Archive for November, 2011
TRICARE should soon have some company on the Office for Civil Rights (OCR) large patient-breach website.
On November 16, Sutter Health in Sacramento, CA, reported on its website the theft of an unencrypted desktop computer which contained the records for more than 4.2 million patients. The computer was taken from the health system’s administrative offices the weekend of October 15.
Sutter Health said 3.3 million patients seen from 1995 to January 2011 under its Sutter Physician Services (SPS) umbrella were included in the database. Their information included:
- Date of birth
- Phone number
- E-mail address (if provided)
- Medical record number
- Name of the patient’s health insurance plan
SPS provides billing and managed care services for healthcare providers with which it contracts, including facilities within the Sutter Health network.
Further, approximately 943,000 Sutter Medical Foundation (SMF) patients treated from January 2005 to January 2011 had the following information on the desktop computer:
- Dates of services
- Description of medical diagnoses and/or procedures used for business operations
Because the data of SMF patients was broader in scope, Sutter Medical Foundation has begun the process to notify these patients by mail. Patients should receive letters no later than Dec. 5.
Sutter Health said in its website statement that the computer was password-protected. Following the discovery of the theft, Sutter Health immediately reported it to the Sacramento Police Department and began an internal investigation. The computer contained no actual medical records, but rather medical data for many patients seen during the designated timeframes.
“Sutter Health holds the confidentiality and trust of our patients in the highest regard, and we deeply regret that this incident has occurred,” Sutter Health President and CEO Pat Fry said in a statement. “The Sutter Health Data Security Office was in the process of encrypting computers throughout our system when the theft occurred, and we have accelerated these efforts.”
TRICARE’s breach involved 4.9 million patients treated at military hospitals and clinics during the last 20 years. Their PHI was exposed because of a data breach reported on September 14 that occurred in Texas.
The TRICARE breach is easily the largest breach listed on the Office for Civil Rights website for breaches of unsecured PHI affecting 500 or more individuals. Health Net, Inc. of California, whose January 21 breach affected 1.9 million patients, follows closely behind. As of November 18, the OCR lists 364 entities on its website. Sutter Health’s breach has yet to make the list.
One number — 4 million patients.
One phrase — unencrypted desktop computer.
That’s what’s coming out of Sutter Health.
The 4.9 million patients treated at military hospitals and clinics during the last 20 years whose PHI was exposed because of a data breach can get one year of free credit monitoring, the Department of Defense (DoD) announced in a November 4 release.
TRICARE® Management Activity (TMA) has directed Science Applications International Corp. (SAIC) to provide one year of credit monitoring and restoration services to patients, according to the DoD. The data breach occurred in Texas and was reported to TMA September 14.
TRICARE reported there is no evidence any of the data has actually been accessed by a third party, and analysis shows the chance any data was actually compromised is low, according to the release.
The data involved in the breach may include names, Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests, and prescriptions. The information does not contain financial data, such as credit card or bank account information.
Meanwhile, the TRICARE breach is easily No. 1 on the Office for Civil Rights website for breaches of unsecured PHI affecting 500 or more individuals. Behind TRICARE is Health Net, Inc. of California, whose January 21 breach affected 1.9 million patients. OCR lists 364 entities on its website.
At least one U.S. senator is considering legislation to encourage encryption for healthcare providers using electronic medical records, Reuters reports.
Senator Al Franken, D-Minn., who chairs the Senate Judiciary Committee’s panel on privacy, technology, and the law, said November 9 he is also considering writing legislation that extends privacy protections beyond healthcare providers.
“The bottom line is that people have a right to privacy and to know that their data is safe and secure, and right now that right is not a reality,” Franken said in the Reuters article.
Also at the hearing, Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, delivered written testimony that said that the public “consistently expresses concern about the privacy and confidentiality of digital health records.”
“Failure to build and maintain public trust in the collection and sharing of electronic health information will doom efforts to leverage health information technology to promote innovation in the healthcare sector,” McGraw wrote.
The Office for Civil Rights (OCR) formally released its plans for the HITECH-required HIPAA privacy and security audits on its website Nov. 8.
OCR posted on its website that it expects the initial round of audits to begin this month. It also announced for the first time that, in addition to covered entities, business associates (BAs) will be eligible for the audits, but added that BAs would be included only in the “future.”
OCR will audit “as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and healthcare clearinghouses may all be considered for an audit.”
“We expect,” OCR continued, “covered entities to provide the auditors their full cooperation and support and remind them of their cooperation obligations under the HIPAA Enforcement Rule.”
OCR said it expects a typical audit to last about 30 days, from the notification letter to the initial report. It says it plans to provide entities with 30- to 90-day notice before an onsite visit.
The information released this week includes audit material in OCR’s “pilot phase.” After this first round of audits, OCR may tweak its plan based on reviews. In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, OCR said, auditors will interview key personnel and observe processes and operations to help determine compliance.
“Prior to finalizing the (audit) report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address concerns identified,” OCR wrote. “The final report submitted to OCR will incorporate the steps the entity has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity.”
Entities will have 10 business days to review the auditor’s report.
Will OCR hand out fines for violations? In its website report, OCR said if an audit indicates a “serious compliance issue,” it may begin a compliance review of that entity. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity.
“Audits are primarily a compliance improvement activity,” OCR wrote. “OCR will review the final reports, including the findings and actions taken by the audited entity to address findings. The aggregated results of the audits will enable OCR to better understand compliance efforts with particular aspects of the HIPAA rules.”
OCR also included in its report this week a sample audit notification letter.