Get Out of HIPAA Jail Free

Consider a couple of nightmares that might easily come true:

1. Your laptop, with a variety of documents and files containing confidential, protected health information on its hard drive, is stolen from your car, hotel, or disappears while you are traveling.

2. Your office is burglarized and all the desktop computers, as well as a server containing your patient database, are stolen.

I ran across the following set of statistics, or very similar ones, repeatedly, most often on web sites of security companies:

  • Every 53 seconds another laptop is stolen in the USA.
  • At least 600,000 laptops are stolen each year in the USA. 
  • Hardly any (3%) stolen laptops are ever recovered. 
  • Laptop computer theft trails only identity theft as the most common crime. 
  • Almost half of all data leaks and breaches are the result of lost or stolen portable computers, according to a study by The Identity Theft Resource Center .
  • Laptops are the number-one item stolen in San Francisco – San Francisco Police Department.
  • The Identity Theft Resouce Center’s recent list of 397 significant data breaches so far for the year of 2009 includes 51 healthcare breaches that compromised almost 9 million records.

Most of the sources of these data are trying to sell a security solution of one sort or another, but the vulnerability of laptops, especially in transit, is obvious. I don’t have any statistics for burglaries of computer systems from offices, but I’ll wager that most of you either know of a victim of such a crime, or have been a victim yourself.

Long before HIPAA, health professionals – especially mental health professionals – had a professional responsibility to safeguard the privacy of their patients/clients and the confidentiality of the personal and clinical information in their custody. HIPAA came along and increased our awareness of the special risks of electronic records and communications, defining Protected Health Information (PHI) at a federal level and providing some rules and guidelines for securing PHI stored or transmitted in electronic form. Now the Health Information Technology for Economic and Clinical Health Act (HITECH) has arrived and adds some pretty sharp teeth to HIPAA’s privacy and security rules.

If you need a push to get you to take privacy and security compliance seriously, consider the following from Section 13402 – Notification In The Case Of Breach. (This section is from HITECH/HIPAA: Notification in the case of breach at (a site I would strongly recommend that you visit). The bold italics are mine:

If PHI is secured as per the guidance then providers have a “safe harbor” and the notification requirements are not triggered in case of a breach. Despite the safe harbor, other federal and state PHI laws remain in full force and effect. Any PHI not secured as per the guidance is considered to be unsecured PHI whose breach will trigger the notification requirements. 13402(a): Covered Entities (CE’s) must notify individuals. 
13402(b): Business Associate’s must notify CE’s. 
13402(d): Notification must be no later than 60 days after discovery. 
13402(e): Specific notification methods are required depending on the number of individuals whose PHI was breached. 
13402(f): the notification must contain specific content.
13402(h): unsecured PHI* means PHI that is not secured through: 1) encryption; and/or 2) destruction—as provided by HHS guidance. Methods must render PHI “unusable, unreadable, or indecipherable” to unauthorized individuals (see HIPAA Security Rule  & NIST standards).

If PHI is secured as per the guidance then providers have a “safe harbor” and the notification requirements are not triggered in case of a breach. Despite the safe harbor, other federal and state PHI laws remain in full force and effect. Any PHI not secured as per the guidance is considered to be unsecured PHI whose breach will trigger the notification requirements.

If over 500 individuals’ PHI has been compromised then the media must be notified and the Secretary of HHS as well.

Breach: “the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an authorized person to whom such information is disclosed would not be able to retain such information.”

Do you really want to have to choose between:

  1. Significant civil penalties (between $100 and $50,000 per violation, up to $1.5 million maximum per incident) and …
  2. Publishing in the local media a notice of your failure to protect your patients’ private information?

Of course not! Why not take advantage of the explicitly defined safe harbor? If the hard drive of that missing laptop has been encrypted, using appropriate technology, then there is no notification requirement at all! The same technology can be applied to every hard drive in your organization, especially the servers on which the bulk of the PHI resides. There are numerous commercial disk encryption approaches available, as well as free, open-source solutions such as TrueCrypt, that would provide you with the protection you want and owe to your patients, all penalties aside.

My previous post regarding encryption resulted in no reader response whatsoever. Does this information about your notification responsibilities make it more likely that you will move forward with data encryption? If not, why not?

0 thoughts on “Get Out of HIPAA Jail Free

  • Seth,
    Thank you for staying so informed on all this. I understand what you are saying about about full drive encryption and will definitely be doing that ASAP. Your advice is always valued.

  • Seth, I have a provider who stores everything electronically via

    this is an ideal online server (with a few minor issues) which allows all data to be encrypted, password protected and best of all? Stored off site with back up options. It allows access to only the providers who need access and is ideal for a new fast forward practice who is moving toward “virtual” offices.

    Now it does have some issues, such as, any information that needs to be accessed or reviewed, must be downloaded first. Also-you must download the information if you have an internet fax. But this is ideal for a paperless office.

  • Lois, you can, and most definitely should, use TrueCrypt or a similar product on that flash drive! They are so easy to lose! Do it right away!

    Debra, I assume by cyber-backups you mean online backups. Virtually all of those services use heavy duty encryption, and most encrypt the data before it is transmitted, so that is great, as far as it goes. In fact, it brings us back to Lois’s issue about backups. It is essential that they are encrypted as well. Encrypting the hard drive does not confer encryption to backups of that data on a tape, flash key, or DVD. The backups must be specifically encrypted as well.

    The reason I am pushing full drive encryption rather than just encrypting certain databases or folders is that you secure everything stored on the system: emdeon claim files, letters, the entire SOS database, and so on, without having to mess with a bunch of different procedures and encryptions keys. If it is stored on the hard drive, it is secure. Disk encryption is pretty easy to do, and the benefits in terms of peace of mind are huge!

  • A theft would be a nightmare – but then dealing with the consequences you mention is even more so. Does encryption software work with Emdeon, cyber back ups, etc. And are cyber backups even allowed? I feel so 20th century with all that is happening.

  • Thanks you for all of this information. But I have an additional concern:
    Since I carry about a flash drive that contains just about all of my computer information, I would love to know how to secure the data on it. Any thoughts or suggestions?

  • And this just in….
    Laptop Theft Nets Data On 800,000 Doctors

    The stolen laptop contained personal data on nearly every physician in the country.
    By Thomas Claburn
    October 15, 2009 03:47 PM

    The theft of a laptop belonging to an employee of an insurance trade group has put hundreds of thousands of physician around the country at risk of identity theft.
    The laptop, belonging to an employee of the Blue Cross and Blue Shield Association (BCBSA), was stolen from a car in late August, according to reports in the Boston Globe and the Chicago Tribune. It contained a database listing the business and personal information of about 800,000 doctors.

    BCBS apparently is going to offer credit monitoring subscriptions to all those physicians. Yikes! BCBS subscribers will be seeing a bump in their renewal costs, I guess. This would have been a non-issue if the hard disk on that personal laptop had been encrypted.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.