This blog has been reporting on the effects on providers, insurers and others of the HIPAA/HITECH statutes and regulations that require public disclosure of breaches of unsecured Protected Health Information ("PHI"). While the greatest attention under HIPAA/HITECH has been on electronic health records ("EHR"), the increasing inventory of billions of hard copy pages of paper health records containing PHI ("Paper HR") is a continuing material hazard for providers and insurers and their respective business associates and subcontractors.
Because a large Paper HR security breach involves a bulk mass of paper, it generally may impact only a fraction of the number of individuals that can be affected by a typical EHR security breach. Nonetheless, the vigilance necessary to prevent a Paper HR security breach must be at a high level. Even where the proper measures appear to be in place, a PHI security breach may occur, giving rise to costs of notifying affected individuals and potential collateral damage.
Liz Kowalczyk identified a case in point in her article on August 13, 2010 in The Boston Globe. She reported that four Massachusetts community hospitals were investigating how thousands of patient health records, some containing Social Security numbers and sensitive medical diagnoses in addition to "patients’ names, addresses, and results of breast, bone, and skin cancer tests, as well as the results of lab work following miscarriages" ended up in a pile at a public dump.
The Kowalczyk article stated that one of the four hospitals believes that records of 8,000 to 12,000 patients may have been affected and another of the hospitals believes that records of 16,000 to 24,000 patients may have been affected. Ms. Kowalczyk explained that a major issue to be sorted out is who is responsible for the improper disposal of Paper HR, thereby imposing on that person, as required by HITECH, the obligation to notify all individuals who may have suffered a compromise of their PHI.
It should be noted that there can be other substantial collateral damage in the aftermath of a PHI security breach for responsible parties, including heavy penalties and potential damages.
If the number of affected patients reported in the Kowalczyk article proves to be correct, this event would rank among the largest reported PHI security breaches involving Paper HR. As required by section 13402(e)(4) of the HITECH Act, the Secretary of the U.S. Department of Health and Human Services has posted a list (the "HHS List") of all reported breaches of unsecured PHI affecting 500 or more individuals ("Large Breaches").
As of August 14, 2010, there were 108 separate postings of Large Breaches on the HHS List for events dating back to September 22, 2009. Of this number, 22 postings were listed that related to Paper HR and impacted an aggregate of approximately 76,000 individuals. Three of the Paper HR postings were identified as breaches involving "improper disposal."
The largest single posting on the HHS List respecting Paper HR was an event on January 26, 2010 that was reported for UnitedHealth Group and affected 16,291 individuals. Therefore, the potential PHI security breaches reported in the Kowalczyk article appear to affect collectively far more individuals than any single Paper HR event that is on the HHS List as of August 14, 2010.
If individual Paper HR security breach events are compared in magnitude to EHR events, however, as of August 14, 2010, there were eleven separate postings on the HHS List reported for PHI breaches that involved EHR and affected individuals ranging between 40,000 and 1,220,000 in number. Therefore, the risks of large security breaches of PHI appear to be most significant for EHR. However, as this blog has observed earlier, the public disclosures required by HIPAA/HITECH for a security breach respecting PHI often bring embarrassment, criticism and diminished reputation that may actually overshadow the significant legal costs and statutory consequences of the breach itself.
To this end, there must be heightened efforts to avoid PHI security breaches for both Paper HR and EHR. In many cases breaches have occurred even if apparently reasonable policies, procedures and precautions have been established. If they do occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with clients and the public.