Pittsburgh 911 Dispatch Center Investigated for HIPAA Violation

A 911 dispatch center in Monroeville, Pittsburgh is being investigated for a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) after failing to safeguard protected health information.

The Office for Civil Rights of the U.S. Department of Health and Human Services received a complaint in August 2012 relating to the dispatch center after a former police chief was sent protected health information via E-mail, which violates HIPAA regulations.

While the electronic communications violate HIPAA, the complaint also highlighted another potential HIPAA-compliance issue. Generic user names and passwords were created to ‘protect’ a database of 911 callers’ medical information, potentially exposing confidential information to anyone with the login details. Users with those credentials would be able to log into the database and access all of the information held in the database.

The complaint was made by Assistant Police Chief Steven Pascarella after the discovery that communications were still being sent via E-mail to a former police chief. Even though George Polnar retired in 2010 and took up a position as manager of security at UPMC East, he was still allegedly being sent details of ambulance dispatches.

After the complaint was received, officials at the Monroeville’s 911 dispatch center commenced an investigation using a private investigator. Lynette McKinney, manager of the 911 dispatch center, issued a statement to alert potential victims to the security breach. “Anyone who has called the police, called the fire department, used our [emergency services]” or was transferred to or from a Monroeville hospital could be affected by the breach”, she said. At this point it is not clear when the leaks started, but it is likely the information was accessed late in 2011 and the breach continued until shortly after the complaint was received in August 2012.

The problems are more severe than the sending of an E-mail with protected data according to McKinney. She stated that “The magnitude of this investigation is well beyond the leaking of one resident’s private information to a former chief of police.” Protected information was accessible via the 911 database and a number of individuals potentially had access to the data, with both municipal and non-municipal personnel incorrectly provided with access.

The data recorded by the dispatch center varied from caller to caller, although personal identifying information was included such as name, address and driver’s license numbers were also recorded. In some cases, details of the callers’ medical history were added to the database. The allegations were denied by the then chief, Doug Cole, who claimed that the information in the dispatch data was not covered under HIPAA.

Following the complaint, the Office for Civil Rights has advised McKinney that an investigation must be conducted and information provided to the OPCR on the privacy practices at the dispatch center as well as the steps taken to mitigate any damage caused. The OCR believes that there could potentially have been HIPAA violations relating to privacy, security and breach notifications. Should this turn out to be the case, a financial penalty of up to $1.5 million may have to be covered by Monroeville’s 911 dispatch center.

Since the complaint was made, policies and procedures have been changed and login access restricted to the police department and the dispatch center, with access to the database by the Fire department and EMS now blocked. Pascarella said that dispatch information was viewable by anyone with the login details, via internal or external computers.

While each authorized user was provided with a unique login and password, when the system was set up a generic login was supplied to each of the five fire stations. Anyone in the Fire department could therefore have accessed the PHI of 911 callers, although it is not clear how many individuals accessed the data during this period.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.