a first step towards understanding how to manage them.

There appears to be some level of controversy that has been stirred up in a less followed area of the healthcare debate than single payer, that associated with the privacy of health information. The Department of Health and Human Services just released its rules for healthcare organizations to follow the data breach notification provisions of the HITECH Act.

In the rules, they have established a “harm threshold” which is self-assessed by the healthcare organization, and directed that in the case of a data breach incident, that notification of the individuals, the public and their agency ONLY needs to occur if they have determined that their is significant risk of  financial, reputational or other harm to those affected by the data loss.

This past week, the House Committee on Energy and Commerce voiced concern over the addition of this provision. They indicated that it was not the intent of the legislation to provide for notification in the case of a data breach incident only in cases where harm can be proved, but rather for all data breach incidents. Presumably to act as a deterrent to organizations with lax practices, as well as to ensure that individuals can practice due care, even in cases where there may be little chance of real harm.

Network World reported in their article titled “House members seek stronger health care data breach notifications, ‘Harm threshold’ runs counter to Congress’ intent” that:

“In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the ’soonest appropriate opportunity’. The letter, signed by the chairman of the committee, Rep. Henry Waxman (D-Calif.) and others, noted that the new harm threshold provision runs counter to Congress’ intent in passing the breach notification bill. The bill’s statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the ‘breadth of discretion’ it would have given a breached entity, the letter said.”

It is terrific to see Congress trying to do the right thing, when it comes to the privacy of protected health information (PHI). I’m hopeful that HHS will see the wisdom in revising their rules for the benefit of all of us that rely on the American healthcare system.

The Department of Health and Human Services issued its Interim Final Rule on August 19, 2009 outlining the obligations of healthcare organizations regarding data breach incident notification as directed by the HITECH Act passed earlier this year.

This rule clarifies the defintion of data breach as the “unauthorized acquisition, access, use or disclosure of  protected health information (PHI)” where it “compromises the security of the PHI” this occuring if there is a “significant risk of financial, reputational, or other harm to the individual whose PHI has been compromised.

As a result of this interpretation of the HITECH Act, HHS has established a harm threshold for determining whether a data security incident is in fact a “breach”. Because of this, something that needs to be noted by privacy and information security officers in healthcare, is that HHS requires that a “risk assessment” be carried out for every incident in order to determine whether it is a breach or not.

Healthcare organizations must determine the practices for carrying out such risk assessments and carefully document the process and conclusions for every incident. Something to consider is to have risk assessments carried out by third parties in order to remove any perceptual issues as to the independence of the risk assessment results.

Since all breach incidents must be reported to Health and Human Services, and become public information, it will be essential to maintain documentation on incidents that were assessed to be breaches as well as incidents where the assessment concluded that it did not exceed the harm threshold. Unfortunately, their is substantial room for interpretation as to what constitutes risk of financial, reputational, or other harm to individuals whose PHI has been exposed.