[ Monday, September 19, 2005 ]
Another privacy breach, this time in Colorado. It's pretty small by comparison: they included patient numbers on the mailing labels sent to patients, and those numbers could be used by someone to access information about the patient. But the miscreant would have to get the label from your house or your trash to retrieve the number.
But this case, and Kaiser's reaction to it, point out an interesting dilemma that confronts any covered entity faced with a potential, but unconfirmed, privacy breach. Obviously, there are potential privacy breaches that you never know about: an employee inadvertently leaves his computer on and the cleaning crew looks at the information, or a physician logs in from home and his kids get to the computer before he logs out. But what about a known potential breach, such as when an employee loses his PDA and it later turns up in the lost and found? You don't know whether the PDA was accessed while it was in unknown hands. Or what about lost CDs or other media containing medical information? What if the data was password-protected? What if it was encrypted? Theoretically, even encryption can be broken.
Contrary to popular opinion, covered entities are not required to notify patients of possible or even known breaches, but they are required by HIPAA to mitigate the known effects of improper uses and disclosures. But what if you don't know what the effect is? What if you don't even know whether there is really a "cause" to begin with? Every covered entity has to make that decision on a case-by-case basis. And more importantly, every covered entity must consider its professional obligations as well as its business obligations. You don't want to ring a false alarm, but sometimes it's best to admit your problems up front.
Jeff [10:59 AM]