In the past several weeks, additional HIPAA breaches were reported by Sutter Health System, in California, and by Samaritan Hospital in eastern New York State:
“Sutter Health is no stranger to healthcare data breaches. Back in 2011, nearly one million Sutter Health patients had their protected health information compromised after the theft of an unencrypted company desktop computer, making the breach one of the biggest HIPAA breaches in the United States. In its aftermath, Sutter Health is still facing up to $4.25 billion in class action lawsuits.
The California-based Sutter Health is notifying nearly 5,000 patients that their personally identifiable information has been stolen after local law enforcement officials discovered a list of patient data during an unrelated criminal investigation. The list of patient information was discovered during a drug related investigation in Oakland, Calif., KTVU reports.
Patient names, Social Security numbers, dates of birth, addresses, names of employer, work numbers and marital statuses were compromised.
Sutter Health system officials say the breach could involve patients from Sutter Health's Oakland-based Alta Bates Summit Medical Center; Antioch, Calif.-based Delta Medical Center; or Eden Medical Center in Castro Valley.”
A consequence of HIPAA is possible multi-billion dollar fines and lawsuits. These costs will be passed through to patients, the ultimate pocket. Perhaps there needs to be a limit on penalties, both in civil suits and in HIPAA fines. The HIPAA law invited a feeding frenzy for class action legal firms.
A New York hospital waits 15 months to announce a HIPAA breach and to notify patients.
“The Samaritan Hospital in eastern New York, just outside of Albany, may eventually face some hefty fines from the Office for Civil Rights, as the hospital just Friday notified the public of a HIPAA privacy breach stemming from a November 2011 incident.
The issue here was a conflict between authorities: the Department of Health and Human Services (HHS), its Office for Civil Rights (OCR), and the local sheriff's office.
When the breach was discovered in 2011, the hospital was about to notify patients and regulators of the breach.
According to officials, when the 238-bed Samaritan Hospital discovered the breach back in November 2011, hospital officials notified the sheriff's office, who then asked the hospital to refrain from notifying patients and the OCR, the Troy Record reports.
Sheriff Jack Mahar, Rensselaer County, New York
“If a law enforcement agency asks to delay notification so as not to impede an investigation of a potentially criminal nature, we have to comply,” Streeter added.
“We received an inquiry that suggested that protected health information contained in electronic medical records that related to a patient at Samaritan Hospital may have been improperly accessed by a supervisory nursing staff member employed at the Rensselaer County Jail,” Elmer Streeter, director of communications at St. Peter's Health Partners, the system Samaritan Hospital is part of, told the Troy Record.”
HIPAA is a complex law regulating a complex industry, both technologically and clinically. It is becoming obvious that the law will require several more years of ‘fleshing out’. In 1996, when HIPAA was passed, few medical facilities were using HIT, EMR and HIX. In the next several years we can expect many more breaches resulting from ambiguous situations.
The issue becomes more complex because the Office for Civil Rights is charged with enforcing HIPAA violations. Many institutions that are not clinical, and that are not at all educated about HIPAA, may have unintended access to patients’ medical records.
Attribution: HealthCare IT News