Known Unknowns and Data Losses

A New England hospital has reported the disappearance of backup tapes containing ultrasound images and personal data of 14,000 patients. How do you handle a data loss when you have no way of determining where the data went or who may have seen it? Is it still a “breach” in the technical sense?

These questions call to mind former Defense Secretary Donald Rumsfeld’s famous observation about assessing knowledge gaps:

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know.”

A less famous Rumsfeld quote from the same press briefing may also apply: “The absence of evidence is not evidence of absence, or vice versa.”

What is known, according to the press release issued by Women and Infants Hospital of Rhode Island, is that on September 13, 2012, the institution learned that unencrypted backup tapes containing ultrasound images had gone missing from two ambulatory sites in Providence, Rhode Island, and New Bedford, Massachusetts. Along with the ultrasound images, the tapes held patient names, dates of birth, dates of exams, physicians’ names and, in some instances, Social Security numbers.

The hospital has concluded that it has no reason to believe the information has been accessed or used improperly, because doing so would require specialized equipment and technical expertise. The fact pattern and analysis recall the 2011 breaches involving SAIC/Tricare and Nemours discussed on this blog in October 2011 by my partner Elizabeth Litten. As she noted,

When is the mere “ability” to read PHI, without evidence that the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS website that lists large PHI breaches (the “HHS List”) with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?

At this time, Women & Infants has notified affected patients and established a hotline but is not yet offering credit monitoring or identity theft protection. Further, there is no indication of a report having been filed with HHS, but once again “absence of evidence is not evidence of absence.”

Applying the Rumsfeld test, I believe Women & Infants is facing both “known unknowns” and “unknown unknowns.” The hospital knows that it does not, and cannot, know whether the data has been accessed; and if it has been, the hospital cannot know the extent of the potential damage to the affected individuals. The long-overdue “mega-regulation,” which may finally see the light of day now that the election is over, may provide some useful guidance.

In the meantime, enjoy some of former Secretary Rumsfeld's greatest hits.

PHI: The University of Tennessee Medical Center Joins the Parade of Potential Security Breaches

This blog has been following the continuing flow of security breaches of Protected Health Information ("PHI") and how affected providers and insurers have been responding to their discovery. The University of Tennessee Medical Center ("UTMC" or the "hospital") based in Knoxville has apparently joined in the march.

On November 29, 2010, Angela Starke wrote an article entitled "Patients uneasy about possible security breach at UT Medical Center" that was posted on volunteertv.com. In the article, Ms. Starke reported that UTMC had announced that 8,000 patients' medical and identity information may have been compromised. As part of her article, Ms. Starke reproduced in full the letter attributed to the Privacy Officer of UTMC that was sent to affected patients by the hospital (the "Letter"). The following was stated in the UTMC Letter: "Please note we have no reason to believe that any of your personal information has actually been accessed or inappropriately used. However, out of an abundance of caution, we want to make you aware of the incident."

What is interesting about the UTMC event is that the hospital apparently has not seen the incident as sufficiently newsworthy to publish the UTMC Letter on its website, in the news section or elsewhere. In contrast, a recent post on this blog discussed a PHI security breach at Henry Ford Health System in Michigan ("HFHS"). That post raised questions about the thoroughness of the report that HFHS had placed on its website about the incident.

Nonetheless, HFHS did at least disclose the matter on its website. UTMC has chosen not to do so. The article by Ms. Starke would indicate that patients who received notices from UTMC about the PHI incident considered it to be somewhat more of a concern than the hospital did, as evidenced by UTMC’s failure to make a disclosure on its website.

A visit today to the U.S. Department of Health and Human Services ("HHS") website, which lists reported breaches of unsecured PHI affecting 500 or more individuals, reveals that the UTMC matter is now posted. Even that posting, however, is defective. The list gives the "Date of Breach" of the UTMC event, described as "Improper Disposal of Paper Records," as "2009-09-23." Obviously the year should be "2010," not the "2009" listed. It is unclear whether the hospital reported the wrong year to HHS or whether HHS transcribed it incorrectly.

As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for breaches respecting PHI make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.

To this end, providers and insurers must continue to heighten their efforts to avoid PHI security breaches as a primary objective. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public. Such action should include posting of the unfortunate event on the entity’s website.