As more health care providers adopt electronic health records, the increase in health data breaches is raising concern among patient privacy advocates and public health officials, Kaiser Health News/Washington Post reports.
Recent Data Breaches
Recent data breaches have occurred at:
- The Utah Department of Health, which announced in April that Eastern European hackers had stolen medical data on nearly 800,000 individuals;
- Howard University Hospital in Washington, D.C., which announced in March that medical data on more than 34,000 patients had been compromised after a hospital contractor's personal laptop was stolen; and
- TRICARE -- a provider of health benefits for military personnel, retirees and their families -- which announced in 2011 that backup computer tapes with personal data on nearly five million people had been stolen from one of its contractors.
Addressing Privacy Concerns
HHS has the authority to issue subpoenas when enforcing HIPAA privacy and security rules, but between enactment of the law in 2003 and late 2011, it had used that power only twice, according to a report the agency provided to Congress. In addition, HHS assessed a monetary penalty only once during that time, the report noted.
Susan McAndrew -- deputy director for health information policy at HHS's Office of Civil Rights -- said, "The industry is very interested and responsive to correct the mistakes that they make and improve their privacy policies, so it's not necessary for us to resort to these types of penalties."
However, at a November 2011 Senate hearing, HHS was criticized for its lack of enforcement on data breaches. During the following six months, the agency reached settlements on several HIPAA cases that included more than $1.5 million in penalties.
Deven McGraw -- director of the Center for Democracy & Technology's Health Privacy Project -- said that prior to the 2011 Senate hearing, HHS had been losing credibility on HIPAA enforcement. McGraw said she is pleased with HHS's quick response to the criticism.
Still, McGraw noted that federal regulators can only mitigate the risks associated with EHRs. She said, "No matter how good you make the technology, we'll never get the risk down to zero," adding, "But we can do a lot better than we have been doing" (Schultz, Kaiser Health News/Washington Post, 6/2).