Private physicians and hospital systems may be new to data breach rules but the government is not, which means federal agency experience could have a big impact on the way the overall health care market deals with those rules and potentially embarrassing and expensive breaches.
Agencies that provide and pay for healthcare have operated for several years under breach notification requirements, with some, like the Veterans Affairs Department, "living under the microscope of public scrutiny for years," said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.
The VA in the past has been raked over the coals for its handling of personal data, she pointed out. The loss in 2006 of a laptop containing the personal information of millions of veterans was the reason the Office of Management and Budget directed agencies to toughen their network security and privacy policies.
"(So) VA probably has established best practice procedures that could be very helpful to private industry," McGraw said.
Under new breach notification rules that went into effect in February, the result of HITECH Act requirements to strengthen the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations, healthcare providers and health plans must notify affected individuals when their unsecured protected health information may have been disclosed.
The providers and insurance plans must also report the breach to the Health and Human Services secretary as well as the media within 60 days in cases that affect 500 or more individuals. For a smaller number, breaches have to be reported annually to the HHS.
In light of past data breaches, VA is well prepared for incident response and breach notification reporting, said Stephen Warren, VA's deputy chief information officer. For instance, VA has a national Data Breach Core Team that has met weekly since 2007 to review any possible breaches.
"We have set a high standard and have helped other federal agencies achieve this goal," he said.
VA handles both HIPAA breach notification and breach of sensitive personal information in much the same manner, Warren said, so the new rules won't require much change to the VA's current procedures.
The criteria under the OMB memo and the HITECH Act help VA more precisely discern the full details of an occurrence "so that we make sure to comply with both rules," he noted.
VA has also formed a panel within its Data Breach Core Team to focus on procedures for compliance with the HITECH Act.
One of the most attention-getting consequences of the breach notification rule is the publication, on the HHS Office for Civil Rights Web site, of the name of any provider or plan that reports a breach affecting more than 500 people.
"For private industry to see their name up there, that can have a market impact potentially," McGraw said.
James Pyles, principal at Power, Pyles, Sutter and Verville PC, said that the breach notification rule will be a "more effective enforcement mechanism" for privacy than previous requirements.
With breach notification, "when you have the name of your company on the HHS OCR Web site and on the local news, it's not comfortable," he said.
Market forces don't apply as much in a government program, McGraw said. "You're not likely to make a choice not to get those [federal] benefits and go somewhere else," she said, but a person can choose to change a provider or plan in the private sector. "It's hard to know how much consumers exercise choice, or whether many would."
CVS/Caremark was fined for the way it disposed of customers' prescriptions, for example. If it's the neighborhood store and it's charging low prices, that's what seems more important to consumers.
"That suggests to me a stronger role for government to make sure that there's some baseline because the market isn't going to work on its own," McGraw said.
A large breach of personal information can also be costly. For instance, HHS listed Blue Cross and Blue Shield of Tennessee on the OCR site as a result of the theft in October of 57 hard drives, which contained what the company initially believed was the personal information of 500,000 individuals.
After further investigation, the number of persons affected is closer to 1 million as of April 2, the company said.
The health plan said it has sent letters of notification to more than 500,000 people and enrolled all affected members in an identity theft protection program and some with credit monitoring services, at a cost so far of $7 million.