If your medical records were exposed in a security breach, would you expect the hospital to tell you? You shouldn’t. Because of regulatory loopholes, only 56% of healthcare organizations that have exposed medical records notified the patients involved, survey results issued this month found.

“There are loopholes in almost every law regulating patient data management, including  the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), and Payment Card Industry Data Security Standards (PCI DSS) that have enabled breach cases to go unreported, preventing an accurate report on frequency,” says the 2008 HIMSS Analytics Report: Security of Patient Data, commissioned by Kroll Fraud Solutions.

The loopholes allow hospitals to cite “reasonable efforts,” “acceptable measures,” and similarly vague language to avoid notifying patients, the report states.

More than 1.5 million names were exposed in data breaches occurring in hospitals in 2006 and 2007, according to data cited by HIMSS Analytics.(Compare Data-Leak Protection products.)

Breaches can involve not just names but also Social Security numbers, birth dates, mailing addresses, insurance policy information, medical history, and credit card and financial information.

“Patient data breaches are the most difficult to clean up and cause problems beyond financial damage,” HIMSS Analytics states. “Patients whose data is used for medical fraud (i.e. the perpetrators use stolen information to receive treatment), suffer from insurance eligibility/application issues as well as misdiagnosis due to data on their records that does not apply to them.”
HIMSS findings were based on a survey of 263 healthcare industry professionals, about half of whom work in IT.

Survey respondents were generally familiar with HIPAA requirements, but typically focus on inappropriate access to data and privacy concerns, rather than the thorny issues of fraud and malicious intent. About 23% of breaches that required notification since 2000 were caused by an employee, including a temporary clerk convicted of stealing the identities of elderly patients for personal gain in Philadelphia, and a Louisiana emergency room clerk who deliberately leaked patients’ names, birth dates and Social Security numbers.