A “Risk Assessment” should be done, as each individual case is going to be different and the types of breaches are all different. Granted, with a stolen notebook that doesn’t leave a lot of options as far as assessment goes, but there are many other “gray” cases. In working with physicians and their staff, they all know the word HIPAA but don’t understand the data ramifications side of it, especially if they are still a “paper” office. Most networks are set up with numerous data trails (audit logs), and queries are run against the data all the time for safety. Some large concerns contract with companies that specifically search the web 24/7 for items that may have been exposed, and for that matter, so does the government. Just last year we had this story about MRIs being infected, which involved a bit of blame shifting between many parties and the FDA for not allowing Windows Updates without a 6 month notice (old laws that should no longer apply, as far as the last part of that one goes).
Hospital MRI and Other Medical Devices Infected with Conficker Virus – FDA Required 90 Day Notice before Windows Update Patch Could be Applied
If there is not only a security breach but also areas where the access can be prosecuted by law, you are going to want to have everything documented, as the police will present it to a district attorney, who takes the case based on a review of the information and forensic data before going to court. Of course, not every case is going to be a legal case. Who saw the data? Did they, or do they still, have possession of it? What software contains the data? Were there any “root kits” installed on any of the computers in the network? And there are many more questions just like those.
Each case can be so different, and the police and courts may also frown upon investigating a case where no criminal activity can be found. One assessment is going to take longer than the next, and in some instances with huge network exposure the assessment may take much longer than in the stolen notebook scenario. On the other hand, the rule needs to be handled wisely so that it does not become an escape route either. I am around a few physician offices, and if a report were made on every item they think could be a breach, believe me, we would be overwhelmed. I’m glad, though, that they take notice and ask questions by all means; physician offices do not usually house folks with any IT background, but there are some that do, and they read up and learn. Sometimes, too, what is read on the web about what to observe gets confused in the translation, but again, asking is never a problem. If one is not curious, then intelligence may suffer a bit here.
Of prime importance too is the value of the data that is missing; exposure of practice bookkeeping records in addition to patient files is big too! If further stipulations were added to the final rule on breach notification, that would be OK too, again just as long as it allows for an assessment to be made before everything is made public. An interesting case that gives some additional balance here was the Express Scripts extortion incident: they had suffered a breach earlier, then a letter was sent demanding money, and it was verified that the intruder did have data. Express Scripts was sued in court by another firm that thought they had not done enough to protect their data; however, in all of this it was not proven that any individuals had suffered identity theft, and the judge ruled that damages could not be paid on the “what ifs”. Here’s a link to an analysis of the situation.
Express Scripts is a good-sized company and makes a lot of money as a pharmacy benefit manager, having bought WellPoint’s PBM last year for just under 5 billion, but if every individual as well as every corporation were left open to sue, the money would run dry. I think in this case the judge made a prudent ruling based on the fact that we can’t sue on the “what ifs”.
I do contend, though, that the assessment needs to be documented in case something missed, overlooked or whatever did arise later, as this is not a perfect world we live in today. If you notify patients on the “I thinks,” that will tend to create an atmosphere of paranoia, and data breach notices and occurrences will not be taken as seriously when in fact many should be. Data technology has also changed since they began discussing this matter, like everything else has, so we need laws and rules that adapt to the times and the technology actually being used. BD
HHS' "harm threshold" standard in its interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notification responses, according to providers who work with privacy and security.
At the 18th annual National HIPAA Summit Friday, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community at St. Charles Medical Center in Bend, OR, and Debbie Mikels, corporate manager, confidentiality for Partners Healthcare System in Boston, said the provision published August 24 in the Federal Register gives covered entities the power to prevent unnecessary notifications.
"If you flood your patients with huge concerns, you're going to open up a floodgate of problems in your organization where you really may not have had a risk to start with," Hofman said.
According to the interim final rule, the important questions are:
- In whose hands did the PHI land?
- Can the information disclosed cause "significant risk of financial, reputational, or other harm to the individual"?
- Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer's data was not accessed?
Some Congressmen disagree with the standard.