PQ Systems - Quality eLine

Assuring security of medical data demands quality control

A young man in PQ Systems’ hometown survived a dramatic auto accident last summer in which police-captured video footage of his spectacular, airborne vehicle was broadcast throughout the nation. That was just the beginning of his problems, for during his hospitalization, his medical records were apparently accessed by unauthorized hospital personnel and leaked to those outside the hospital.

Another recent dramatic case of healthcare data breach occurred when gamers who were seeking bandwidth in order to play a video game accessed a server storing protected information on 230,000 patients at Seacoast Radiology in Rochester, NH.(1) In another case, Social Security numbers were printed on address labels for 50,000 clients of the California Department of Healthcare Services.

Privacy violations, voiced as complaints under the Health Insurance Portability and Accountability Act (HIPAA) or Office of Civil Rights (OCR), represent a serious threat to the maintenance of individuals’ privacy in medical care, and seem to be on the rise.(2) Not only a fraud issue, these violations reflect lapses in quality control, since data security represents a process that can be monitored, charted, and analyzed for improvement.

With data breaches costing the healthcare industry nearly $6 billion a year, a survey of 211 senior managers at 65 provider organizations indicates that a significant number of these organizations cannot properly secure data.(3) Respondents at 71 percent of the surveyed provider facilities (hospitals, delivery systems, and physician practices) reported inadequate resources, a lack of appropriately trained personnel (52 percent) and insufficient policies and procedures (69 percent) to detect or prevent breaches.

More troubling, many organizations do not perceive data security to be a priority. Protecting patient information is not a top priority at 70 percent of responding hospitals. Two-thirds of organizations have fewer than two staff dedicated to data protection management, the Ponemon study indicates. The Institute cautions that with a small sample size, it is dangerous to generalize about the industry. Nonetheless, any data breach or privacy violation is troubling.

Privacy areas that are most often investigated by the Justice Department (with few criminal prosecutions, in spite of increasing numbers of complaints) are:

  • Impermissible uses and disclosures of protected health information (PHI);
  • Lack of safeguards of protected health information (PHI);
  • Lack of patient access to their PHI;
  • Uses or disclosures of more than the Minimum Necessary PHI; and
  • Complaints to the covered entity.

Health data security breaches, or medical information accessed inappropriately, affected more than 500 patient records in less than four weeks from September 23 through October 18, 2010, according to an analysis by HIP/SA. For the most part, the breaches are due to theft of data. With increasing use of electronic data capture and storage in medical records, security breaches remain a concern.

Security breaches, September 23-October 18, 2010:

Type of breach         Number of incidents
Theft                  102
Unauthorized access    40
Loss                   36
Improper disposal      12
Hacking/IT incident    11
Other                  1

The question for the quality professional to consider is how traditional improvement tools and techniques can reduce breaches of health data security. These same tools have helped improve processes and products in manufacturing, education, and service industries around the world.

The answer: Data. Collecting data, as the chart above demonstrates, can pinpoint the kinds of breaches that are most common. A Pareto diagram (Figure 2) will clearly identify the categories with the greatest impact.

Further analysis of data will point to process breakdowns. If one were to analyze thefts, for example, disaggregating the data by time of day, personnel on duty, type of information that is stolen, whether it is electronic or physical access, or other markers, an improvement plan could be developed based on data. Information is derived from data analysis, and actions can then be based on accurate information. The lack of physical safeguards continues to be one of the leading actionable complaints in the HIPAA privacy enforcement program. 

Figure 2
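
The Pareto ranking the article describes can be computed directly from the incident counts in the table above. This is an added example, not part of the original newsletter; the function names and the 80 percent cut-off for the "vital few" are assumptions chosen for illustration.

```python
# Incident counts copied from the article's table (Sept 23 - Oct 18, 2010).
BREACHES = {
    "Theft": 102,
    "Unauthorized access": 40,
    "Loss": 36,
    "Improper disposal": 12,
    "Hacking/IT incident": 11,
    "Other": 1,
}


def pareto(counts):
    """Rank categories by count; return (name, count, pct, cumulative_pct) rows."""
    total = sum(counts.values())
    if total == 0:
        return []
    rows, running = [], 0
    # Largest first; a catch-all "Other" bucket goes last by Pareto convention.
    ordered = sorted(counts.items(), key=lambda kv: (kv[0] == "Other", -kv[1]))
    for name, n in ordered:
        running += n
        rows.append((name, n, 100 * n / total, 100 * running / total))
    return rows


def vital_few(rows, threshold=80.0):
    """Categories needed to reach the cumulative threshold (80% is an assumed cut)."""
    chosen = []
    for name, _n, _pct, cum in rows:
        chosen.append(name)
        if cum >= threshold:
            break
    return chosen


def render(rows, width=40):
    """Text stand-in for the Pareto chart: one bar per category plus cumulative %."""
    top = max(n for _, n, _, _ in rows)
    lines = []
    for name, n, pct, cum in rows:
        bar = "#" * max(1, round(width * n / top))
        lines.append(f"{name:<20} {n:>4} {pct:5.1f}% {cum:6.1f}%  {bar}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = pareto(BREACHES)
    print(render(table))
    print("Focus first on:", ", ".join(vital_few(table)))
```

On these counts, theft, unauthorized access, and loss together account for about 88 percent of the 202 incidents, which is where an improvement plan would start disaggregating further.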

Another approach to data analysis might be to look more closely at other entities that have had to take corrective action to get into compliance with HIPAA standards. One might think that healthcare management breaches occur in hospitals only, but this is clearly not the case. Potential entities include private medical practices, general hospitals, outpatient facilities, health plans, and pharmacies. A case in Texas, for example, involved six independent pharmacies that filed a lawsuit against CVS Caremark, charging violations of the HIPAA privacy rule, among other offenses. CVS Caremark is a national pharmacy chain and mail-order pharmacy benefit management firm.(4)

A growing sense of breaches of privacy has emerged in financial and retail industries as well as in healthcare, of course. This is not a healthcare problem per se, but instead represents expanding technology that demands increased scrutiny of data management. This scrutiny depends on understanding the scope of the problem—and this is where information technology and data analysis play key roles. Without understanding what kinds of breaches occur, as well as their frequency and impact, any attempt to bolster data security will be simply a shot in the dark.

(1) Health Data Management <accessed January 12, 2011>
Also cited: Information Week <accessed February 15, 2011>

(2) http://www.melamedia.com/HIPAA.Stats.home.html

(3) Traverse City, Mich.-based Ponemon Institute, a research firm focusing on privacy, data protection and information security policy, conducted the survey, which included interviews with 211 senior managers at the 65 organizations. The survey focused on adherence to HITECH Act privacy and security requirements. ID Experts, a Portland, Ore.-based data breach prevention and remediation firm, paid for the survey.
Goedert, Joseph. “Survey: Data Security Not a Priority.” Health Data Management.com. <Accessed November 4, 2010.>

(4) http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

(Note: This article was published in QualityDigest.com weekly newsletter in January.)


PQ Systems  |  Proof of quality.

PQ Systems, Inc.  |  210 B East Spring Valley Road, Dayton, OH 45458  |  800-777-3020

Copyright 2011 PQ Systems, Inc. All rights reserved.