Jay Cline: Are medical-data breaches overreported?
Healthcare organizations should make better use of the 'significant risk of harm' exemption in the federal law
Computerworld - The Eli Lilly employee whose programming glitch exposed the e-mail addresses of almost 700 Prozac users to each other didn't know he was making history. Since that day in June 2001, hundreds more US healthcare organizations have reported medical-data breaches. As a result of those reports, federal and state health agencies have dealt out millions of dollars in fines, and the U.S. Department of Health and Human Services has launched a round of 150 audits. Meanwhile, a cottage industry of breach-notification service providers has arisen, and healthcare organizations can't find enough privacy talent to batten down the hatches.
But is this obsessiveness over health-data privacy warranted? Do medical-data breaches harm people, and does notifying them of the incidents help them?
The answer to these questions might seem like a resounding yes. The thought of our medical records ending up on websites or in criminals' hands makes us nervous. We want to know about these incidents if they happen, even though few of us take any action as a result of being notified.
This large and growing allocation of healthcare resources in an era of cost containment, however, deserves a closer look.
The phenomenon of data-breach notification started in California the same year as the Eli Lilly incident. State legislators Steve Peace and Jim Simitian drafted what became SB 1386, the first data-breach notification act in the world. Passed in 2002, this law remained an outlier until the infamous ChoicePoint breach of 2005. Nearly every U.S. state passed a breach-notification law in its aftermath, and many other countries are following suit. Most of these laws notably did not include personal medical records in their scope of concern.
That all changed in 2009. In April of that year, Congress passed the HITECH Act as part of the economic-stimulus package. Included in that act were instructions for the U.S. Department of Health and Human Services (HHS) to issue a series of new rules about improving the protection of personal health information. In August 2009, HHS released its first installment -- an "interim final rule" on notification of health-data breaches. By the end of 2011, HHS is expected to divulge its "final final rule" on medical-data breach notification.
The landmark feature of the interim final rule is a mandate to immediately notify HHS of any data breaches affecting 500 or more people. The rule also requires an annual notification to the department of incidents affecting fewer people. The department posts the notices for the large breaches on its infamous "wall of shame."
A close look through the wall of shame tells a curious story. More than a handful of incidents don't appear to involve malicious intent or easy-to-use media. A number of entries cite "other," "loss" or "improper disposal" for the type of breach, instead of "theft" or "unauthorized access." A large share also cites "paper" as the medium, instead of easier-to-manipulate electronic media. On the wide spectrum of data breaches, these often fall on the low-impact side.
More by Jay Cline
- Jay Cline: U.S. takes the gold in doling out privacy fines
- Jay Cline: Is privacy dead?
- Jay Cline: A growing cultural divide on privacy
- Jay Cline: What will Snowden leak next?
- Global winners and losers post-Snowden
- 7 reasons the FTC could audit your privacy program
- Google and the privacy Richter scale
- Jay Cline: Are medical-data breaches overreported?
- iPhone location-tracking incident boosts stock of 'privacy by design'
- Survey: The best privacy advisers of 2010
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Privacy White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!