HIPAA Harm Threshold Discussion – Assessment Needs to Be Performed Before Reporting

Posted Feb 09 2010 5:28pm

A “Risk Assessment” should be done, as each individual case is going to be different; types of breaches are all different. Granted, with the stolen notebook that doesn’t leave a lot of options as far as assessment, but there are many other “gray” cases. In working with physicians and their staff, they all know the word HIPAA but don’t understand the data ramifications part of it, especially if they are still a “paper” office. Most networks are set up with numerous data trails and queries being run against data all the time for safety. Some large concerns contract with companies that specifically search the web 24/7 for items that may be exposed on the web and, for that matter, so does the government. Just last year we had this story about MRIs being infected, which was a bit of blame shifting between many and the FDA for not allowing Windows Updates without a 6 month notice (old laws that should no longer apply for the last part of that one).

If there is not only a security breach but also areas where access can be prosecuted by law, you are going to want to have everything documented, as police will present to a district attorney and they take the case on the review of the information and forensic data before going to court. Every case of course is not going to be a legal case. Who saw the data? Did they or do they have possession? What software contains the data? Were there any “root kits” installed on any of the computers in the network? And there are many more questions just like those.

Each case can be so different, and the police and courts may also frown upon investigating a case where criminal activity cannot be found. One assessment is going to take longer than the next one too, but in some instances with huge network exposure those may take longer versus the stolen notebook scenario. On the other hand, a rule needs to be handled wisely so as not to be an escape route too. I am around a few physician offices and if there was a report made on every item they think could be a breach, believe me, we would be overwhelmed. I’m glad though that they take notice and ask questions by all means, and physician offices are not usually housing folks with any IT backgrounds, but there are some that do and read up and learn. Sometimes too, what is read on the web as far as what to observe gets confused in the translation, but again, asking is never a problem. If one is not curious, then intelligence may suffer a bit here.

Of prime importance too is the value of the data missing; practice bookkeeping records in addition to patient file exposure is big too! If further stipulations were added to the final rule on breach notification, that would be ok too, again just as long as it allows for an assessment to be made before everything is made public. An interesting case that somewhat gives some additional balance to this fact was the Express Scripts extortion incident, where they had suffered a breach before; however, a letter was sent demanding money and it was verified that the intruder did have data. Express Scripts was sued in court by another firm that thought they had not done enough to protect their data; however, in all of this it was not proven that any individuals had suffered any identity theft, and the judge ruled that damage could not be paid on the “what ifs”. Here’s a link to an analysis of the situation.

Express Scripts is a good size company and makes a lot of money as a pharmacy benefit manager, with buying WellPoint’s PBM last year for just under 5 billion, but if every individual was left open to sue as well as corporations, the money would run dry. I think in this case the judge made a prudent ruling on the fact that we can’t sue on the “what ifs”.

I do contend though that the assessment needs to be documented in case later something missed, overlooked or whatever did arise, as this is not a perfect world we live in today. If you notify patients on the “I thinks” that will tend to create an area of paranoia, and data breach notices and occurrences will not be taken as seriously when in fact many should be. Technology in data has also changed since they began discussing this matter, like everything else has, so we need laws and rules that adapt to the time and applicable technology being used. BD

HHS' "harm threshold" standard in its interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notification responses, according to providers who work with privacy and security.

At the 18th annual National HIPAA Summit Friday, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community at St. Charles Medical Center in Bend, OR, and Debbie Mikels, corporate manager, confidentiality for Partners Healthcare System in Boston, said the provision published August 24 in the Federal Register gives covered entities the power to prevent unnecessary notifications.

"If you flood your patients with huge concerns, you're going to open up a floodgate of problems in your organization where you really may not have had a risk to start with," Hofman said.

According to the interim final rule, the important questions are:

  • In whose hands did the PHI land?
  • Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
  • Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?

Some Congressmen disagree with the standard.
