NEW HAMPSHIRE IDENTITY THEFT AND THE HEALTH CARE INDUSTRY New Hampshire Business Review
Identity theft and the health-care industry
By Linn F. Freedman and James Hatem
Friday, October 26, 2007
According to Privacy Rights Clearinghouse, one out of every five Americans reported data breaches in 2005. The sheer number of records containing sensitive personal information involved in security breaches is staggering. Between Feb. 15, 2005, and July 27, 2007, 158,937,228 records containing sensitive personal information were involved in security breaches.
It is natural to assume that security breaches usually involve financial information or credit card information. However, the health-care industry is a prime target of thieves, since medical records contain personal information of patients, including Social Security numbers, dates of birth and driver’s license numbers. It also is a prime candidate for mishaps, since the free flow of patient information is fundamental to the delivery of quality medical care.
Privacy breaches of medical records occur most often through lost or stolen laptops containing patients' medical records, or through computer hackers gaining access to hospital or medical systems to obtain personally identifiable information. Privacy breaches can include fraud, loss or inadvertent disclosure.
California enacted the first data breach notification law in July 2003. Since then, 33 additional states and the District of Columbia have adopted data breach notification laws, including New Hampshire.
Since Jan. 1, 2007, New Hampshire law has required notice of the unauthorized acquisition of personally identifiable information if it is determined that there is a reasonable likelihood that the information has been or will be misused.
Specific requirements
The impact of New Hampshire law regarding security breaches on the health-care industry is significant. Because medical records contain personally identifiable information that can be utilized by identity thieves, hospitals and health-care providers should be aware of how the law applies to the information contained in medical records, and that the purposeful or inadvertent disclosure of such information presents issues not only under the Health Information Portability and Accountability Act of 1996, but also under New Hampshire law.
Under New Hampshire law, if medical records are inadvertently or purposefully disclosed without patient authorization, hospitals and health-care providers must provide notification to patients that the disclosure occurred if the hospital or health-care provider reasonably believes that the information has been or will be misused.
New Hampshire law has specific requirements regarding notification of patients in the instance of inadvertent or fraudulent disclosure. In addition, it has significant penalties attached to it, including that a person “injured” by the violation may bring an action for damages and equitable relief as well as actual damages sustained.
Further, if it is proven that the disclosure was willful or knowing, a person is entitled to two to three times actual damages and the court may award costs and attorneys’ fees. The New Hampshire Attorney General also has prosecutorial jurisdiction.
It goes without saying that health-care entities and providers should ensure that they put in place proper security measures with respect to medical records. These measures are not only essential for compliance with HIPAA, but to impede potential hackers and to lessen the chance for inadvertent disclosure of medical records.
For planning purposes, the bottom line is that entities should assume that it is not a matter of whether a laptop will be lost or stolen or whether some other event will trigger a security breach concern; it is a matter of when. It is therefore imperative that health-care entities develop a data breach plan internally before a breach of security takes place — so that, if a breach occurs, the plan can be implemented in an orderly and efficient manner.
While developing a plan, the health-care entity can increase internal awareness of the actions that are required in the event of a security breach, the issues that will be confronted as a result of a breach, the options that are available to address the breach, and the steps needed to implement the plan in an orderly and efficient manner.
For instance, the entity should address difficult issues that arise as a result of a breach, including how hard it is to determine with any real certainty whether there is a reasonable likelihood that the information has been or will be misused. In addition, the entity can research the mitigation options that are available and their related costs.
An essential part of a plan is to determine the personnel requirements for each part of implementation, as well as the state law requirements in each state in which the health-care entity does business. If a plan is in place, all of these factors can be considered unhurriedly and methodically before the alarm bells sound, so that, if and when a breach occurs, it can be dealt with in an organized manner instead of in crisis mode.
Linn Freedman, a partner in the law firm Nixon Peabody LLP, focuses her practice on health-care law and complex litigation and chairs the firm’s Health Information Technology Group. James Hatem, also a Nixon Peabody partner, has a practice that encompasses a broad range of business and regulatory matters, including general corporate law and governmental relations.