The requirements under the HIPAA/HITECH statutes and regulations for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light an increasing volume involving highly respected and sophisticated providers and insurers. It has often encouraged such providers and insurers to go well beyond the minimum legally required responses as a matter of redeeming client relations and public image.
Josh Goldstein wrote in the July 30, 2010 issue of The Philadelphia Inquirer (the “Inquirer”) that a laptop computer with unencrypted PHI on 21,000 patients was stolen from an office at Thomas Jefferson University Hospital (“TJUH”) in Philadelphia on June 14, 2010. According to Mr. Goldstein, “[t]he Jefferson records were for every patient admitted to the hospital from March 9 to June 9 and Aug[ust] 1 to November 1, 2008.” Additionally, the security breach was reported to have resulted from the copying of PHI by one employee onto a personal laptop in violation of TJUH policy.
To provide some support for those affected by the PHI breach, the Goldstein article stated that TJUH has offered a free year of identity monitoring, protection and remediation service (“Identity Protection Service”) to the potential victims. This offer of Identity Protection Service by TJUH is similar to proposals made by numerous other providers and insurers that have experienced PHI security breaches in the past. In expressing deep apology for the PHI mishap, TJUH president Thomas J. Lewis was reported to urge those whose PHI may have been compromised to activate the Identity Protection Service as soon as possible.
As this blog has reported earlier, the public disclosures required by HIPAA/HITECH for security breaches respecting PHI often make providers and insurers vulnerable to embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breaches themselves.
Additionally, TJUH and others that experience PHI breaches are required to report to, and are listed on, a permanent database which is readily accessible online and is operated by the federal Department of Health and Human Services.
A final intangible but significant concern is that, as was the case in the Goldstein article, other providers in the same geographic region or areas of practice which suffered security breaches of PHI previously will see their past calamities revived as background and comparison for each new reported event. The effect may be repeated publishing of a single past PHI security breach.
To this end, providers and insurers must heighten their efforts to avoid PHI security breaches in the first place. It is clear, however, that even with the policies, policies and precautions instituted by highly respected institutions such as TJUH, the parade of PHI security breaches will continue to lengthen. If such breaches do occur, prompt, decisive and proactive action such as that undertaken by TJUH is required to maximize damage control and rehabilitate relations with clients and the public.