Skip the navigation

Jay Cline: Are medical-data breaches overreported?

Healthcare organizations should make better use of the 'significant risk of harm' exemption in the federal law

September 20, 2011 09:26 AM ET

Computerworld - The Eli Lilly employee whose programming glitch exposed the e-mail addresses of almost 700 Prozac users to each other didn't know he was making history. Since that day in June 2001, hundreds more US healthcare organizations have reported medical-data breaches. As a result of those reports, federal and state health agencies have dealt out millions of dollars in fines, and the U.S. Department of Health and Human Services has launched a round of 150 audits. Meanwhile, a cottage industry of breach-notification service providers has arisen, and healthcare organizations can't find enough privacy talent to batten down the hatches.

But is this obsessiveness over health-data privacy warranted? Do medical-data breaches harm people, and does notifying them of the incidents help them?

The answer to these questions might seem like a resounding yes. The thought of our medical records ending up on websites or in criminals' hands makes us nervous. We want to know about these incidents if they happen, even though few of us take any action as a result of being notified.

This large and growing allocation of healthcare resources in an era of cost containment, however, deserves a closer look.

The phenomenon of data-breach notification started in California the same year as the Eli Lilly incident. State legislators Steve Peace and Jim Simitian drafted what became SB 1386, the first data-breach notification act in the world. Passed in 2002, this law remained an outlier until the infamous ChoicePoint breach of 2005. Nearly every U.S. state passed a breach-notification law in its aftermath, and many other countries are following suit. Most of these laws notably did not include personal medical records in their scope of concern.

That all changed in 2009. In April of that year, Congress passed the HITECH Act as part of the economic-stimulus package. Included in that act were instructions for the U.S. Department of Health and Human Services (HHS) to issue a series of new rules about improving the protection of personal health information. In August 2009, HHS released its first installment -- an "interim final rule" on notification of health-data breaches. By the end of 2011, HHS is expected to divulge its "final final rule" on medical-data breach notification.

The landmark feature of the interim final rule is a mandate to immediately notify HHS of any data breaches affecting 500 or more people. The rule also requires an annual notification to the department of incidents affecting fewer people. The department posts the notices for the large breaches on its infamous "wall of shame."

A close look through the wall of shame tells a curious story. More than a handful of incidents don't appear to involve malicious intent or easy-to-use media. A number of entries cite "other," "loss" or "improper disposal" for the type of breach, instead of "theft" or "unauthorized access." A large share also cites "paper" as the medium, instead of easier-to-manipulate electronic media. On the wide spectrum of data breaches, these often fall on the low-impact side.

Our Commenting Policies
Consumerization of IT: Be in the know
consumer tech

Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!