A breakdown in data destruction protocols could help explain why back-up files containing information on 800,000 individuals were lost from a Mass. hospital after a data management company was hired to destroy them.
This is according to healthcare IT security expert, Mac McMillan, CEO of Austin, Tex.-based CynergisTek, a provider of healthcare information security solutions, and chair of the HIMSS Privacy and Steering Committee.
Officials at South Shore Hospital, a not-for-profit, regional provider of acute, outpatient, home health and hospice care for southeastern Massachusetts, said the files were sent to a professional data management company for off-site destruction on Feb. 26 – and on June 17 the hospital was finally notified that only a portion of the files had been received.
The computer files contained personally identifiable information for patients who received medical services at South Shore Hospital – as well as employees, physicians, volunteers, donors, vendors and other business partners associated with the hospital – between Jan. 1, 1996, and Jan. 6, 2010.
If the tapes had been encrypted, McMillan says, the hospital would not be having this issue. He points to the breach notification provisions of the HITECH Act, under which lost data that was encrypted does not have to be reported. Under the HHS guidance that implements those provisions, that safe harbor applies only when the encryption follows the guidance and the decryption key was not lost or exposed along with the data.
Some of the data was less than a year old, which leaves the hospital with no excuse for not having encrypted it, says McMillan, adding that it would have been possible to encrypt the older data as well. But even without encryption, recovering the data from the tapes would take specialized equipment and knowledge, he says.
Although it is not impossible to recover the information on the back-up tapes, it is highly unlikely, because the thief would also need the application used to write the tapes in order to read them back, McMillan says, and such an application is unlikely to be available away from the hospital.
McMillan recommends that organizations destroy their patient data on-site because it allows them to retain control of the complete process. He points out, however, that there are reputable data management companies, and that organizations simply need to do their homework so they understand the company's processes and how files are received and documented.
McMillan says that if the hospital had tighter chain of custody processes, it may have been alerted sooner about a problem, and authorities would have a better chance at finding out what happened to this data. "The problem is that if [the hospital] doesn't find out that something went missing until months later, the trail to find it is gone."
According to McMillan, the hospital and the data management company should have had a business associate agreement, which HIPAA requires. In this case, the business associate agreement would require the hospital to obtain satisfactory assurances from the data management company that it would appropriately safeguard the protected health information it received. As part of the associate agreement, the hospital should also have had a security agreement, says McMillan. Although this is not required under HIPAA, he says, more hospitals are beginning to use them because they are finding that business associate agreements alone aren't cutting it.
In the security agreement hospitals can lay out processes including:
- How material is prepared for shipping
- How material is loaded, transmitted, and then received at the facility
- How long the material is held before destruction, and when they should receive a certificate of destruction
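The chain-of-custody and security-agreement points above can be made concrete. The following is an added example written for this page; it is not part of the article and not the tooling of any hospital or data management company. It builds a manifest of each tape's identifier, size and SHA-256 before shipment and signs it with HMAC, reconciles the vendor's intake log against that manifest so a partial delivery is flagged at receipt rather than months later, and lists tapes that have no certificate of destruction once an agreed hold period has passed. The tape images, the vendor's intake log, the certificate dates, the 14-day hold limit and the shared HMAC key are all constructed or assumed for the example.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed sample tape images: placeholder bytes, not real backup data.
TAPES = {
    "TAPE-0001": b"backup 1996-01-01 patient and employee records (sample)",
    "TAPE-0002": b"backup 2003-06-30 donor and vendor records (sample)",
    "TAPE-0003": b"backup 2010-01-06 physician and volunteer records (sample)",
}

# Assumed: a key exchanged out of band under the security agreement.
SHARED_KEY = b"replace-with-key-exchanged-out-of-band"
SHIPPED_ON = date(2010, 2, 26)   # shipment date reported in the article
MAX_HOLD_DAYS = 14               # assumed hold limit from the security agreement


def build_manifest(tapes, shipped_on):
    """Record each tape's id, size and SHA-256 before it leaves the site."""
    entries = [
        {"tape_id": tid, "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        for tid, data in sorted(tapes.items())
    ]
    return {"shipped_on": shipped_on.isoformat(), "tapes": entries}


def sign_manifest(manifest, key):
    """HMAC-SHA256 over canonical JSON, so the list cannot be altered afterwards."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest(manifest, tag, key):
    """Constant-time check of a manifest against its HMAC tag."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def reconcile(manifest, intake):
    """Compare the vendor's intake log (tape_id -> SHA-256) with the manifest.

    Returns tapes never logged as received, tapes whose content hash differs,
    and tapes the vendor logged that were never shipped.
    """
    shipped = {e["tape_id"]: e["sha256"] for e in manifest["tapes"]}
    return {
        "missing": sorted(t for t in shipped if t not in intake),
        "mismatched": sorted(t for t in shipped if t in intake and intake[t] != shipped[t]),
        "unexpected": sorted(t for t in intake if t not in shipped),
    }


def outstanding_certificates(manifest, certificates, today, max_hold_days):
    """Tapes with no certificate of destruction once the hold period has passed.

    `certificates` maps tape_id -> destruction date from the vendor's paperwork.
    """
    shipped_on = date.fromisoformat(manifest["shipped_on"])
    if (today - shipped_on).days <= max_hold_days:
        return []
    return sorted(e["tape_id"] for e in manifest["tapes"] if e["tape_id"] not in certificates)


def demo():
    """Walk through a shipment of which only part reaches the vendor."""
    manifest = build_manifest(TAPES, SHIPPED_ON)
    tag = sign_manifest(manifest, SHARED_KEY)

    # Constructed vendor intake log: TAPE-0003 never arrived.
    intake = {tid: hashlib.sha256(TAPES[tid]).hexdigest()
              for tid in ("TAPE-0001", "TAPE-0002")}
    # Constructed certificates: only one tape destroyed so far.
    certificates = {"TAPE-0001": date(2010, 3, 5)}

    # A manifest with an entry dropped must fail verification.
    tampered = json.loads(json.dumps(manifest))
    tampered["tapes"].pop()

    return {
        "signature_ok": verify_manifest(manifest, tag, SHARED_KEY),
        "tampered_ok": verify_manifest(tampered, tag, SHARED_KEY),
        "reconcile": reconcile(manifest, intake),
        "overdue_at_day_10": outstanding_certificates(
            manifest, certificates, SHIPPED_ON + timedelta(days=10), MAX_HOLD_DAYS),
        "overdue_at_day_30": outstanding_certificates(
            manifest, certificates, SHIPPED_ON + timedelta(days=30), MAX_HOLD_DAYS),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The vendor computes its own hashes on intake and returns them with the signed manifest; the sending organization then runs the reconciliation the same day, so a short delivery is a same-day finding rather than a notification months later. The hold-period check gives the sender a dated trigger to chase the certificate of destruction instead of waiting for the vendor to raise it.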
"Personal health information needs to be treated the same way as the government treats classified information – with really tight processes," said McMillan.
He adds that, based on everything he has read, the hospital is taking full responsibility and doing a good job of notifying all the appropriate parties. "This is a very unfortunate incident, and very embarrassing. But [the hospital] is doing all the right things."