Privacy and security of patient records: The lesson of the weakest link

The Queen of Soul famously wailed about being a link in a chain of fools.  Today's lead story in the Boston Globe tells us about another sort of link in the chain — the weakest link in the chain of custody of patient records.  In brief, a pathology billing service bought out by another service apparently dumped all records more that a year old in a town dump; a Globe photographer taking out his own trash noticed that the paper records (which he was looking at because he thought they ought to be recycled rather than dumped) had identifiable patient data and represented at least four hospitals from across Eastern Massachusetts.  Clearly, these records ought to have been shredded or otherwise destroyed before disposal.  Assuming they had some airtight contracts in place, the hospitals involved may well be looking to the seller of the billing service in this case to reimburse them for costs of:

• identifying the patients involved in this data breach
• notifying affected patients of the breach
  
• providing credit monitoring services to affected patients
• any damages incurred by patients
• any fines incurred by the hospitals

Under the HITECH Act's "Son of HIPAA" rules, the hospitals could be on the hook to the federales for up to $1.5 million in fines each as a result of this incident, and the state AG could get in on the action as well, filing suit on behalf of the affected Massachusetts residents and seeking to ensue that proper procedures are in place.  There may also be a violation of the state data security law here as well.  Massachusetts has a particularly stringent data security law on the books that took effect within the past year, and not all affected businesses have come into compliance.  The AG may be on the prowl for a few high-profile cases, like this one, in which to levy substantial fines and convince the laggards that compliance would be more than worth their while.

The natural question to ask, given the facts of this case, is: What Would a Meaningful User Do?

With the ink barely dry on the meaningful use final rule, and the usual suspects lined up for and against the proliferation of EHRs, it seems clear that the use of electronic health records would have eliminated the problem of plain text paper records flapping in the wind at the Georgetown town dump.  However, their use would not have eliminated the problem of covered entity and contractor bad judgment, if that is in fact the issue in this case.

Digitizing records does not eliminate covered entities' responsibilities with respect to the operation of their business associates and subcontractors.  As we all know, the latest and greatest laws and regs make covered entities fully responsible for the deeds and misdeeds of their business associates and subcontractors.  (True even if the breach notification final rule is on ice for a while.)  Thus, it becomes imperative for covered entities to have a much better handle on their associates' understanding of applicable law, on their policies and procedures, and on the actual implementation of their policies and procedures.

Auditing business associate and subcontractor compliance with HIPAA and other privacy laws is probably worth the expense.  The costs saved include being called out on page one, above the fold.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting