Missing files highlight need for tighter security
As details about the back-up files that went missing from a Massachusetts hospital emerge, it’s apparent that even with HHS’ new proposed rules on security and privacy set to take effect soon, hospitals may still have to do more when it comes to protecting patient data.
The not-for-profit South Shore Hospital in Weymouth, Mass., reported in July that back-up computer files containing personal, health and financial information for approximately 800,000 individuals may have been lost after the hospital contracted Phoenixville, Pa.-based Archive Data Solutions to destroy them.
According to the hospital, the files were sent on Feb. 26. When certificates of destruction were not provided in a timely manner, officials said they pressed Archive Data Solutions for an explanation and were finally informed on June 17 that only a portion of the files had been received and destroyed.
According to Jill Fallon, a company spokeswoman, Archive Data Solutions hired a freight carrier to pick up the back-up computer files. She says the entire shipment was picked up, “but after it was in their [freight carrier’s] possession only part of the shipment stayed intact and was able to be eradicated.”
She said the freight carrier was aware of the missing data and conducted its own investigation expecting it would be able to locate it on its own. Once it became clear that was not the case, Archive Data Solutions tried to help, Fallon says.
Archive Data Solutions is not releasing the name of its subcontractor, because it “helps with keeping the integrity of the investigation,” Fallon said. “Our intent was to focus on finding the data,” she added. “There has been significant due diligence on the part of the carrier and Archive Data Solutions.”
If South Shore had tighter chain-of-custody processes, it may have been alerted sooner about a problem, says healthcare IT security expert Mac McMillan, CEO of Austin, Texas-based CynergisTek, a provider of healthcare information security solutions, and chairman of the HIMSS Privacy and Steering Committee. He says part of these processes includes having a business associate agreement that also lays out processes for security.
Enforcement lacking
Currently, the Feb. 17, 2010, provisions in the HITECH Act, which require business associates of HIPAA-covered entities to be under most of the same rules as the covered entities, are not being enforced, as the final rule on these provisions is still in the comment period.
Having a security agreement is also currently not enforced by HIPAA, although McMillan says more hospitals are beginning to use them because they are finding out that just having a business associate agreement isn’t cutting it.
McMillan says a security agreement could include processes for:
- How material is prepared for shipping
- How material is loaded, transmitted, and then received at the facility
- How long the material is held before destruction, and when they should receive a certificate of destruction
However, his recommendation is that hospitals destroy their patient data on site so that they can retain complete control.
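The chain-of-custody point above comes down to reconciliation: knowing exactly what left the building, confirming that the same items arrived, and raising an alert as soon as a receipt or certificate of destruction is late rather than months afterward. The following is an added example of that bookkeeping, not code from the hospital, the vendor or the article; the tape labels, contents and deadline lengths are constructed, and only the shipping date mirrors the timeline reported here.

```python
"""Chain-of-custody ledger for backup media sent out for destruction (added example).

Each item is fingerprinted before it leaves, so a wrong or altered item can be
detected on receipt, and every shipment carries deadlines for the receipt
confirmation and for the certificate of destruction. The audit flags anything
overdue, which is the early alert a tighter process would have produced.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set
import hashlib


def fingerprint(content: bytes) -> str:
    """SHA-256 of the media image, recorded in the manifest before shipping."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Shipment:
    shipped_on: date
    manifest: Dict[str, str]                  # label -> expected sha256
    receipt_due_days: int                     # vendor must confirm receipt by then
    certificate_due_days: int                 # vendor must certify destruction by then
    received: Set[str] = field(default_factory=set)
    destroyed: Set[str] = field(default_factory=set)
    mismatched: Set[str] = field(default_factory=set)

    def record_receipt(self, label: str, sha256: str) -> bool:
        """Vendor confirms receipt; the hash must match what was shipped."""
        if label not in self.manifest:
            raise KeyError(f"{label} is not on the manifest")
        if self.manifest[label] != sha256:
            self.mismatched.add(label)        # arrived, but not the item we sent
            return False
        self.received.add(label)
        return True

    def record_destruction(self, label: str) -> None:
        """Certificate of destruction received; only valid for items received intact."""
        if label not in self.received:
            raise ValueError(f"{label} cannot be certified destroyed before it is received")
        self.destroyed.add(label)

    def audit(self, today: date) -> List[str]:
        """Return one alert per item whose next expected step is overdue."""
        alerts: List[str] = []
        receipt_deadline = self.shipped_on + timedelta(days=self.receipt_due_days)
        cert_deadline = self.shipped_on + timedelta(days=self.certificate_due_days)
        for label in sorted(self.manifest):
            if label in self.mismatched:
                alerts.append(f"{label}: received content does not match shipped fingerprint")
            elif label not in self.received and today > receipt_deadline:
                alerts.append(f"{label}: no receipt confirmation, was due {receipt_deadline}")
            elif label in self.received and label not in self.destroyed and today > cert_deadline:
                alerts.append(f"{label}: no certificate of destruction, was due {cert_deadline}")
        return alerts


# Constructed sample: three backup tapes shipped on the date reported in the article.
TAPES = {
    "tape-01": b"constructed backup image 1",
    "tape-02": b"constructed backup image 2",
    "tape-03": b"constructed backup image 3",
}


def example_shipment() -> Shipment:
    """Shipment where only one of three tapes is confirmed received intact."""
    shipment = Shipment(
        shipped_on=date(2010, 2, 26),
        manifest={label: fingerprint(data) for label, data in TAPES.items()},
        receipt_due_days=10,                  # constructed contractual deadline
        certificate_due_days=30,              # constructed contractual deadline
    )
    shipment.record_receipt("tape-01", fingerprint(TAPES["tape-01"]))
    return shipment


def alerts_on(year: int, month: int, day: int) -> List[str]:
    """Audit the sample shipment as of a given date."""
    return example_shipment().audit(date(year, month, day))


if __name__ == "__main__":
    for line in alerts_on(2010, 3, 15):
        print(line)
```

With the constructed ten-day receipt deadline, the two tapes that never arrived are flagged in mid-March, not in mid-June; a hash mismatch on receipt is flagged immediately, and a tape that arrived but was never certified destroyed is flagged once the certificate deadline passes.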
According to Fallon, Archive Data Solutions did not have a business associate agreement with the hospital. Sarah Darcy, media relations manager at South Shore, would not comment as to whether the hospital had one.
HHS can penalize the hospital for not executing a business associate agreement, says Chris Apgar, president of Portland, Ore.-based Apgar and Associates, a firm which addresses the healthcare industry's growing need to comply with information privacy and security requirements. He says that right now, from a regulatory standpoint, Archive Data Solutions will not be liable for any penalties.
“This does not prevent the hospital from suing the data management company for damages, especially as it relates to breach notification, though, nor does it prevent anyone who feels they were harmed from filing a lawsuit related to damages,” he said.
“This is ripe for a class action lawsuit,” Apgar added.