The Risk Posed by Unauthorized PHI & PII Disclosure is Contextual
The data elements that the HIPAA breach notification rule and state breach laws designate as PHI or PII range from mundane, publicly available items such as name and mailing address to more private information such as account numbers and medical record numbers. When PHI or PII is compromised, one of the factors that determines the level of risk to the affected individuals is the sensitivity of the data involved. Social Security numbers, full account numbers and PINs, for example, are treated as high risk. It is tempting to dismiss any significant risk of harm when an unauthorized disclosure involves only names, email addresses, mailing addresses and partial account numbers (the last four digits), on the reasoning that this information can be assembled from public sources anyway. But this week Wired's Mat Honan showed us the hard way (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/) that in the wrong hands even this seemingly innocuous set of data can be turned into a damaging attack. The attackers needed only his name, billing address, email address and the last four digits of his credit card: those elements were enough to satisfy the identity checks used by Amazon and Apple customer support, and a password reset issued on the strength of them led to the takeover of his accounts and the remote wiping of his devices. Nothing was exploited in software; the gaps were in the privacy and security policies and customer service practices that treated low-sensitivity data as proof of identity.
What does this mean for the industry at large, and especially for healthcare, which holds an enormous amount of highly sensitive PHI and PII? Should unauthorized access to or disclosure of any amount of PHI/PII be treated as a data breach, or is that a knee-jerk reaction and unwarranted? In conversations with industry colleagues and with healthcare organizations that use our ID Experts RADAR(TM) tool to perform incident risk assessments and decide whether an incident is a reportable breach, the consensus is that each incident is unique. RADAR's approach of scoring each incident on two dimensions, the PHI/PII elements involved and the nature and circumstances of the incident (for example, hacking versus incidental disclosure), gives them a consistent way to analyze an incident and decide whether it poses a significant risk of harm.
In the final analysis, what happened to Mat is alarming and could have happened to anyone with a digital footprint, but the lesson is not that every disclosure is a breach. It is that the risk of a given set of data elements depends on how they can be combined and where they can be used, so each incident has to be analyzed on its own facts.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.