A 911 dispatch office in Monroeville, Pittsburgh is being reviewed for a possible violation of the Health Insurance Portability and Accountability Act (HIPAA) after failing to secure protected health information.
The Office for Civil Rights of the U.S. Department of Health and Human Services received a complaint in August 2012 relating to the dispatch office after a former police chief was sent protected health information via E-mail, which breaches HIPAA regulations.
While the e-mail disclosures themselves breach HIPAA, the complaint also emphasized another possible HIPAA-compliance issue. Generic user names and passwords had been established to ‘protect’ a database of 911 callers’ medical information, potentially exposing confidential information to anyone with the login details. Because the credentials were shared rather than tied to an individual, anyone who knew them could log in and access all of the data held in the database, with no way to attribute that access to a specific person.
The complaint was submitted by Assistant Police Chief Steven Pascarella after he discovered that communications were still being sent via E-mail to a former police chief. Even though George Polnar retired in 2010 and took a position as manager of security at UPMC East, he was still allegedly being sent details of ambulance dispatches.
After the complaint was filed, officials at the Monroeville 911 dispatch center commenced a review using a private investigator. Lynette McKinney, manager of the 911 dispatch center, issued a statement to warn potential victims of the security breach. “Anyone who has called the police, called the fire department, used our [emergency services] or was transferred to or from a Monroeville hospital could be affected by the breach,” she said. At this point it is not clear when the leaks began, but it is likely the data was accessed late in 2011 and the breach carried on until shortly after the complaint was received in August 2012.
According to McKinney, the issues are more severe than the sending of an E-mail containing protected data. She said, “The magnitude of this investigation is well beyond the leaking of one resident’s private information to a former chief of police.” Protected information was accessible via the 911 database, and a number of people potentially had access to the data, with both municipal and non-municipal personnel incorrectly provided with access.
The data recorded by the dispatch office varied from caller to caller, but it included personal identifying data such as name, address and driver’s license number. In some cases, details of the callers’ medical history were added to the database. The claims were denied by the then chief, Doug Cole, who argued that the information in the dispatch data was not covered by HIPAA.
After the complaint, the Office for Civil Rights told McKinney that an investigation must be completed and that information must be provided to the OCR on the privacy practices at the dispatch office as well as the steps taken to minimize any damage caused. The OCR believes that there could have been HIPAA violations relating to privacy, security and breach notification. Should this turn out to be the case, a financial penalty of up to $1.5 million may have to be paid by the Monroeville 911 dispatch center.
Since the complaint was reported, policies and procedures have been changed and login access restricted to the police department and the dispatch center, with access to the database by the fire department and EMS now denied. Pascarella said that dispatch information had been accessible to anyone with the login details, from internal or external computers.
While each authorized user was given a unique login and password, a generic login was also provided to each of the five fire stations when the system was set up. Anyone in the fire department could therefore have seen the PHI of 911 callers, and because a shared login cannot be traced to an individual, it is not clear how many people accessed the data during that period.