Phiprivacy.net has a link to a most unusual website: www.danielsanddanielsdentistry.com. If you follow this link, you’re shown a very elementary page with an image, a business name, and a short HIPAA breach notice. Could this website have been set up because sensitive data was not protected with data encryption software like AlertBoot? It also seems to conform with the letter, but perhaps not with the spirit, of HIPAA.
Dentist Data Breach Out of Arizona
A search for “Daniels” in the “Breaches Affecting 500 or More Individuals” section of hhs.gov shows that Brian J Daniels DDS and Paul R Daniels DDS notified the OCR about a data breach affecting 10,000 individuals due to the theft of a portable electronic device. We can assume that the device wasn’t a laptop, because HHS marks those as “laptop.” The same goes for backup tapes. It was probably an external hard drive or a USB flash drive of some sort that was stolen, or perhaps data CDs (although who’d steal those?). According to the records, the theft took place on March 1, 2011.
A quick search also shows us that the website was registered on April 4, 2011, roughly a month after the breach took place. Whether the site was specifically created to post the short HIPAA notice is guesswork on my part, but the timing — and the dearth of content at the site other than the notice — is uncanny.
It’s also surprising. There is nothing within HITECH/HIPAA that forces a breached entity to set up a website. The rules merely point out that if a breached entity had a website to begin with, it should post a public notice of the breach there. There are other ways of providing substitute notice to those affected by a data breach, including sending notice to the local media.
Arizona has Data Breach Law, Does Not Apply to HIPAA-Covered Entities
Because of what the dates and actions suggest, I thought that perhaps there was something within Arizona law requiring that a website be set up.
Arizona has a data breach law (44-7501. Notification of breach of security systems) covering breaches of unencrypted personal information. The law, however, pointedly makes an exception for any organization that is a HIPAA-covered entity:
J. This section does not apply to either of the following:
1. A person subject to title V of the Gramm-Leach-Bliley act of 1999 (P.L. 106-102; 113 Stat. 1338; 15 United States Code sections 6801 through 6809).
2. Covered entities as defined under regulations implementing the health insurance portability and accountability act, 45 Code of Federal Regulations section 160.103 (1996).
So, it appears that Daniels and Daniels had to follow HIPAA rules. Which brings us back to the question, why’d they set up that website?
Perhaps they did it out of an abundance of caution? And if so, will this abundance of caution also extend to better data security practices, including the use of encryption software?