> But for all the HIPAA guidelines, we know of major health care breaches
> (e.g. Kaiser, HCA, Lab Corp, etc.) so the strict guidelines didn't
> protect the patients' data with those companies.
This is easy: the portal isn't the only place where patient information
is stored and there are other ways to access data held in the patient
portal.

Ever have an MRI or a contemporary x-ray (without films)? Those images
each contain information about the patient and they are stored in a PACS
(which may have a more sophisticated storage system behind it). This PACS
isn't part of the portal, but it has the images and a practitioner will
interpret the images, and then the images (and the radiologist's
report) will be saved somewhere where you can review them through the portal.

Billing processors also have different access. They never need all the
information in your chart, but they need enough information to process an
insurance claim and then collect the remaining unpaid obligation. Even
reducing the information needed, the billing processor still has enough
information to create a HIPAA violation.

Pharmacies also have a different access route to information in the
portal... like the billing processor, the pharmacist doesn't get
everything in the patient's chart but they still need a lot of
information to do their thing.

Researchers and practitioners also sometimes store patient information in
places where they shouldn't (nobody has figured out how to stop laptop
thefts yet).

All this is off the top of my head. I'm sure there are other situations
where patient data could be compromised.
- Henry Mensch