Wednesday, April 30, 2008

Can the Media Move the Ball on HIPAA?

I finally have a serious prediction for 2008: I predict that unauthorized access of medical records will be the new lost laptop story.

Reporting on the compromise of data through laptop loss/theft over the past few years has raised public awareness around data breaches and disk encryption. The upswing in incidents involving hospital employees accessing celebrity medical records will have a similar affect on awareness. I mention this because a former UCLA Medical Center employee was indicted yesterday on charges stemming from similar activity. What made this a criminal case and not just another firing is that the employee sold these records to a "media outlet" (tabloid).

The reason this is significant is that stories like this in the media raise public awareness about HIPAA requirements and medical provider capabilities. Those capabilities being the ability to review who accessed a patient's medical record and when, and that the hospitals have a way of determining whether or not the access was appropriate. The end result will likely be two-fold. First, more patients will be aware of these capabilities, and will start doing things like asking doctors and hospitals for this information. And secondly, the hospitals that aren't currently reviewing the logs from their EMR systems will feel some pressure to start doing so.


Doug said...

Interesting, I hadn't thought about the consumer push for knowing who is accessing their medical records. I wondered if you have an opinion on the idea that some firms are doing more to budget for fines for HIPAA violations then to actually 'do the right thing' and secure the information properly?

PaulM said...

I don't think you're likely to see companies making budget line-items for paying fines. And I don't see companies choosing to fail instead of comply, especially when HIPAA is relatively cheap and easy to comply with. Emphasis on "relatively."

But I do think that smart companies look for ways to insulate themselves from costs associated with problems. And costs from data breaches and compliance fines are part of that landscape. In many cases, errors & omissions insurance can cover these costs when they are the result of human error, which they most often are. And for companies that want more, there are insurers providing insurance specific to data and security breaches.