Does DLP Help Solve HIPAA Concerns?

One of the most promising technologies for automatically enforcing compliance with sensitive data handling practices is Data Loss Prevention (DLP) technology and it is quickly gaining popularity and adoption across many industries. Does this mean that DLP is the answer to all sensitive information handling concerns? In short, I am sorry to say that while DLP offers excellent solutions within a limited range of data, such as payment cards, social security numbers, and other easily identifiable data, it does not offer great solutions for HIPAA compliance. Most recently a case of an employee being fired from Oakwood Hospital in Michigan has once again highlighted the utter impossibility of automatically enforcing HIPAA compliance. In this case, Cheryl James made some comments on Facebook which were interpreted as a violation of HIPAA requirements. This was not the case of medical records being leaked out, but rather a comment made by a medical professional. More information about the incident can be obtained here.

More and more people are using websites such as Facebook as a part of their everyday conversations with their friends and family. However, a comment made to a spouse in the privacy of one’s home is clearly not the same as posting that comment on Facebook. Since this is not the first time a comment made on a social networking website has landed a hospital employee in trouble, it’s clear that it will take some time before everyone fully realizes the risks of communication of sensitive data on social networking websites. Naturally the question that begs to mind is if there is anything that hospitals can do to prevent such incidents in the future. The advantage of DLP technology is that if you are able to define the pattern or a structure for the data that can be automatically identified as sensitive, the DLP technology will be able to prevent most inappropriate transfers of such data, including posting on social websites. However, with regard to healthcare, data that falls in the range of being considered PHI is very diverse and does not allow for automated identification. Therefore, techniques for reducing risks of inappropriate disclosure must fall back on the low-tech controls such as training and blocking high-risk websites like Facebook for all employees.