Weekly roundup: Breaches, privacy efforts in the news
Even as the new HIPAA Omnibus privacy and security rules took effect, with a compliance deadline of Sept. 23, three data breaches were reported by healthcare organizations this week.
A stolen laptop is the source of a data breach affecting 4,022 Oregon Health & Science University (OHSU) patients. The unencrypted laptop, which held the patients' protected health information, was stolen from an OHSU surgeon's rented vacation home in February. According to hospital officials, the patient data resided in the laptop's email program, most of it in the daily surgery schedules that are emailed to surgeons. The exposed information included patient names, genders, dates of birth, medical record numbers, type of surgery, surgery dates and locations, and the patients' surgeons. Because the drive was not encrypted, the theft was a reportable breach; under the HHS breach notification rule, PHI that is encrypted in line with HHS guidance is treated as secured, and the loss of a device holding only such data would not have required notification.
This is OHSU's third reported HIPAA breach involving more than 500 individuals since 2009. The other incidents also involved stolen and unencrypted devices.
A Utah-based medical clinic notified federal health officials of a potential data breach involving approximately 2,600 medical appointment records. The records, all from 2012, had been slated for shredding when they went missing at the Granger Medical Clinic. They included patient names, appointment dates and times, and reasons for the visit, but did not include addresses, birth dates, medical claims information, Social Security numbers or financial information.
Meanwhile, two privacy experts urged covered entities to build an action plan and an implementation timeline so they are ready by the Omnibus compliance date.
“It adds a great deal of complexity to privacy management,” said Michael Ebert, partner at KPMG, during the March 25 KPMG Healthcare & Life Sciences Institute webcast.
Ebert and Jutta Williams, director of corporate compliance in the privacy office at Intermountain Healthcare, advised covered entities to map the flow of protected health information (PHI) through their systems, perform data discovery to locate all PHI, and develop a third-party risk management program, among other measures.
Covered entities should not expect lax enforcement from the Department of Health and Human Services Office for Civil Rights (OCR). Ebert noted that OCR's new director, Leon Rodriguez, previously served in the Department of Justice's Civil Rights Division.
“He has a strong enforcement record,” Ebert said, citing an uptick in complaints over the past 10 years. He said since 2003, there have been 27,500 breaches under investigation and 18,600 corrective actions taken. Also, civil monetary penalties and resolution agreements have amounted to $14.9 million since 2008.
Ebert also shared a preliminary analysis of HIPAA audits that showed much work needs to be done to get covered entities up to speed on privacy and security. For example, he said 39 percent of entities audited said they were unaware of HIPAA privacy requirements and 27 percent said they were unaware of security requirements.
Are you working to improve and secure the privacy of your organization's patient data? Please share your experience.
Beth Walsh
Clinical Innovation + Technology editor