HealthBlawg

David Harlow's Health Care Law Blog


Privacy and security of patient records: The lesson of the weakest link

August 13, 2010



The Queen of Soul famously wailed about being a link in a chain of fools.  Today's lead story in the Boston Globe tells us about another sort of link in the chain — the weakest link in the chain of custody of patient records.  In brief, a pathology billing service bought out by another service apparently dumped all records more than a year old in a town dump; a Globe photographer taking out his own trash noticed that the paper records (which he was looking at because he thought they ought to be recycled rather than dumped) had identifiable patient data and represented at least four hospitals from across Eastern Massachusetts.  Clearly, these records ought to have been shredded or otherwise destroyed before disposal.  Assuming they had some airtight contracts in place, the hospitals involved may well be looking to the seller of the billing service in this case to reimburse them for costs of:

  • identifying the patients involved in this data breach
  • notifying affected patients of the breach
  • providing credit monitoring services to affected patients
  • any damages incurred by patients
  • any fines incurred by the hospitals

Under the HITECH Act's "Son of HIPAA" rules, the hospitals could be on the hook to the federales for up to $1.5 million in fines each as a result of this incident, and the state AG could get in on the action as well, filing suit on behalf of the affected Massachusetts residents and seeking to ensure that proper procedures are in place.  There may be a violation of the state data security law here as well.  Massachusetts has a particularly stringent data security law on the books that took effect within the past year, and not all affected businesses have come into compliance.  The AG may be on the prowl for a few high-profile cases, like this one, in which to levy substantial fines and convince the laggards that compliance would be more than worth their while.

The natural question to ask, given the facts of this case, is: What Would a Meaningful User Do?

With the ink barely dry on the meaningful use final rule, and the usual suspects lined up for and against the proliferation of EHRs, it seems clear that the use of electronic health records would have eliminated the problem of plain text paper records flapping in the wind at the Georgetown town dump.  However, their use would not have eliminated the problem of covered entity and contractor bad judgment, if that is in fact the issue in this case.

Digitizing records does not eliminate covered entities' responsibilities with respect to the operation of their business associates and subcontractors.  As we all know, the latest and greatest laws and regs make covered entities fully responsible for the deeds and misdeeds of their business associates and subcontractors.  (True even if the breach notification final rule is on ice for a while.)  Thus, it becomes imperative for covered entities to have a much better handle on their associates' understanding of applicable law, on their policies and procedures, and on the actual implementation of their policies and procedures.

Auditing business associate and subcontractor compliance with HIPAA and other privacy laws is probably worth the expense.  The costs saved include being called out on page one, above the fold.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Filed Under: EHR, Health care policy, Health Law, HIPAA, HIT, Massachusetts, Privacy



Copyright © 2006–2023
HealthBlawg is a publication of The Harlow Group LLC. See Copyright notice and disclaimer.
Fair use with attribution and a link is encouraged. Click for more on David Harlow.