Inside TDV - The Data Vault Blog
Data Breach Accountability
Among the 134 breaches reported this year by the Privacy Rights Clearinghouse as of September 14, 2011, involving more than 5 million medical records in total, the most unusual and protracted may be the recent exposure of patient data from Stanford Hospital in Palo Alto, California. Protected Health Information (PHI) contained in a billing-and-payment analysis for 20,000 emergency room patients ended up on a paid homework assistance website, where it remained publicly accessible for nearly a year. A patient discovered the hospital's spreadsheet attached to a question about how to convert the data into a bar graph.
The New York Times reported on September 8 that the Stanford Hospital data, including patient names, diagnosis codes, account numbers, admission and discharge dates, and billing charges, was accessible on a website called Student of Fortune from September 9, 2010, when an unknown user posted it, until August 23, 2011, when it was removed at the hospital's request. Although the hospital's investigation traced the breach to a billing vendor and found no impermissible action by hospital employees, Stanford Hospital, as the covered entity under HIPAA, still bears primary responsibility for managing the breach.
The hospital made the required notifications to affected patients and to state and federal agencies, including the Department of Health and Human Services (HHS). As is typical for a breach of this kind, Stanford Hospital is also offering free identity protection services to affected patients.
Breaches of protected health information will continue to make headlines as HHS and its enforcement arm, the Office for Civil Rights (OCR), step up audit and enforcement efforts. Earlier this year, HHS awarded contracts worth over $9 million to the agencies hired to conduct HIPAA privacy and security audits. Likewise, according to the HHS press release announcing Leon Rodriguez as the new director of OCR, he will "spearhead the department's continued work to ensure greater consumer confidence through strong and effective enforcement of the privacy and security of protected health information." Rodriguez is an experienced health care litigator and former federal and state prosecutor who also served six years as county attorney for Montgomery County, Maryland.
Although the HITECH Act places greater responsibility on vendors to comply with the privacy and security rules, a covered entity under HIPAA remains accountable for protecting patient information even when that information is stored offsite or handled by a vendor. In any industry, thorough and careful vendor selection is essential to managing confidential records effectively, the vendor's obligations should be spelled out in writing, and an unbroken, well-documented chain of custody for protected data should be maintained so that every copy, transfer and disposal can be accounted for when a breach is investigated.
Written by: AGriffin