After breach of personal, private health information: How do you respond?
Laptop theft points to need for checklist to deal with data breach
In this digital age, a breach of personal data about clients or customers is the nightmare scenario for any business, conjuring specters of identity theft and public relations woes.
But for a research institution, the worries go deeper. In addition to financial information, a breach of data from a research project could compromise private medical information about thousands of subjects.
Then comes the decision of whether and how to notify participants about the breach.
That scenario was played out recently in Maryland when a laptop computer was stolen from the car trunk of a researcher with the National Heart, Lung, and Blood Institute (NHLBI) in Bethesda, MD. The computer contained unencrypted research information — including names, birth dates, hospital medical record numbers, and cardiac MRI data — from about 2,500 participants from an NHLBI study conducted between 2001 and 2007.
In a statement released March 24, the NHLBI's director says that the laptop was turned off and password-protected, but that the information shouldn't have been stored on a laptop computer without encryption.
"When volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically," says Elizabeth G. Nabel, MD. "We at the NHLBI take that trust very seriously and we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."
According to NIH spokesman John T. Burklow, the Feb. 23 theft was reported to the NIH information technology department the same day and to the NHLBI's IRB on Feb. 26. Burklow says NIH policy requires principal investigators to report to the IRB any unanticipated problems that could present a risk to subjects.
At its next scheduled meeting, March 4, the IRB voted unanimously to inform participants about the theft. On March 20, the IRB approved a letter to be sent by overnight mail to all participants for whom current addresses were available. Participants were told they should contact the NHLBI if they had concerns about the theft.
The letter explains the incident, points out that Social Security numbers and other financial data were not involved, and reassures participants that the theft "poses a low likelihood of identity theft or financial implications."
"It is, however, an unfortunate breach of our commitment to protect the confidentiality of your research records," the letter states.
Burklow says about 80 participants have called or e-mailed the NHLBI since the letter was sent, about a third of them expressing concern over the incident or wanting more information.
"Several individuals sent e-mails expressing their appreciation for the notification," he says.
In the wake of the incident, Nabel says the institute is ensuring that all NHLBI laptops are encrypted, and that staff have been told never to keep patient names or other identifiable medical information on laptop computers.
In addition, Burklow says, the IRB is clarifying the notification process when a breach occurs.
Breaches common
Kirk J. Nahra, JD, a health care attorney who is co-chair of the Confidentiality, Privacy and Security Workgroup at Wiley Rein LLP in Washington, DC, says such security breaches happen all the time, in every industry.
"There's obviously lots in the health care industry, there's a ton in the academic community," he says. "I take from that a couple of principles — one is that everybody's got to pay attention to this. And a lot of what paying attention is, if it's going to happen, what can I do to reduce the problems from that?"
Nahra says institutions need to think about the problem of data security from two angles: reducing the risk of breach and knowing what to do if one occurs.
"One question for the IRB is on the front end," he says. "Should they be factoring security issues more into the front-end approval process? The bulk of those approval principles have typically involved privacy issues rather than security issues."
For example, Nahra notes that laptops are stolen every day. For that reason, he says, encryption should be the norm for laptops containing research information.
"I can't tell you it's formally a legal requirement anywhere, but they should be doing it, and if it's encrypted, you don't have to worry about some of the notice issues."
He says it's also important to pay attention to what is being kept on laptops, and whether sensitive details such as patient names really belong on computers that so easily can go astray.
"You're not going to say don't use laptops," Nahra says. "But if we're recognizing that people use laptops and they're moving around with their laptops and there's sensitive data on them, encrypt them."
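The two points above (encrypt the device, and ask whether names and other direct identifiers belong on it at all) can be made concrete. A login password on a powered-off laptop protects nothing at rest; the drive can be removed and read elsewhere, which is why the NHLBI statement distinguishes password protection from encryption. The following is an added example, not NHLBI code and not anything from the attorneys quoted here: it splits a research extract into a pseudonymized copy that can travel on a laptop and a linkage table that stays with the institution together with the HMAC key, and it refuses to produce the portable copy while any direct identifier column remains. The column names, the sample rows and the choice of a 10-year age band are assumptions constructed for the example.

```python
"""
Pseudonymize a research extract before it is copied to a portable device.
Added example; not NHLBI, NIH or Wiley Rein code.
"""
import csv
import hashlib
import hmac
import io
import json
import secrets
from datetime import date

# Constructed sample extract, modelled on the field types the article names
# (names, birth dates, hospital MRNs, cardiac MRI data). Not real subjects.
SAMPLE_EXTRACT = """\
subject_name,birth_date,mrn,lv_ejection_fraction
Jane Example,1961-04-12,MRN-0001234,58
John Example,1955-01-15,MRN-0009876,47
"""

# Columns that identify a person directly; none of them may reach the laptop.
DIRECT_IDENTIFIERS = ("subject_name", "birth_date", "mrn")


def pseudonym(secret_key: bytes, mrn: str) -> str:
    """Keyed, deterministic token for a hospital MRN.

    HMAC-SHA256 rather than a bare hash: MRNs have low entropy, so an unkeyed
    hash could be reversed by hashing the whole MRN space. Without the key the
    token cannot be linked back to the hospital record.
    """
    return hmac.new(secret_key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(birth_date: str, as_of: str) -> str:
    """Replace a full birth date (ISO format) with a 10-year age band."""
    born, ref = date.fromisoformat(birth_date), date.fromisoformat(as_of)
    age = ref.year - born.year - ((ref.month, ref.day) < (born.month, born.day))
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def split_extract(csv_text: str, secret_key: bytes, as_of: str):
    """Return (laptop_rows, linkage_rows).

    laptop_rows carry only the token, an age band and the study variables.
    linkage_rows map token back to identity and stay with the institution,
    alongside the key, never on the portable device.
    """
    laptop, linkage = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        token = pseudonym(secret_key, row["mrn"])
        linkage.append({"token": token, **{k: row[k] for k in DIRECT_IDENTIFIERS}})
        study = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        laptop.append({"token": token, "age_band": age_band(row["birth_date"], as_of),
                       **study})
    return laptop, linkage


def contains_direct_identifiers(rows) -> bool:
    """Pre-copy check: True if any row still carries a direct identifier column."""
    return any(k in DIRECT_IDENTIFIERS for row in rows for k in row)


if __name__ == "__main__":
    # Key generated and held by the institution; it is never written to the laptop.
    key = secrets.token_bytes(32)
    laptop_rows, linkage_rows = split_extract(SAMPLE_EXTRACT, key, "2008-03-01")
    if contains_direct_identifiers(laptop_rows):
        raise SystemExit("refusing to write portable copy: identifiers present")
    print(json.dumps(laptop_rows, indent=2))
```

Full-disk encryption still belongs on the laptop. Pseudonymization limits what a thief gets when encryption is absent or misconfigured, and it is the working copy, not the linkage table, that ends up in a car trunk. Re-identification, when a participant must be contacted, is done at the institution by joining the token back through the linkage table.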
To report, or not?
Once a breach has occurred, Nahra says the institution next must decide how serious it is and what reporting is required — either legally or ethically.
He says 42 states currently have laws requiring that customers, clients, or patients be notified in the event of certain security breaches, usually involving the unauthorized release of financial information such as Social Security numbers.
Last year, California expanded its law to include medical information.
Nahra says state laws usually do not require notification if the information was encrypted.
He says the HIPAA Privacy Rule itself does not require notice to study participants if their health information is breached. But it does require that covered entities mitigate, to the extent they can, any harmful effects caused by disclosure of personal, private health information in violation of the Privacy Rule.
"Sometimes mitigation of harm would make you give notice — and it might make you give notice in situations where the state laws wouldn't," he says. "Let's say you have a security breach of [information about] AIDS patients. HIPAA might tell you to give notice even though the state laws might say you don't have to."
Nahra says an institution has to make a complicated judgment when a breach occurs to determine whether participants need to be notified.
"You have a set of incidents where you have to notify, there's another set of incidents where you should probably notify anyway and then there's a set where maybe you'll make a judgment not to," he says. "It requires an assessment every time there's a breach as to whether these obligations are triggered and what it is you're going to do."
If, for example, a laptop is stolen, but the information on it is encrypted, Nahra says an institution might make the decision not to notify participants.
Nahra usually advises clients not to have a set procedure for how to handle a breach, but rather to have a list of questions to ask first.
"Who do we notify? How do we fix it? Who do we get involved in the investigation? How do we figure out what kind of information was involved?" he says. "It's not a one-size-fits-all response."
"If you say, 'We will always give notice of every security breach,' that's not a good answer," Nahra says. "There's a negative to giving notice, which is you scare people. And so if there's really not a problem, don't scare people."