Friday, October 7, 2011

Protected Health Information, or using other people's data

The New York Times carried a front-page story yesterday about the release of patient data from Stanford Hospital that provides several useful lessons for those of us who spend our work lives mucking about in files and spreadsheets.

It appears that the hospital sent the file to someone they believed worked for one of their business associates. He did, but evidently as a marketing contractor, not an employee, though he did use an email address of the business associate. According to the story, the marketing contractor sent the file to a prospective employee of his, who posted it on a public paid homework help site.

What could have been done to prevent this breach? The file moved several times; each time, the sender or receiver could have at least wondered whether it contained live data. The hospital could have alerted the marketing contractor that the file had live data. The marketing contractor could have looked at the file before sending it on to the job applicant, or had her complete the assignment in his office.

So what are the lessons? Leaving technical issues aside (though you can read the next paragraph if you're interested in those) I think there are two: first, look at the file before you send it on! And second, when you get a file, think about what might be in it before you pass it on. (There's a third lesson in there too, about not asking for help publicly when you are trying to demonstrate a skill necessary for a job, but I'm inclined to skip over that one.)

More technical paragraph: Under HIPAA, the Health Insurance Portability and Accountability Act, "business associate" is a carefully defined term of art, usually an organization that provides computer, analytical, or other services to the health care provider. Business associates often need access to confidential health information (one of the services they provide is billing; another is reimbursement) and are generally hedged in with contracts spelling out what they can and cannot disclose. The people who know what is in the contracts may not be the same people with operating responsibilities, and I suspect that training around confidentiality issues is not enough. You need constant reminders too.

No comments:

Popular Posts