OHSU Data Breach: Where Health IT is lacking
Richard Wagner, JD | August 13, 2013
In an interesting piece posted over the weekend at The Health Care Blog, Dr. David Do described a recent reported data breach by the Oregon Health & Science University. The event, which was reported to patients at the end of July, was triggered when OHSU administrators discovered that medical residents were storing patient records in Google Drive, a free, cloud-based document storage platform. While the 3,000 or so patient records discovered to be stored in the cloud were not actually “breached,” regulatory requirements under the HIPAA/HITECH Breach Notification Rule required administrators to notify all of the patients affected.
As Dr. Do notes, the incident underscores one of the greater issues present in the practical application of healthcare IT: despite the impressive mix of EMRs and other health-related IT tools on the market today, the very basic needs of healthcare providers still remain unfulfilled. One such practical need is the ability for healthcare providers to safely collaborate with one another electronically. As EMR systems continue to neglect the need for this collaboration among healthcare provider teams, the very same providers will look to alternative methods to satisfy the needs of their patients. And as a compliance officer or a CIO, by the time you find out that your employees are using unapproved mass market solutions, it’s usually too late.
Free cloud-based storage tools such as Google Drive or Dropbox are remarkably usable and convenient. I happen to use both on a regular basis to share documents across devices and with different people. However, despite the practical uses of these products, they were not designed to share highly sensitive data such as PHI. Moreover, when a patient record gets uploaded to the server of a third-party provider, the data has gone off hospital premises and into the custody of a de facto business associate with no BAA in place. Show me someone who has gotten Google to enter into a BAA, and I’ll show you a liar.
Here’s the bottom line: the providers at your facility have a deep thirst to use electronic tools to share patient data in a laudable effort to improve care for their patients. Given the inadequacy of existing EMR systems to provide this ability, your providers are going to find one way or another to assist with this workflow. As someone in charge of your information systems or compliance program, it’s much better to vet out the possible tools for them to use on the front end than deal with the potential data breach on the back end.