A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen, legal experts said Thursday.
District officials have refused to release any information about the employee who saved the information to the now-missing device. But a memo from the district's chief financial officer obtained by the Houston Chronicle identifies the employee as an associate administrator.
The administrator did not return an e-mail seeking comment or a telephone message left with a man who identified himself as her brother at a number listed under her name.
Fines possible
The Health Insurance Portability and Accountability Act, or HIPAA, requires health-care providers to safeguard patient records containing individually identifiable health information. The law calls for a $100 fine per violation but sets a $25,000 cap for each calendar year. The most serious violations, such as stealing information to sell it, could result in criminal prosecutions.
The federal Department of Health and Human Services fined Seattle-based Providence Health & Services $100,000 last month for allowing backup tapes, optical disks, and laptops containing unencrypted electronic protected health information to be lost or stolen in 2005 and 2006. The devices contained information about more than 386,000 patients.
Aside from that case, however, the federal government has done relatively little to crack down on HIPAA violations, the law professors said.
"This is an egregious invasion of people's privacy ... but the history of privacy violations in the United States is that there's all kinds of smoke, but very little enforcement of privacy laws," said Dr. William Winslade, who teaches health law at the University of Houston.
The hospital district has released little information about the situation. On Wednesday, spokesman Bryan McLeod issued a brief statement to the Chronicle saying patients affected by the breach would receive a letter in the mail and would be allowed to enroll in a credit protection program at the district's expense. The district has strengthened its policies and procedures regarding the use of transportable media devices, the statement said.
Harris County Judge Ed Emmett, who was briefed on the problem Thursday morning, described the situation as "the worst possible thing" imaginable. The data stored on the drive was not password-protected or encrypted and included "total files" ranging from names, birth dates and Social Security numbers to medical diagnoses and treatments, he said.
McLeod later issued a second brief statement saying the data on the device included the patients' names, medical record numbers, billing codes, the facilities where the office visits occurred and other billing information. It also included the patients' Medicaid or Medicare numbers, which can indicate their Social Security numbers or those of their spouses.
According to McLeod's Wednesday statement, the employee transferred the information to the portable storage device to complete a project at home. Asked for details about the project on Thursday, McLeod would only say it was "being used to review data as part of HCHD's ongoing compliance and monitoring process."
The July 31 memo obtained by the Chronicle was sent by Ferdinand Gaenzel to employees at the district's administrative office near Reliant Stadium. In it, he said three "memory sticks" belonging to the associate administrator were missing and were last seen on her desk. The information on one of them was "very important to the district and needs to be found as soon as possible," he added.
"However you choose to return them, we will keep your name confidential, unless you want to celebrate finding them, which I am willing to do," he said.
Emmett said the employee responsible had not been fired because hospital district officials fear it would dissuade other workers from admitting similar mistakes. But he called on the district to send a strong message that violating security and privacy policies will not be tolerated.
"I think some violations are so severe that you don't have any choice," he said. "Termination just would have to be an option."