AlertBoot Endpoint Security

Data Security: HIPAA vs HITECH - Mandating Patient Notification

There is a lot of controversy over making data encryption mandatory versus merely strongly encouraging it, where the "encouragement" is that an organization is "punished" with mandatory notifications after a data breach in which encryption was not used.

However, if you take a look at the recent Wentworth-Douglass Hospital debacle, one wonders whether strong encouragement can really get the job done of adequately protecting sensitive information, especially when you keep in mind that state legislation tends to put the organization that experienced the breach in charge of assessing the ramifications of that breach.

Wentworth-Douglass Hospital (WDH) Privacy Breach

Wentworth-Douglass Hospital is being investigated by the New Hampshire Attorney General.  There are allegations that WDH tried to cover up a data breach where an employee changed patient records during a period of one year.  That employee managed to "access records more than 1,800 times between May 2006 and June 2007." [fosters.com]

The hospital is being investigated by the Centers for Medicare and Medicaid Services (Boston regional office) as well, and doctors from Piscataqua Pathology Associates allege their contract with WDH was not renewed after they pushed for an investigation into the data breach, which has prompted its own round of investigations.

HIPAA and HITECH- Mandatory Notifications?

And yet, the hospital didn't alert affected patients about this data breach.  Did WDH not know there was a breach, or that there was a law governing the duties of covered entities in the event of a patient data security failure?

Not at all.  From fosters.com:

Foster's previously reported that at the time of the breach the hospital did not need to report it because the requirements of the federal Health Insurance Portability and Accountability Act [HIPAA], which protects patients' private medical information, only permitted — not expressly required — notification. [my emphasis]

A further explanation was given by the hospital's spokesperson:

[Noreen Biehl, vice president of community relations at WDH] said "it is interesting that the new HIPAA regulations ... indicate it is unnecessary and counterproductive to notify patients of every single disclosure of their protected health information" because it "can cause unnecessary alarm" and "might cause people to stop paying attention to such notifications."

The above is a more than adequate reason for not notifying patients.  Certainly, if the changes have been restored, the employee in question has been stopped, and there's no further harm that can fall on the patients (and they weren't harmed while the records remained uncorrected), why bother scaring patients with a notification letter?

On the other hand, if the allegations of a cover up are true, it's not hard to see how not notifying affected patients could be (or at least, could be viewed as) part of such a cover up.  There is that unexpected twist, though, that it would be legal. (I'm not a lawyer, by the way.  Don't take this as legal advice.)

How so?  Well, the decision on whether a breach is material rests with the medical institution that experienced it.  If WDH feels that it's not material, it's not material, period.  Of course, they do have to document why and how they came to this conclusion.  But if no one knows about the breach (because it was not made public), the documentation is a moot point.  I've read criticism that the rules put the fox in charge of the henhouse for exactly this reason.

Under HITECH (Health Information Technology for Economic and Clinical Health) on the other hand, medical institutions would be required to notify patients under the same circumstances.

Does this mean that medical covered entities are required to use encryption software to protect patient health information?

Nope.  As far as I can tell, though, it gives an even stronger reason for using it: the HITECH notification requirement applies to breaches of "unsecured" protected health information, and PHI that has been encrypted in line with the HHS guidance is not considered unsecured, so a breach of properly encrypted data falls outside the notification duty altogether.


Related Articles and Sites:
http://www.fosters.com/apps/pbcs.dll/article?AID=/20091204/GJNEWS_01/712049890/-1/fosnews
http://www.fosters.com/apps/pbcs.dll/article?AID=/20091201/GJNEWS_01/712019914/-1/FOSNEWS
http://www.fosters.com/apps/pbcs.dll/article?AID=/20091125/GJNEWS_01/911259952
http://information-security-resources.com/2009/08/12/lack-of-encryption-and-the-hitech-act/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.