HIPAA news
HIPAA advisory
 HIPAAdvisory > HIPAAnews Phoenix Health Systems

U of MN Breach of Donor Confidentiality Shows Problems with Computer System

February 13, 2002, St. Paul, Minnesota -- The University of Minnesota recently breached the confidentiality of its organ donors. In a survey mailing sent to 1,200 recipients of kidney transplants, the University accidentally revealed the names of those who donated the kidney to the recipient. For many the name was no surprise, but 410 recipients learned the name of their donor for the first time.

Human error was the problem, according to an article in yesterday's Bureau of National Affairs (BNA) Privacy Law Watch. Citizens' Council on Health Care (CCHC), a Minnesota-based independent non-profit health care policy organization, disagrees, noting that a software upgrade in the University's database was cited as a key reason for the breach.

"To prevent these types of confidentiality breaches, the name of the donor and the name of the recipient must not be in a database that is used for other administrative purposes. If the names of donors and recipients are in the same database, that database should be used for no other purpose than simple documentation of the recipient-donor relationship," says Twila Brase, president of CCHC.

University officials told the BNA on February 8 that they had begun making apologies to all organ donors, and have contacted all recipients. Finding the recipients was easy, but, due to confidentiality protections, the University had to contact Lifesource, the company that manages organ donation in Minnesota, to locate the families of the deceased donors.

Richard Bianco, vice president of regulatory affairs for the University of Minnesota, said the University learned of the breach from a recipient. He noted that confidentiality is often key to organ donation, so an apology from the University is necessary. The University's internal review board, with purview over research involving humans, has now required that any future letters or surveys be reviewed by the board prior to dissemination.

"Although the University clearly understands the serious consequences of breaches in confidentiality, we would like them to address the problem of combined donor and recipient information accessible in what appears to be an administrative database. Relying only on review or improved training still allows significant opportunity for human error," says Brase.

"The hospital's database system must have as its first priority the protection of patient privacy, otherwise organ donation at the University may not have a bright future," Brase adds.


For more information, read Computerworld's article, Release of Organ Donor Data Prompts Changes.