Yesterday on phiprivacy.net, I posted a link to an article in the Journal of AHIMA that discusses how California officials were surprised at how many breach reports they have received since California’s new medical privacy breach reporting law went into effect on Jan. 1.
Under the broadened reporting requirements whereby healthcare organizations in California are now required to report any unauthorized access to a patient’s unsecured personally identifiable health information (PHI) —intentional or otherwise — 823 incidents were reported between Jan. 1 and May 31. According to a spokesperson for the California Department of Public Health, Center for Health Care Quality (CDPH), most of the breaches have been due to errors as opposed to intentional breaches.
In a statement to PogoWasRight.org, Pam Dixon, Executive Director of the World Privacy Forum noted how the high numbers suggest that there is much to be done to ensure privacy and confidentiality:
“What struck me the most about the report is the total number of breaches since January — over 800. This is a substantially higher number than previous breach reports have hinted at. We have always known that the number of actual breaches exceeded the number of breaches that get reported, but these new statistics suggest that the number of actual breaches is staggeringly high. This new data show why there is heightened need for stronger protections for electronic health records, and especially for electronic health records that are exchanged among a variety of providers and health information exchanges. Ensuring patient privacy and confidentiality has not been adequately addressed yet, or we would not be seeing these high breach numbers.”
If that is the case, as it appears to be, then what should we expect to see nationwide when the HITECH Act is implemented? Under the new law, there is a broader definition of what constitutes a breach and what triggers notification. Although notification is only required in the case of unsecured PHI, given how many incidents we read about on a daily basis involving unsecured records, and in light of preliminary data from California, it seems likely that we are about to have a mind-boggling experience when we see how often unintended disclosure of PHI really occurs.
As Dixon points out, and as the reports from Alberta Health Services in Canada and the NHS in the UK clearly remind us, as more records move online we run greater risks not only of hacks but of viruses infecting databases and either endangering the accuracy of patient records or stealing sensitive health and personal information. The California data serve as a useful wake-up call and call to action even before HITECH Act provisions go into effect.
Photo by J.Reed on Flickr, used under Creative Commons License