Privacy risks extend beyond your own systems
A recent news item highlights one of the most challenging and frustrating aspects for companies and organizations dealing with their privacy and data security obligations: their potential responsibility for the behavior of others. Lincoln Medical and Mental Health Center in New York City has posted a notice on its website explaining that several CDs containing patients’ protected health and personal information had apparently been lost in transit. One of the hospital’s vendors had shipped the CDs to the hospital via overnight courier, but they never arrived. According to the website, the CDs contained the following types of information: name, address, Social Security number, medical record number, patient number, health plan information, date of birth, dates of admission and discharge, diagnostic and procedural codes and descriptions, and possibly a driver’s license number.
The vendor and the overnight courier conducted an investigation, the vendor stopped shipping CDs in this fashion and, according to the website, “policies have been put in place to ensure that a similar incident does not recur.” The hospital does not know whether the protected health or personal information of patients was improperly accessed by any third party. The hospital sent letters to all the affected patients explaining the situation and recommending actions the patients should take to protect themselves from identity theft. These include ordering free (to the patients) credit reports, placing a credit alert on their consumer credit files, monitoring the activity in their financial and health accounts, and checking specified websites to learn more about how the patients can protect themselves against identity theft. The hospital also provided a toll-free number that the affected patients could call to have their questions answered.
The hospital may, of course, have indemnification rights against the vendor – which, under the HITECH Act, would clearly seem to be a “business associate” that is also primarily responsible for protecting patients’ protected health information. The hospital certainly has considerable exposure of its own, and its reputation is at risk as well. If the hospital has a well-negotiated privacy insurance policy, then it may be covered with respect to its potential liability to patients, its out-of-pocket costs (for notifying patients, providing credit monitoring services and providing call-center services), and with respect to crisis management steps that it could take to preserve its reputation.
Among other things, the situation highlights the irreducible fact that having strong internal privacy and network security systems is not enough to shield a company or organization from significant financial and reputational risk for the improper disclosure of protected health or personal information. The danger may be felt most keenly by healthcare organizations because of the especially sensitive nature of the information that they are obligated to protect, but all organizations that provide third parties with access to protected health or personal information (which, it should be remembered, includes information about an organization’s own employees) have similar exposure. (A recent post from WGA’s Healthcare Practice gives another example of how serious an issue privacy is for healthcare organizations.)