Researchers publishing in the journal Health Services Research recently conducted a study to determine whether there is a relationship between hospital data breaches and patient deaths. Of particular interest was whether remediation efforts that follow a hospital data breach diminish the quality of hospital care.
Remediation Efforts for Hospital Data Breaches: Related to Quality of Patient Care?
A hospital data breach is the unauthorized acquisition, access, use, or disclosure of protected health information (PHI), in a manner not permitted under the HIPAA Privacy Rule, that compromises the security or privacy of hospital patients' PHI.
To determine whether there was a relationship between hospital data breaches and patient deaths, the researchers analyzed patient outcomes at approximately 3,000 hospitals over a five-year period beginning in 2012. They sought to find out whether hospitals with data breaches had higher patient death rates.
To do so, the researchers compared hospitals that suffered known data breaches with those that did not. Specifically, they compared 30-day mortality after heart attack admission, tracked for several years after each breach.
The researchers found that a hospital data breach was associated with a 0.23 percentage point increase in the mortality rate within thirty days of a heart attack in the year of the breach. The increase grew to 0.36 percentage points two years after the breach and remained at 0.35 percentage points three years after the breach.
The researchers also found that breached hospitals took longer to perform an electrocardiogram on arriving heart attack patients than hospitals that had not been breached, and that this delay likewise persisted for years after the breach. Put in concrete terms, for every 10,000 heart attack patients at a breached hospital, the researchers observed up to 36 additional deaths beyond the expected heart attack fatality rate.
These figures suggest (without proving) that the immediate disruption of a data breach can interfere with patient care, and that responding to and recovering from a breach may have lasting effects on care quality. That much supports the conclusion that hospital data breaches and patient deaths are related. The researchers, however, took an additional, unwarranted step: they concluded that the remediation activities taken in response to a breach cause the reduction in care quality. In other words, they argued, implementing enhanced security measures after a data breach may itself result in patient deaths. Taken to its conclusion, the argument is that HIPAA compliance contributes to patient deaths.
The study does not support that causal claim. After describing the kinds of remediation controls hospitals might adopt, such as two-factor authentication, password protection, and IT upgrades and updates, the researchers did not measure whether any of the breached hospitals had actually implemented them, when, or how. Without that data, the study cannot distinguish the remediation hypothesis from the alternative it already acknowledges: that the breach and its operational fallout disrupted care directly. An association between breaches and worse outcomes is not evidence that the security controls were the cause. In other words, there is no evidence that HIPAA kills.