How to Show Due Diligence to Regulators in a Personal Health Information (PHI) Data Breach

An interesting question, sparked by an interesting legal case, was posed on the FAIR Institute LinkedIn group discussion page recently, and answered by Institute Chairman Jack Jones. The State of New Jersey is trying to take away the license of a prominent psychologist for failing to protect patient privacy, claiming a long-running data breach of patient PHI.

Here’s the question and answer from the FAIR LinkedIn forum, with details of the case following:


With regulators & courts claiming negligence, how would you show diligence in security operations?

Jack Jones:

I'd rely on being able to show competence in a few "basic" things:

1) Visibility into my risk landscape (assets, threats, control conditions)

2) Strong analytic methods and tools that allow me to prioritize effectively and choose cost-effective solutions 

3) Highly reliable execution of policies and processes based on: a) clearly articulated expectations that are well communicated through education and awareness, b) ensuring personnel had the necessary skills and resources, and c) effective and consistent incentives for compliance.

This boils down to making well-informed decisions and reliable execution (low variance/non-compliance).

Like anything else, it would never assure perfection (thus the potential for having a breach where you'd have to deal with claims of negligence), but if these are in good shape the odds of a major breach will be lower, and my ability to defend my decisions/operations should be much stronger. 

The Case:

A complaint filed by the New Jersey attorney general’s office with the state’s psychology licensing board says that psychologist Barry Helfmann and colleagues in his practice routinely sent copies of patients’ “true bills,” showing their names and medical conditions, to a collections agency, and that these bills were then made public in court documents in more than 70 lawsuits against the patients, in effect a PHI data breach. For this repeated failure to protect patient privacy, Helfmann should have his license revoked or suspended, the complaint argues.

Helfmann told the New York Times: “I’ve spent my entire career advocating for patient privacy in many, many endeavors. And to be accused of something I didn’t do around patient privacy, which is a sacred tenet of what a psychologist does, is terrible.” According to The Times, he claims he did not know his attorneys filed the medical records with the courts, and he is suing them for malpractice. He is also counter-suing the attorney general and the psychology board, says The Times.

