Consider a couple of nightmares that might easily come true:
1. Your laptop, with a variety of documents and files containing confidential, protected health information on its hard drive, is stolen from your car, hotel, or disappears while you are traveling.
2. Your office is burglarized and all the desktop computers, as well as a server containing your patient database, are stolen.
I ran across the following set of statistics, or very similar ones, repeatedly, most often on web sites of security companies:
- Every 53 seconds another laptop is stolen in the USA.
- At least 600,000 laptops are stolen each year in the USA.
- Hardly any (3%) stolen laptops are ever recovered.
- Laptop computer theft trails only identity theft as the most common crime.
- Almost half of all data leaks and breaches are the result of lost or stolen portable computers, according to a study by The Identity Theft Resource Center .
- Laptops are the number-one item stolen in San Francisco – San Francisco Police Department.
- The Identity Theft Resouce Center’s recent list of 397 significant data breaches so far for the year of 2009 includes 51 healthcare breaches that compromised almost 9 million records.
Most of the sources of these data are trying to sell a security solution of one sort or another, but the vulnerability of laptops, especially in transit, is obvious. I don’t have any statistics for burglaries of computer systems from offices, but I’ll wager that most of you either know of a victim of such a crime, or have been a victim yourself.
Long before HIPAA, health professionals – especially mental health professionals – had a professional responsibility to safeguard the privacy of their patients/clients and the confidentiality of the personal and clinical information in their custody. HIPAA came along and increased our awareness of the special risks of electronic records and communications, defining Protected Health Information (PHI) at a federal level and providing some rules and guidelines for securing PHI stored or transmitted in electronic form. Now the Health Information Technology for Economic and Clinical Health Act (HITECH) has arrived and adds some pretty sharp teeth to HIPAA’s privacy and security rules.
If you need a push to get you to take privacy and security compliance seriously, consider the following from Section 13402 – Notification In The Case Of Breach. (This section is from HITECH/HIPAA: Notification in the case of breach at lawtechtv.com (a site I would strongly recommend that you visit). The bold italics are mine:
If PHI is secured as per the guidance then providers have a “safe harbor” and the notification requirements are not triggered in case of a breach. Despite the safe harbor, other federal and state PHI laws remain in full force and effect. Any PHI not secured as per the guidance is considered to be unsecured PHI whose breach will trigger the notification requirements. 13402(a): Covered Entities (CE’s) must notify individuals.
13402(b): Business Associate’s must notify CE’s.
13402(d): Notification must be no later than 60 days after discovery.
13402(e): Specific notification methods are required depending on the number of individuals whose PHI was breached.
13402(f): the notification must contain specific content.
13402(h): unsecured PHI* means PHI that is not secured through: 1) encryption; and/or 2) destruction—as provided by HHS guidance. Methods must render PHI “unusable, unreadable, or indecipherable” to unauthorized individuals (see HIPAA Security Rule & NIST standards).
If PHI is secured as per the guidance then providers have a “safe harbor” and the notification requirements are not triggered in case of a breach. Despite the safe harbor, other federal and state PHI laws remain in full force and effect. Any PHI not secured as per the guidance is considered to be unsecured PHI whose breach will trigger the notification requirements.
If over 500 individuals’ PHI has been compromised then the media must be notified and the Secretary of HHS as well.
Breach: “the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an authorized person to whom such information is disclosed would not be able to retain such information.”
Do you really want to have to choose between:
- Significant civil penalties (between $100 and $50,000 per violation, up to $1.5 million maximum per incident) and …
- Publishing in the local media a notice of your failure to protect your patients’ private information?
Of course not! Why not take advantage of the explicitly defined safe harbor? If the hard drive of that missing laptop has been encrypted, using appropriate technology, then there is no notification requirement at all! The same technology can be applied to every hard drive in your organization, especially the servers on which the bulk of the PHI resides. There are numerous commercial disk encryption approaches available, as well as free, open-source solutions such as TrueCrypt, that would provide you with the protection you want and owe to your patients, all penalties aside.
My previous post regarding encryption resulted in no reader response whatsoever. Does this information about your notification responsibilities make it more likely that you will move forward with data encryption? If not, why not?