[ Thursday, December 17, 2009 ]
Wentworth-Douglass Hospital in Dover, NH is hip-deep in an apparent data breach problem. As noted here, someone was improperly accessing data in the hospital's pathology records and changing the information. The hospital investigated the breach and notified the doctors whose patients' records were accessed, but did not notify the patients. Now, according to BNA (subscription required), CMS is investigating.

There seem to be two issues at play here that are instructive for HIPAA covered entities. First, it seems that the investigation has ramped up not because the breach was particularly bad (although changing pathology data can sure be disastrous), but because the hospital didn't respond correctly. Second, the catalyst for the investigation seems to be the claim by a couple of pathologists that they were retaliated against by the hospital for reporting the breach and demanding action.

This proves two points. First, accidents (and hackers) happen, and nobody expects perfection. Your efforts to prevent a breach up front must be good, but the fact that one occurred isn't proof that they weren't. HIPAA compliance doesn't end when you adopt reasonable precautions through good policies and procedures, though: you must react to those breaches that do occur, and your reaction must be reasonable too. Second, always remember that it's those within the castle walls who can cause you the most trouble. External hackers do exist, but in most cases there's an "inside man" who either initiates the problem (see the Gibson case) or perhaps unwittingly leverages it (see the UCSF story from yesterday). Always cover your flank -- if there's a constituency or individual pushing for a particular response to a HIPAA problem, make sure their issues are addressed. That doesn't mean you have to do what they say, but be aware that if you don't (or if they feel their concerns were neglected or improperly dealt with), they might be your ultimate problem.
Jeff [9:16 AM]