When a hospital's patient data is compromised, the results are often costly and always embarrassing for those charged with protecting that information from prying eyes. Take the case of Seattle-based Providence Health and Services, which in July was slapped with one of the largest HIPAA-related fines ever levied by the U.S. Department of Health & Human Services. The health system was ordered to pay the $100,000 fine and improve patient information security after a breach involving individually identifiable health data in 2005 and 2006.
And then there are the high-profile lapses in data security that occurred in Los Angeles. Earlier this month, the Los Angeles Times reported that more than 120 workers at UCLA Medical Center looked at the medical records and other personal information of California First Lady Maria Shriver, actress Farrah Fawcett, and singer Britney Spears without permission over a nearly two-year period.
According to a report on the debacle released by the California Department of Public Health, 127 hospital workers snuck looks at the celebrities' medical records, leading to several firings, suspensions, and warnings. The report also detailed the case of one employee who looked at the records of about 900 patients "without any legitimate reason" and viewed Social Security numbers, health insurance information, and addresses, from April 2003 to May 2007. Like the Providence case, state regulators blamed the hospital for not taking adequate steps to maintain patient confidentiality.
Frances Dare, a director in Cisco Systems Inc.'s Internet Business Solutions Group healthcare consulting practice, says data security attacks on the healthcare industry increased 85% between January 2007 and January 2008. Not surprisingly, she also says a recent survey sponsored by HIMSS and Cisco found that 86% of hospital chief information officers consider assessing and managing their hospital's data security practices a top concern. "What this means is that even though they are doing a lot to try to protect this information, they are still lying awake at night worrying about what's happening," says Dare.
A bill currently in the Senate seeks to establish some legal guidelines by requiring that patients give their consent each time a healthcare company attempts to access their records. The bill also requires healthcare providers to notify patients of any unauthorized disclosure of their healthcare information. While a bill like this one will help provide hospitals with legal standards to follow, Dare says it is still up to the hospital to ensure it has best practices in place for protecting patient information.
Edward Marx, CIO at Texas Health Resources, the largest hospital system in North Texas, says remaining vigilant is key to keeping a hospital's private data private.