A Dialogue on Personal Health Records

11/05/2010

The Office of the National Coordinator for Health Information Technology (ONC) is seeking public comment regarding personal health records, now through December 10. Comments can be submitted through the website, on the following topics:

  • Privacy and security and emerging technologies
  • Consumer expectations about collection and use of health information
  • Privacy and security requirements for non-covered entities
  • Any other comments on personal health records (PHRs) and non-covered entities

The ONC is also hosting a day-long public roundtable discussion, Personal Health Records – Understanding the Evolving Landscape. According to the website, the purpose is to “inform ONC’s congressionally mandated report on privacy and security requirements for non-covered entities (non-CEs), with a focus on personal health records (PHRs) and related service providers.”

The Life and Times of Medical Records

7/14/2010

In the late 1960s, Dr. Lawrence L. Weed developed the Problem Oriented Medical Record (POMR). His vision was to have electronic medical records with standardized progress charts for all patients.

Fast forward 30 years, and you would be hard-pressed to find a medical group or health care system that used Electronic Health Records (EHRs) to exchange patient data with one another. Most medical records were still in the form of physical documents, stored in a file folder and shared between a few key members in the medical facility.

Meaningful Use, Privacy and Security in EHR Systems: What Does the Future Hold?

7/07/2010

In June, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. Yet, even with this new development, lingering security questions still plague the process, making the transition to an interoperable EHR system seem even further away and harder to achieve.

How To Have a Successful Breach Response Under HITECH

6/30/2010

If your healthcare facility were to have a data breach tomorrow, how would you go about notifying affected individuals? More importantly, how would you do it in a way that satisfies the HITECH requirements?

The answer isn’t easy. Even without HITECH, notification and subsequent response can take an alarming toll on the finances and resources of an organization.

What Happens to Your Information When a Company Goes Under?

4/30/2010

The Endpoint Security blog recently reviewed the actions of a Hollywood Video store that went out of business and subsequently threw old membership forms in the dumpster. The blogger inevitably asks the question: who is to blame here?

The answer, as is usually the case, is complicated. As it turns out, disposal is the Bermuda Triangle of data privacy. Whereas an organization, while solvent, is responsible for protecting its customers’ information, the picture becomes somewhat muddy if the company folds. Unless the data breach occurs before the company is completely dismantled, it’s difficult to pinpoint anyone left to be held accountable for fines or notifications. Further, the organizational assets, like desktop computers, are often sold off to the highest bidder. It’s alarming to think how much hardware may get shuffled about, still containing the records it held at the time the company went out of business, because no one wants the added expense of erasing the data.