HealthBlawg

David Harlow's Health Care Law Blog

    • Twitter
    • Facebook
    • LinkedIn
    • RSS
    • Email
  • About
  • Archives
  • Podcast
  • Press
  • Awards/Reviews
  • HIPAA
  • HCSM

Privacy and security of patient records: The lesson of the weakest link

August 13, 2010



The Queen of Soul famously wailed about being a link in a chain of fools.  Today's lead story in the Boston Globe tells us about another sort of link in the chain — the weakest link in the chain of custody of patient records.  In brief, a pathology billing service bought out by another service apparently dumped all records more that a year old in a town dump; a Globe photographer taking out his own trash noticed that the paper records (which he was looking at because he thought they ought to be recycled rather than dumped) had identifiable patient data and represented at least four hospitals from across Eastern Massachusetts.  Clearly, these records ought to have been shredded or otherwise destroyed before disposal.  Assuming they had some airtight contracts in place, the hospitals involved may well be looking to the seller of the billing service in this case to reimburse them for costs of:

  • identifying the patients involved in this data breach
  • notifying affected patients of the breach
  • providing credit monitoring services to affected patients
  • any damages incurred by patients
  • any fines incurred by the hospitals

Under the HITECH Act's "Son of HIPAA" rules, the hospitals could be on the hook to the federales for up to $1.5 million in fines each as a result of this incident, and the state AG could get in on the action as well, filing suit on behalf of the affected Massachusetts residents and seeking to ensue that proper procedures are in place.  There may also be a violation of the state data security law here as well.  Massachusetts has a particularly stringent data security law on the books that took effect within the past year, and not all affected businesses have come into compliance.  The AG may be on the prowl for a few high-profile cases, like this one, in which to levy substantial fines and convince the laggards that compliance would be more than worth their while.

The natural question to ask, given the facts of this case, is: What Would a Meaningful User Do?

With the ink barely dry on the meaningful use final rule, and the usual suspects lined up for and against the proliferation of EHRs, it seems clear that the use of electronic health records would have eliminated the problem of plain text paper records flapping in the wind at the Georgetown town dump.  However, their use would not have eliminated the problem of covered entity and contractor bad judgment, if that is in fact the issue in this case.

Digitizing records does not eliminate covered entities' responsibilities with respect to the operation of their business associates and subcontractors.  As we all know, the latest and greatest laws and regs make covered entities fully responsible for the deeds and misdeeds of their business associates and subcontractors.  (True even if the breach notification final rule is on ice for a while.)  Thus, it becomes imperative for covered entities to have a much better handle on their associates' understanding of applicable law, on their policies and procedures, and on the actual implementation of their policies and procedures.

Auditing business associate and subcontractor compliance with HIPAA and other privacy laws is probably worth the expense.  The costs saved include being called out on page one, above the fold.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: EHR, Health care policy, Health Law, HIPAA, HIT, Massachusetts, Privacy

you might also like:

  1. HIPAA Privacy and Security Compliance: Should You Care?

  2. HITECH Act security breach rules now effective; federales give a six-month pass. Now's the time to kick compliance efforts into high gear

  3. ONC announces HITECH amendments to HIPAA privacy, security and enforcement rules

« Pan Mass Challenge 2010 – photos and tweets from the road
OIG: Imaging pre-authorization may be handled by hospital for referring docs and patients »

Trackbacks

  1. Home Security System says:
    February 15, 2012 at 4:14 am

    Protecting Your Home With Video

    If theres one thing that thieves and trespassers fear, its house monitoring cams the ultimate in protection techniques. Sometimes, even if the house is not outfitted with a DVR camera method, just the plain sight of place under monitoring sympto…

  2. Home Security System says:
    February 15, 2012 at 4:15 am

    Protecting Your Home With Video

    If theres one thing that thieves and trespassers fear, its house monitoring cams the ultimate in protection techniques. Sometimes, even if the house is not outfitted with a DVR camera method, just the plain sight of place under monitoring sympto…

Follow me on Twitter

David Harlow 💉😷 Follow 42,881 17,567

Mastodon @healthblawg@c.im #HealthCare #MedDevice #Compliance #Privacy @MyOmnipod #HIPAA #digitalhealth #HarlowOnHC #pinksocks Tweets are tweets No more no less

healthblawg
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
1h 1618728026862149632

ICYMI> Dan Greenleaf, CEO of Modivcare on Digital Tools with a Human Touch — Harlow on Healthcare https://healthblawg.com/2022/01/dan-greenleaf-modivcare.html?utm_source=twitter&utm_medium=social&utm_campaign=ReviveOldPost #digitalhealth #hcldr #hitsm

Image for the Tweet beginning: ICYMI>  Dan Greenleaf, CEO Twitter feed image.
Reply on Twitter 1618728026862149632 Retweet on Twitter 1618728026862149632 0 Like on Twitter 1618728026862149632 0 Twitter 1618728026862149632
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
2h 1618723806939340806

The Harlow #Healthcare #Innovation Daily #digitalhealth #hcldr #HarlowOnHC Thanks to @MailMyStatement @NovaBACKUP #digitalhealth #healthtech

Image for twitter card

The Seemingly Limitless Potential of Blockchain in Healthcare

hitconsultant.net It is important to note that there are barriers to widespread adoption of blockchain in the health...

paper.li

Reply on Twitter 1618723806939340806 Retweet on Twitter 1618723806939340806 0 Like on Twitter 1618723806939340806 0 Twitter 1618723806939340806
healthblawg avatar; David Harlow 💉😷 @healthblawg ·
8h 1618627492033531906

The latest Harlow On Health Care Daily #HarlowOnHC #digitalhealth #healthcare #innovation #privacy #hcldr Thx: @EricTopol @raeannephd @MobiHealthNews #digitalhealth #healthtech

Image for twitter card

It's time for banks to get more intelligent about artificial intelligence

americanbanker.com Artificial intelligence now has the potential to fundamentally change customers' relationships with banks...

paper.li

Reply on Twitter 1618627492033531906 Retweet on Twitter 1618627492033531906 0 Like on Twitter 1618627492033531906 0 Twitter 1618627492033531906
Load More
Follow me on Mastodon

HIPAAtools

Hipaatools

The HIPAA Compliance Toolkit

The Walking Gallery

The Walking Gallery

Quick Links

  • Home
  • Categories
  • Archives
  • Podcast Interviews
  • HIPAAtools
  • HIPAA Compliance
  • Health Care Social Media
  • Speaking
  • In the Press
  • Blogroll

David Harlow

David Harlow

HealthcareNOW Radio

Connect with David

  • Twitter
  • Facebook
  • LinkedIn
  • RSS
  • Email
  • Subscribe
  • Contact
  • Book Me: Speaking
  • About
  • The Harlow Group LLC
Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.
[footer_backtotop text="Back to top" href="#"]