A Tenuous Grip on Data

In a typical scenario, a doctor dictates or writes notes by hand, and sends her tapes and scribbles to medical transcribers who may work at home, at a transcribing company or for overseas outsourcers with varying levels of computer security. The transcribers send notes back via e-mail or mail them back on paper. In other cases a doctor might enter notes in a patient’s electronic file, using a clinical application from McKesson like the one at Providence. Then she might order medication for the patient at the hospital pharmacy through a homegrown prescription order-entry system. Drugstores keep patient data. An outside laboratory may record images of test results and send them to her through a virtual private network (VPN), where they will be appended to the patient’s file. Medical procedures are recorded by nurses and doctors in that same file, along with diagnostic codes, and sent to the billing department, which at Providence uses applications from Lawson Software. Insurance companies may receive treatment and billing data from the doctor through a VPN and send it along to a billing outsourcer for processing.

“As soon as [data] ends up at other organizations, it’s out of your control,” says Paul Stamp, a security analyst at Forrester Research. “Yet if there’s a problem, it’s the primary doctor or insurer who gets the blame.” Patients don’t know or care who transcribed a doctor’s notes or what outside billing company their insurer used: “They only know that the private data they shared with you is out there.”

Since the April 2003 deadline for complying with the privacy rules of the Health Insurance Portability and Accountability Act (HIPAA), 23,268 complaints about alleged breaches of patient privacy have been lodged with the U.S. Department of Health and Human Services (HHS), which is responsible for enforcing HIPAA.

There have been another 148 complaints about violations of HIPAA security rules, which detail measures for safeguarding data physically and technologically.

Investigators in Health and Human Services field offices call companies to discuss complaints against them and negotiate redress. Last year, for example, a woman complained that her insurance company violated her privacy by sending her and her daughter’s private data to her adult stepson. HHS found that a software programming change at the insurer, which HHS won’t name, had mistakenly caused the stepson to be named as the subscriber for the family’s health coverage. HHS required the insurer to see if the programming glitch had affected other members.

It had; HHS won’t say how many. The insurer then had to fix the woman’s files, correct the systems error, review all transactions affected by the defective programming for a six-month period, correct any other corrupted data about members and conduct periodic follow-up audits to make sure the error did not recur.

HHS can fine organizations that violate HIPAA, but it has fined none so far. The department prefers “voluntary cooperation” after a complaint, says Sue McAndrew, deputy director for health information privacy at the Office for Civil Rights, the HHS group that enforces HIPAA privacy rules.

“We really don’t believe you get the best compliance based on the fear that the federal government will come and get you,” McAndrew says. Seventy-six percent of the privacy and 43% of the security complaints have been closed, meaning they were found not to be HIPAA violations or HHS has gotten some kind of reparation from the offender.

Penalties for HIPAA privacy transgressions, she adds, are limited: $100 per infraction, capped at $25,000 a year. “I’ll never get headlines for a $5 million fine. I’m more like the traffic cop writing speeding tickets,” McAndrew says. “I’m not going to take down organized crime.”

Individuals can’t sue under HIPAA but federal prosecutors can. So far, however, just four cases have been filed. HHS has referred 346 privacy complaints and two security complaints to the Department of Justice to investigate for possible criminal wrongdoing. The Justice Department declines to comment on investigations, though “several additional cases are pending,” says Karen Spangenberg, chief of financial crimes at the FBI’s headquarters in Washington, D.C.

Peter Swire, a law professor at Ohio State University, wants to see violators of HIPAA fined. “Lack of enforcement undermines compliance,” he says, “because privacy officers don’t get budget and management attention unless they can show that the rules have teeth.” A survey in April by the American Health Information Management Association supports him. The group reports a slight drop in compliance with the privacy rules and says 55% of the privacy officers surveyed have trouble finding enough resources to comply.

Technology managers have to rely on employees to comply with HIPAA and internal policies, according to John Glaser, chief information officer at Partners Healthcare, which includes the famed Massachusetts General and Brigham and Women’s hospitals in Boston. Yet regardless of industry, Glaser says, no company can keep corporate data in an iron grip.

When he heard about the Providence problem early this year, he says, “I thought, there but for the grace of God go we.”

Partners hasn’t had a major data breach, he says. Still, regarding the notion that a technology staffer could take tapes or disks out of the building, against policy, Glaser is succinct: “I couldn’t swear to you that’s not going on here.”

CIOs can write policies and try to use technology to protect data, but as Glaser points out, they can’t know everything employees do.