On Saturday, Jan. 10th, I’ll be moderating a panel at the Consumer Electronics Show’s (CES) Digital Health Summit. The distinguished panel that includes executives from Dossia, Kaiser-Permenante, Microsoft and Walgreens will address the topic: Who Will you Trust with Your Health Data?
In preparation, I have been doing some research on the subject and following are a few data points for consideration:
Since April 2003, HHS’s Enforcement Office has handled over 9,666 cases that required some form of enforcement/corrective action regarding HIPAA privacy and security violations of Personal Health Information (PHI). That works out to over 1,200 cases a year.
In 2009, PrivacyRights.org reports that there were 46 breaches of PHI representing nearly 80M records. Note that 76M of those records were from the VA that inadvertently sent one of its RAID drives out for repair without cleansing it of those 76M records of veterans. If you can’t trust the government to keep your PHI safe, who can you trust?
Subtract the VA outlier and you get about 4M individuals who had their PHI breached in 2009 across 45 documented incidents or about 89,000/breach. That’s a lot of compromised records!
Also in May of 2009 we saw the Virginia Health Data, Dept of Health Professionals get hacked in which 531,000 individuals PHI were compromised and held ransom by the hackers for a cool $10M.
And let us not forget CVS who was fined $2.25M for sloppy disposal of prescription records. No one has any idea as to how many individuals may have been compromised in this blunder by a major pharmacy chain.
The scary thing about the above is that these numbers represent documented/reported cases of data breaches and it would be easy to argue that the actual number of breaches that occur in a given year is quite a bit higher (let’s remove the 76M records in the VA breach as that really is out there).
This all raises the question:
If organizations like the VA, the Virginia Health Data, Dept. of Health Professionals and some of the most prestigious hospitals in the country can’t keep PHI safe, who can?
Which logically leads to the next question…
Is there any true, fool-proof way to insure absolute privacy and security of PHI that is held by a covered entity, business associate or even an organization like Microsoft or Dossia acting on behalf of the consumer?
Yes, there are strong passwords, yes, data can be encrypted on a server but for just about every barrier thrown up, hackers have found a way to break in. Also, beyond just hackers, what is surprising is that a number of the PHI breaches in 2009 were done by employees who were then selling such data to others, such as ambulance chasing lawyers and tabloid magazines.
Which leads me to conclude…
Maybe the belief in absolute privacy and security of PHI is a fallacy.
As we move to digitize PHI through the adoption and use of EHRs by physicians and hospitals it is inevitable that we will see more breaches. Hopefully, the benefits that we, as a nation and citizens, accrue from the adoption and use of such digital records to better manage our health and coordinate health among our healthcare team will far outweigh the risks we will be taking in the potential compromise of our PHI.