As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide some baseline data on how many patient privacy breaches their clients were experiencing each month. Keeping in mind that many places already had some security and privacy protocols in place and that higher rates are more likely to create customers for them, here’s what they report for four clients that they say are representative cases from their client database of 300 clients:
| Health System Description | Number of confirmed monthly incidents at outset of FairWarning® deployment |
|---|---|
| 200-bed hospital with a few small clinics – rurally based | 24 confirmed incidents per month |
| U.S. based physician practice with 20 clinics, metro and rurally dispersed | 29 confirmed incidents per month |
| UK based teaching hospital in a major metropolitan area as well as rurally based facilities | 130 confirmed incidents per month |
| Top 50 U.S. Health System with multiple affiliated hospitals and clinics – based in a major metropolitan area | 125 confirmed incidents per month |
Those four cases are described in more detail in the paper. If the figures seem high to you, you may want to compare them to the breach reports received by California since its new breach reporting law covering medical records went into effect last year. I asked FairWarning about the difference, and their view is that many breaches are simply never detected. Kurt Long replied, “health records are rarely detected and rarer still reported.” In other words, if we were shocked by how many reports California is receiving, we’d be stunned if we knew how many breaches there really are each year that go undetected or unreported.
Although no detailed statistics are provided, the report also provides a summary on the types of patient privacy breaches most likely to occur for different types of localities. For all types of localities, the following types of privacy breaches were reported:
- Care provider employees visiting as a patient
- Immediate Family member snooping
- Child custody cases
- Criminal suspects covered in media
- Billing and fraud related
Not surprisingly, entities in rural localities also reported:
- Local government official snooping
- Neighbor snooping
- Extended family member snooping
While entities in metropolitan localities were more likely to report:
- Sports star snooping
- Federal or state government official snooping
- High profile business personality snooping
- High profile celebrity/media personality snooping
- Traditional identity theft
- Medical identity theft
Of note, they report that in their benchmark study, they obtained “multiple reports” from metropolitan and rural based care providers detecting staff using EHR access to systematically steal the identities of deceased patients to commit financial identity theft.
The company uses case examples with timelines to make the following points:
1. Simply informing your employees that you have implemented a monitoring program to detect privacy breaches can decrease patient privacy breaches significantly (on the order of 36% in one large metropolitan multi-hospital system and 60% in a rural hospital with remote clinics).
2. Telling employees that they are being monitored is not sufficient. Staff training (and re-training when new employees are hired) is also required to achieve the desired results, as are consistent and appropriate sanctions. The company notes that they observed spikes in privacy breaches whenever new staff were hired, suggesting to me that entities need to do (and probably could do) a better job of initial training of new hires before they get access to patient information, including informing them that they will be monitored and informing them of the possible dire consequences to their employment should they violate privacy policies.
3. A high-profile patient privacy breach that escalates into a Compliance Review and into a three year Resolution Agreement can cost between $8 to $17 million. The breakdown of costs they provide and the rationale could be useful for IT personnel who are pulling their hair out trying to get their employer to invest more in security and monitoring. Although I’m not qualified to evaluate whether their estimates are likely to be overestimates or not, I noted that the least of the costs — by a long shot — is notifying patients and offering them credit protection.
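To make concrete what an access-audit program of the kind described here actually looks for, the following is an added illustration, written for this post and not FairWarning's product or method, of review rules for EHR audit events that correspond to the breach categories listed above (staff viewing their own records, immediate-family snooping, access to high-profile patients, repeated access to deceased patients' records) and to the post-hire spikes noted in point 2. Every patient, employee, audit event and threshold in it (a 90-day new-hire review window, three distinct deceased patients before escalation) is constructed sample data, not figures from the report.

```python
# Added illustration of EHR access-audit review rules; not FairWarning's product
# or code. Patients, employees, audit events and thresholds are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

NEW_HIRE_DAYS = 90        # review window after hire date (assumed value)
DECEASED_THRESHOLD = 3    # distinct deceased patients per user before escalating (assumed)


@dataclass(frozen=True)
class Patient:
    mrn: str
    surname: str
    address: str
    deceased: bool = False
    high_profile: bool = False   # celebrity, official, or suspect covered in media


@dataclass(frozen=True)
class Employee:
    user_id: str
    surname: str
    address: str
    hired: date
    own_mrn: Optional[str] = None   # set when the employee is also a patient here


@dataclass(frozen=True)
class AccessEvent:
    when: date
    user_id: str
    mrn: str
    action: str   # e.g. "view", "print", "export"


def review_event(ev: AccessEvent, employees: Dict[str, Employee],
                 patients: Dict[str, Patient]) -> List[str]:
    """Return the names of the rules a single access event trips (empty if clean)."""
    emp = employees[ev.user_id]
    pt = patients[ev.mrn]
    hits: List[str] = []
    if emp.own_mrn == pt.mrn:
        hits.append("self-access")           # care provider employee visiting as a patient
    elif emp.surname == pt.surname and emp.address == pt.address:
        hits.append("family-snooping")       # immediate family member snooping
    if pt.high_profile:
        hits.append("high-profile-patient")  # celebrity, official, or media-covered suspect
    if pt.deceased:
        hits.append("deceased-patient")      # identity theft of deceased patients
    if (ev.when - emp.hired).days < NEW_HIRE_DAYS:
        hits.append("new-hire")              # spikes observed after hiring
    return hits


def review_log(events: List[AccessEvent], employees: Dict[str, Employee],
               patients: Dict[str, Patient]) -> Dict[AccessEvent, List[str]]:
    """Keep only the events that trip at least one rule, mapped to the rules they tripped."""
    flagged: Dict[AccessEvent, List[str]] = {}
    for ev in events:
        hits = review_event(ev, employees, patients)
        if hits:
            flagged[ev] = hits
    return flagged


def systematic_deceased_access(events: List[AccessEvent],
                               patients: Dict[str, Patient]) -> Dict[str, int]:
    """Users who opened records of at least DECEASED_THRESHOLD distinct deceased patients."""
    seen: Dict[str, set] = {}
    for ev in events:
        if patients[ev.mrn].deceased:
            seen.setdefault(ev.user_id, set()).add(ev.mrn)
    return {u: len(m) for u, m in seen.items() if len(m) >= DECEASED_THRESHOLD}


# --- constructed sample data ---------------------------------------------------
PATIENTS = {p.mrn: p for p in [
    Patient("P100", "Okafor", "12 Elm St"),                    # also employee u1
    Patient("P101", "Okafor", "12 Elm St"),                    # relative of u1
    Patient("P102", "Singh", "9 Oak Rd", high_profile=True),   # covered in local media
    Patient("P103", "Lee", "4 Pine Ave", deceased=True),
    Patient("P104", "Park", "7 Ash Ln", deceased=True),
    Patient("P105", "Diaz", "1 Fir Ct", deceased=True),
    Patient("P106", "Nakamura", "3 Birch Way"),
]}
EMPLOYEES = {e.user_id: e for e in [
    Employee("u1", "Okafor", "12 Elm St", date(2008, 3, 1), own_mrn="P100"),
    Employee("u2", "Brown", "22 Lake Dr", date(2010, 8, 20)),  # hired three weeks earlier
    Employee("u3", "Garcia", "5 Hill Rd", date(2005, 1, 10)),
]}
EVENTS = [
    AccessEvent(date(2010, 9, 10), "u1", "P100", "view"),   # own record
    AccessEvent(date(2010, 9, 10), "u1", "P101", "view"),   # relative's record
    AccessEvent(date(2010, 9, 11), "u2", "P102", "view"),   # new hire opens a media-covered patient
    AccessEvent(date(2010, 9, 11), "u3", "P103", "print"),
    AccessEvent(date(2010, 9, 12), "u3", "P104", "print"),
    AccessEvent(date(2010, 9, 13), "u3", "P105", "print"),  # third distinct deceased patient
    AccessEvent(date(2010, 9, 13), "u3", "P106", "view"),   # clean access
]

if __name__ == "__main__":
    for ev, hits in review_log(EVENTS, EMPLOYEES, PATIENTS).items():
        print(ev.when, ev.user_id, ev.mrn, ev.action, "->", ", ".join(hits))
    print("systematic deceased-record access:", systematic_deceased_access(EVENTS, PATIENTS))
```

The per-event rules produce leads for a privacy officer to review rather than confirmed incidents; the surname-plus-address match for family snooping is deliberately narrow to keep false positives low, and the deceased-patient aggregation is what turns isolated "deceased-patient" hits into the systematic pattern the report describes.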
Anyone want to take a stab at the math based on FairWarning’s monthly figures? I don’t know how many urban large hospitals we have, how many rural, etc. How many patient privacy breaches would we be talking about per year, total, nationwide based on their findings?
Dissent requested input regarding the damages estimates in the Findings Report. In-line is a link to a webinar from September 8th, 2010 in which Randy Gainer of Davis Wright and Tremaine shares actual financial damages associated with privacy incidents: http://www.fairwarningaudit.com/documents/2010-FAIRWARNING-DAMAGES-WEBINAR.pdf
Thanks, Sadie!
We … talk to a large number of people who have never had to be HIPAA compliant in the past but now must do so. I can tell you that my guess is that reported breaches are the “tip of the iceberg”. These small entities are leaking PHI every day, without even noticing that it is happening. Unsecured PHI is emailed, faxed, mailed, copied, and carried around on every conceivable portable storage device. We need the large covered entities to put pressure on their BAs and sub-contractors to get compliant and prove it.