You may need a scorecard to keep track of the players, but ponder this.
Codman Square Health Center in Boston reported a breach to HHS. However, it was not THEIR system that was breached.
Codman participates in a regional Health Information Exchange, the New England Healthcare Exchange, a mandated mechanism for doctors to exchange information with other covered entities, as part of the Affordable Care Act.
An employee of an outside vendor accessed the exchange using a Codman employee's login credentials. With this login they were able to view a few records belonging to Codman Square Health's own patients, but also thousands of records stored on the exchange that belonged to other providers. These are records that Codman Square Health had no legitimate permission to access.
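The failure described above is an access-scope problem: one participant's credential could read records owned by other providers, and nothing on the exchange side appears to have flagged it. The following is an added example, not code from the post or from any real exchange, showing the kind of check an exchange operator could run over its own audit trail. It assumes the exchange logs each record access with the accessing account, that account's home organisation and the organisation that owns the record, and that the exchange holds a list of recorded treatment relationships; every organisation, account and patient identifier below is a constructed placeholder.

```python
"""Detect out-of-scope record access in constructed HIE audit events."""
from collections import defaultdict

# Constructed audit events: (timestamp, account, account_home_org, record_owner_org, patient_id).
# Organisation, account and patient identifiers are placeholders, not real exchange data.
SAMPLE_EVENTS = [
    ("2014-05-01T09:00:00", "clinic_user_17", "ORG_A", "ORG_A", "P-0001"),
    ("2014-05-01T09:02:00", "clinic_user_17", "ORG_A", "ORG_A", "P-0002"),
    ("2014-05-01T09:05:00", "clinic_user_17", "ORG_A", "ORG_B", "P-1001"),
    ("2014-05-01T09:05:30", "clinic_user_17", "ORG_A", "ORG_B", "P-1002"),
    ("2014-05-01T09:06:00", "clinic_user_17", "ORG_A", "ORG_C", "P-2001"),
    ("2014-05-01T10:00:00", "clinic_user_42", "ORG_B", "ORG_B", "P-1003"),
]

# Assumed treatment relationships the exchange is taken to hold: (organisation, patient_id) pairs.
# An access is in scope only if the accessing account's home organisation has such a relationship.
ASSUMED_TREATMENT_RELATIONSHIPS = {
    ("ORG_A", "P-0001"),
    ("ORG_A", "P-0002"),
    ("ORG_B", "P-1003"),
}


def find_out_of_scope_access(events, relationships):
    """Return the events whose home organisation has no recorded relationship with the patient."""
    return [e for e in events if (e[2], e[4]) not in relationships]


def flag_accounts(findings, max_owner_orgs=1):
    """Accounts whose out-of-scope reads span more than max_owner_orgs distinct record owners.

    A credential reading records owned by several unrelated organisations is the pattern
    described in the post, and is a stronger signal than a single stray lookup.
    """
    touched = defaultdict(set)
    for _, account, _, owner_org, _ in findings:
        touched[account].add(owner_org)
    return sorted(a for a, orgs in touched.items() if len(orgs) > max_owner_orgs)


def notification_burden(findings):
    """Distinct affected patients per record-owning organisation.

    This is the list the exchange, not the organisation whose credential was misused,
    is positioned to act on, since only the record owner can reach those patients.
    """
    owners = defaultdict(set)
    for _, _, _, owner_org, patient in findings:
        owners[owner_org].add(patient)
    return {org: len(patients) for org, patients in sorted(owners.items())}


if __name__ == "__main__":
    hits = find_out_of_scope_access(SAMPLE_EVENTS, ASSUMED_TREATMENT_RELATIONSHIPS)
    for ts, account, home, owner, patient in hits:
        print(f"{ts} {account} ({home}) read {patient} owned by {owner}")
    print("accounts to investigate:", flag_accounts(hits))
    print("patients to notify, by owning organisation:", notification_burden(hits))
```

The relationship list is the key design choice: if the exchange does not record which organisation is entitled to which patient's records, it cannot distinguish the 140 legitimate reads from the 4,000 illegitimate ones after the fact, let alone block them at the time.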
Codman Square Health said that the data accessed includes names, addresses, birth dates, gender, medical services, payor information, insurance information and Social Security numbers.
But there is a challenge. Of the records accessed, 140 belonged to Codman Square Health's own patients. The other 4,000 records belonged to patients of other providers, so Codman has no contact information for them and no way to tell them that their data was breached. HIPAA regulations ASSUMED that a provider would have the addresses of the patients in the breached records, but in this case Codman does not even know who those people are.
Those 4,000 victims may never know that their data was hacked.
Will people be unwilling to share their data on the exchange? Do they even have the option not to share the data?
More importantly, do the regulations need to be fixed? How do we protect people, which is what really matters?
If we are going to store health care information electronically and share it between parties, then we are going to need to figure out how to deal with breaches that affect multiple parties.
One possibility is to require the Health Exchange to make the notifications, possibly billing the cost back to the responsible party or parties.
But it also means that HIEs need to deal with the security issues. If they do not, then Health Exchanges may not survive.
Information for this post came from Fierce Health IT.