New York City's Health and Hospital Corporation notified its patients last week of a loss of electronic files containing personal data, including PHI of some 1.7 million people. Electronic files were stolen while the information management company's van was left unlocked and unattended.
This case should serve as a great reminder to:
- check your existing contracts - including Business Associate Agreements - with HIT and health information management vendors, to see if such agreements contain appropriate clauses indemnifying the provider against costs, losses, fines and other expenses incurred as a result of the vendor's loss or improper disclosure of protected personal data, including PHI;
- make sure that those same contracts do not impose a cap on the vendor's liability in the event of such a breach;
- confirm that you have a proper breach response plan in place (which should include, e.g., where applicable, procedures for notifying patients in foreign languages); if not, bring together management, legal, IT, and privacy and security officers to develop such a plan as soon as possible; and
- review your policies and procedures with respect to compliance with the HIPAA Privacy and Security Rules, especially as modified by the HITECH Act.
Via the New York Times:
On Wednesday, the agency started mailing notification letters to the victims, in 17 languages, announcing an information hot line and customer care centers at both hospitals, and offering free credit monitoring and fraud resolution services for one year. Those interested in the offer have 120 days to register. The notification text is also available online.
The hospitals corporation said it had taken “decisive steps to protect the individuals who are potentially affected,” even though there is no evidence the information, contained on computer backup tapes that were being delivered to “a secure storage location,” has been accessed or misused. It also said that the data is stored in a program “that would make it difficult for someone without technical knowledge to access the private information.”
The hospitals corporation has filed suit to hold the vendor, GRM Information Management Services, responsible for covering all damages related to the loss of the data.
For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.