Last March, I wrote about a significant change in the rules for Electronic Health Records and HIPAA. Basically, the administration released a new set of rules extending the responsibility to protect patients' medical records and personal information to all entities holding those records or any part of them. This month, the state of Michigan is out to test those rules after a breach at the Michigan Cancer Consortium.
Hackers recently gained access to a private server that hosts the consortium's website. The hackers were able to access thousands of records of individuals who had screening tests, including the tests' results, names, addresses, Social Security numbers, telephone numbers, birth dates, and other personal data.
HIPAA rules require that any data breach be reported immediately to the persons whose records could have been accessed, and that the responsible entity pay substantial fines and invest in better security. If another breach occurs, the provider or entity involved could face more serious consequences.
But the State of Michigan claimed that the screening test results stored by the Consortium are not medical records and that the MCC was not a "Covered Entity" under HIPAA rules. They acknowledged a data breach, but not a breach of Electronic Health Records. As of today, neither the Michigan Cancer Consortium nor its hosting providers has placed a public notice of the breach on their websites. The only thing they did -- through a letter -- was to advise patients to place a fraud alert with the three major credit bureaus, to reduce the possibility of identity theft.
A major part of the state's argument is that the site in question was simply used to transmit information to local screening agencies and therefore wasn't part of a covered entity. The state also said that the information originated with its Cancer and Control division, which is not covered by HIPAA.
A Michigan Department of Community Health spokesperson said the compromised data:
...were not medical records and therefore, no notification under HIPAA was sent to individuals. However, because the reports contained Social Security numbers, the Identity Theft Protection Act did apply. MDCH therefore contacted individuals about the breach along with steps that could be taken to protect from the potential for identity theft.
Cancer screening test results aren't medical records? Maybe a lawyer can argue that, but that sounds like medical information to me. If you look at their website, it is full of medical information and health-related topics. Even if most of those test results are negative, they involve a medical procedure on individuals, not just a phone survey.
Is it possible for the State of Michigan to pull this off? Apparently, yes, because at the time of the writing of this article, no attempt has been made to penalize the state of Michigan for its determination or lack of notification. HIPAA rules, although inconvenient to state governments and private institutions, are there to protect people against this particular type of event, having their medical information exposed. Letting the MCC and the state government get away with this "legal trick" could pose a serious blow to the privacy of patients and destroy public confidence in their institutions.
As a CIO, it might be tempting to follow Michigan's example and try to "re-classify" your breach. And in the short term, you might be able to get away with it. But showing a long-term disregard for your patients' privacy is likely to hurt your reputation, and when regulatory agencies decide enough is enough, you're likely to be in more trouble. As they say on TV, "Don't try this at home. It is too dangerous."
What do you think? Should this breach fall under HIPAA? Should Michigan admit its mistake before it is too late? Or is this just a clever way to protect your organization the next time you have a breach? Comment below.