A 2011 HIPAA patient privacy violation in Canada, where an imaging technician accessed the medical records of her ex-husband’s girlfriend is illustrative of unauthorized disclosure of patient information by authorized people.
Data leakage of ePHI (electronic protected health information) in hospitals is rampant simply because a) there is a lot of it floating around and b) because of human nature.
Humans being are naturally curious, sometimes vindictive and always worried when it comes to the health condition of friends and family. Being human, they will bend rules to get information and in the course of bending rules, breach patient privacy.
The right to patient privacy
The Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients’ right to confidentiality and HIPAA’s Privacy Rule grants federal protections for patients’ personal health information held by covered entities and gives patients rights regarding that information.
What is ePHI?
The Department of Health and Human Services defines ePHI as a combination of personal identifiers and clinical data in order to protect patient privacy.
Electronic Protected health information (ePHI) is any information in an electronic medical record (EMR) that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. This includes names, geographical locations, dates of birth etc, phone numbers, email, social security numbers, medical record numbers, license plate numbers, driver license number, biometrics.
Basically any combination of personal identifiers that can be used to steal a persons identity, when combined with EMR data becomes ePHI.
HIPAA risk and compliance assessments that we’ve been involved with at hospitals in Israel, the US and Australia reveal that most patient privacy breaches are not perpetrated by hackers but by friends and family seeking information or insurance companies seeking to validate claims.
Social engineering methods are often employed with or without a “sweetener” and do not need to rely on exploiting software security vulnerabilities in order to breach patient privacy.
Courtesy of my friend Alan Norquist from Veriphyr
Information and Privacy Commissioner Ann Cavoukian ordered a Hospital in Ottawa to tighten rules on electronic personal health information (ePHI) due to the hospital’s failure to comply with the Personal Health Information Protection Act (PHIPA).
“The actions taken to prevent the unauthorized use and disclosure by employees in this hospital have not been effective.” – Information and Privacy Commissioner Ann Cavoukian
The problem began when one of the hospital’s diagnostic imaging technologists accessed the medical records of her ex-husband’s girlfriend. At the time of the snooping, the girlfriend was at the hospital being treated for a miscarriage.
Commissioner Cavoukian faulted the hospital for:
- Failing to inform the victim of any disciplinary action against the perpetrator.
- Not reporting the breach to the appropriate professional regulatory college.
- Not following up with an investigation to determine if policy changes were required.
“The aggrieved individual has the right to a complete accounting of what has occurred. In many cases, the aggrieved parties will not find closure … unless all the details of the investigation have been disclosed.” – Information and Privacy Commissioner Ann Cavoukian
It was not the hospital but the victim who instigated an investigation. The hospital determined that the diagnostic imaging technologists had accessed the victim’s medical files six times over 10 months.
The information inappropriately accessed included “doctors’ and nurses’ notes and reports, diagnostic imaging, laboratory results, the health number of the complainant, contact details … and scheduled medical appointments.” – Information and Privacy Commissioner Report
(a) Privacy czar orders Ottawa Hospital to tighten rules on personal information – Ottawa Citizen, January, 2011