Since 2001, healthcare providers have made notifying patients of data breaches a priority, a practice that could prove wasteful, Computerworld reported.
According to the news source, most healthcare facilities, upon identifying that a data breach has occurred, proceed to inform all individuals impacted by the event. This is a time-consuming and expensive process that may not be worth the effort in the long run.
At first glance, the report admitted, being notified of data breaches seems critical. Most people want to know when their medical records are exposed. However, few individuals actually take any action once the issue has been brought to their attention, and most understand it is simply an unfortunate and frustrating event, according to the news source.
Furthermore, the healthcare industry is currently struggling to find the financial and technical resources it needs to maintain patient care, and providers may be better off devoting resources to preventing data breaches and improving services instead of notifying individuals of incidents that they can do almost nothing about, the report said.
According to the news source, all of this emphasis on notification when data breaches occur began in 2001 with the Eli Lilly incident, in which human error compromised the patient data of 700 individuals. Legislation soon followed in California. Since then, state and national governments have responded with more formal data breach notification laws, hitting something of a climax with 2009's HITECH Act, which mandates the establishment of more formal and useful regulations governing notification when breaches involve personal medical data. The report said the formal final regulations will likely be released before the end of 2011.
One of the key attributes of the official mandate, according to the report, is a regulation making healthcare providers legally accountable for notifying the U.S. Department of Health and Human Services immediately upon a breach involving 500 or more patients. Each of these breaches is then published on a virtual "wall of shame" on the HHS website, the report said.
The effectiveness of such an approach is questionable, however. The news source analyzed the incidents already on the department's wall of shame and found that a significant number of the data loss incidents were not the result of malicious intent and did not involve data that would be easy for a cybercriminal to use. Furthermore, many of the incidents are categorized as "loss," "other" or "improper disposal" rather than "theft" or "unauthorized access." Besides all of this, a significant number of the incidents involve paper records, not electronic ones. Typically, paper-based data loss incidents are not as harmful as electronic ones, the report said.
These factors combine to create a situation where many of the data breaches reported to the HHS are not especially significant or meaningful in nature. The report said the interim rule currently states that businesses do not need to notify the department if the data loss does not indicate significant potential for harm. However, the lines that designate what "significant risk" means are difficult to discern, creating some confusion. This is leading to a situation where many health providers are wasting time and financial resources reporting data breaches that do not always need to be reported.
Healthcare organizations hoping to maximize their resources may want to consider outsourcing many of their IT systems to a HIPAA hosting provider. Through colocation, cloud services and other IT outsourcing capabilities, a hosting vendor can simplify data security and reporting, allowing medical facilities to focus more resources on patient care.