Stanford Hospital investigating how patient data ended up on homework help website
A key conclusion from the audience of experts at the first summit on the future of health privacy was HIPAA has not been effective at protecting patient privacy. Jaikumar Vijayan quoted Deborah C. Peel, MD, founder and chair of Patient Privacy Rights, on the problems with HIPAA and the need to restore patient control over health information in this story. See videos of the summit at: www.healthprivacysummit.org
“Stanford University Hospital in Palo Alto, Calif. is investigating how a spreadsheet containing personal medical data on 20,000 patients that was being handled by one of its billing contractors ended up publicly available for nearly one year on a homework help site for students.
The spreadsheet first became available on the site last September as an attachment to a question supposedly posed by a student on Student of Fortune, a website that lets students solicit help with their homework for a fee. The question sought help on how the medical data in the attachment could be presented as a bar graph, The New York Times reported on Thursday.
A Stanford Hospital & Clinics representative told Computerworld in a statement that the hospital discovered the file on August 22, and took action to see it was removed within 24 hours.
“A full investigation was launched, and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information,” the statement said…
The breach shows yet again how ineffective HIPAA has been in getting organizations that handle healthcare data, to take better care of it, said Deborah Peel founder and chairman of the Patient Privacy Rights Foundation .
Much of the problems stem from the indiscriminate sharing of sensitive personal information among “legions of secondary users”, she said. The average hospital has between 200 and 300 outside vendors and partners with access to patient data, Peel said.
“We do not have an effective federal health privacy law. HIPAA was gutted in 2002 when control over who can see and use patient data for all routine uses was eliminated,” she said.
The only way to really get a grip on the problem is to allow patients to exert more control over who has access to their data. “Data should be used for a single purpose after the patient gives consent such as consent to use the data to pay a claim or send to a consultant.”
“Consent should be obtained for any secondary or new uses of data,” she said. All organizations that handle health data, including third parties should be certified to adhere to the highest standards of data security, Peel said.