With EHRs, Technology Magnifies Effects of Human Error

How secure are electronic health records? And, as health information exchanges or private networks are developed to share health information electronically, what is the possibility that our private health information would be available to people who shouldn’t have it?

The health information exchanges developed to share electronic health records (EHRs) are built to allow access from multiple organizations, including hospitals, multiple medical practices, laboratories, testing facilities and other institutional health care providers. With a broader network, patients and providers benefit from easy access to more complete information. But the risk of unauthorized disclosures multiplies with each organization and provider that can access the record.

Section 13402 of the HITECH Act requires entities covered by HIPAA to promptly report breaches of unsecured private health information affecting 500 or more individuals (“large breaches”). HHS maintains a web site listing these breaches. As of October 25, 2011, the site contained summaries of 345 reported breaches.

Breaches affecting fewer than 500 people may be summarized and reported annually. The agency’s report to Congress on breaches occurring since the HITECH reporting requirement became effective analyzed both sets of breaches.

The most common breaches of the security of private health information aren’t caused by hackers. The majority are caused by the same human foibles that disrupt other areas of life: greed and human error.

Greed: People steal valuable, portable objects, like laptops or smart phones. Some more enterprising thieves steal network servers. In 2009, of the 45 large breaches reported, 27 resulted from theft. In 2010, theft continued to be the most frequent cause of reported major breaches, and one theft affected 1.9 million people. 42 of the 99 reported thefts involved laptop computers. The majority of thefts occurred on the premises of the covered entity. But if the records are in another object that is stolen, the health information may be compromised. Last month, an employee of a contractor for TRICARE had loaded back-up tapes into his car for transportation to another federal facility when his car was stolen from his employer’s lot. The breach affected the security of the records of 4.9 million beneficiaries.

Last year, another entity reported that an employee had sold protected health information to a third party. Similar incidents are described in the database of the Privacy Clearinghouse. The largest reported incident of unauthorized access involved a former employee using a password to enter a password-protected web site, where the employee had access to protected health information of 400,000 people.

Human error: One entity reported that hard drives in 20 leased photocopy machines were left in the machines that were returned and resold. The hard drives contained (or could have contained, as the entity reported) personal health information of more than 340,000 people.

The Privacy Rights Clearinghouse tracks breaches in many fields, in more detail, including where the data was stored and whether information was accessed by someone within the organization. It also includes later developments in the incidents it has reported.

Human error: People lose things, like laptops, portable drives and smart-phones. In 2010, loss of records, whether paper or electronic, was the second most commonly reported breach.

Paper vs. electronic. Breaches of privacy or security of paper records also occur, of course. The most commonly reported human errors involved misdirected mailings of paper records, where one or two people received someone else’s records. Still, any one incident of loss of electronic data will affect many more people than paper would. In 2010, HHS received reports of 33 cases where records were lost. These incidents affected more than 1,156,000 people. Ten of these incidents involved losses of portable electronic devices other than laptops.

One of those incidents, which accounted for 800,000 of the affected individuals, suggests that outsourcing the maintenance or disposal of protected health information is problematic. The HIPAA covered entity arranged for a business associate to dispose of computer back-up tapes that were not compatible with the entity’s new system. The associate, in turn, hired a subcontractor to destroy the tapes. Later, the associate informed the covered entity that some of the tapes were not accounted for at the time of destruction.

Many incidents of improper disposal of paper records have occurred. A retiring practitioner or closed institution may leave behind a dumpster full of boxes of medical records pertaining to hundreds of patients.

As long as human beings continue to make mistakes, some breaches will occur. But much of the potential damage would be prevented by incorporating the most basic, common-sense precautions. Hundreds of the incidents where electronic data were compromised involved unencrypted data. Mobile devices or portable drives often were not password-protected.

Imaginative techies may design wonderful protections, like the poison pill that destroys the information on a stolen electronic device. But no matter what firewalls or other security protocols are created, our private health information will not be secure if people fail to take basic precautions.