Winston-Salem Journal

Breaches of patients' data raise questions on security methods

Credit: Journal Photo Illustration by Richard Boyd II



The theft of a document containing the names and Social Security numbers of 554 patients at Wake Forest University Baptist Medical Center was hardly unusual.

Federal health officials say that it was the 47th time since September 2009 that patient records of some sort had been breached from hospitals and health-insurance companies nationally.

Such breaches raise questions about the security measures being used by health-care providers on sensitive financial and medical information, as well as the need for records to be removed from secure sites.

In the Wake Forest Baptist case, a bag containing documents with the patient information was stolen Feb. 15 from an employee's locked car in the parking deck of an off-campus outpatient clinic. Hospital officials publicly revealed the theft on March 4.

The hospital arranged for free credit and financial monitoring for anyone who was listed on the stolen documents, and so far no identity thefts have been reported, said Bonnie Davis, a Wake Forest Baptist spokeswoman.

Under federal law, Wake Forest Baptist reported the security breach to the Office of Civil Rights within the U.S. Department of Health and Human Services. Of the security breaches at hospitals and health-insurance companies nationwide, 11 have occurred in the Southeast, affecting 914,234 patients.

Methods vary as to how hospitals and health insurers protect data, how they allow the data to be taken off premises, and whether patients are made aware of those practices.

Wake Forest Baptist, for example, does not advise patients that an employee may remove their data from its hospital or clinics.

The Health Insurance Portability and Accountability Act, or HIPAA, "allows medical providers to use mobile data, and does not restrict taking data off their premises," Davis said. "There is latitude in the language in what you tell the patients and what is happening with their data."

She said that patient data might be accessed after a health-care provider's normal schedule when, for example, a physician who has an acute-care patient in the ICU is later contacted by an attending physician for information for follow-up care, or when caregivers consult with one another.

"The work day doesn't start and end at 8 a.m. or 5 p.m., and to provide the highest level of care possible, some health-care providers may sometimes need to have patient records available to them beyond their normal schedule,'' Davis said. "Not having access to the necessary data would make it difficult to provide the high level of care needed in some instances for patients.''

Wake Forest Baptist policy, she said, does require that patient data remain secure at all times.

Jim Jones, a spokesman for the N.C. Department of Health and Human Services, said that the practice of hospitals, clinics and health-insurance providers allowing employees to take home patient records is not commonplace among the 124 licensed medical providers in the state.

"If there is a practice to do this, the patients should be told," he said.

Linwood Jones, an attorney for the N.C. Hospital Association in Cary, said that his organization believes that hospital employees should be allowed to remove patient information if it is necessary to perform their duties.

"With a mobile work force, and health care being provided around the clock, I don't think it is uncommon for a physician or other employee to need to remove a record to carry out their duties for the patient's care," he said.

Among other area hospitals, Forsyth Medical Center and Moses Cone Health System in Greensboro allow employees to take patient information home. High Point Regional Health System does not.

Forsyth Medical Center employees are required to protect the information in their custody, said Freda Springs, a spokeswoman for the hospital. Those safeguards include using password-protected computers and encryption technology.

Employees are not allowed to download patient information on their own flash drives or leave their computers in cars, she said.

"We believe there is nothing more sacred than a patient's privacy, and we make every effort to protect that privacy," Springs said.

Employees at Moses Cone take a course on protecting the privacy of patient records, said Doug Allred, a spokesman for the hospital. Some employees need access to records outside the workplace to meet deadlines, he said.

"Employees are not supposed to leave such things in their car," Allred said.

At High Point Regional, employees are not allowed to take patients' records home, said Miles Romello, an information-technology coordinator for the health system.

"HIPPA laws say we have to protect patient data," Romello said. "We feel that it is better for employees to work on the records in our facility."

jhinton@wsjournal.com


727-7299
