Spartanburg Regional Hospital has begun notifying clients that the theft of a laptop from an employee’s car has triggered a data breach. The laptop was not secured with disk encryption software like AlertBoot.
Laptop Encryption not Used?
According to a statement by an executive vice-president at the hospital,
“On March 29, 2011, we were informed that a computer was stolen from an employee’s car the previous night,” he wrote. “The employee was authorized to have possession of the computer. We have reported this to the proper authorities and an investigation is ongoing.” [greenvilleonline.com, my emphasis]
The fact that
1) the hospital has begun notifying its patients; and,
2) it has done so close to the 60-day mark since it found out about the data breach
leads me to believe that they may not have used encryption. Which is terrible, because the laptop contained “names, addresses, dates of birth, medical billing codes, and Social Security numbers.” This is not the type of data you want to authorize your employees to carry around on an unprotected laptop computer.
60-Day Limit per HIPAA / HITECH
This is what Spartanburg told wspa.com regarding the breach:
Its [sic] important to note, the hospital says they have no reason to believe that any information has been misused. They sent out a notice however, to be proactive.
To be proactive? That’s debatable. Such words imply that the hospital sent out the notifications…shall we say, out of concern for the patients; however, it is required to do so under the latest HIPAA and HITECH rules whether it wants to be proactive or not (again, assuming encryption was not used; if it was, then Spartanburg can justify the claim).
According to the “Breach Notification Interim Final Regulation” of August 2009, HIPAA-covered entities have up to 60 calendar days beginning from the discovery of the breach to notify patients of a data incident. Based on this yardstick, one could claim that they’ve been anything but proactive: how else would you classify waiting until the last possible moment, before the regulating authorities start getting involved?
Taking a Softer Stance
Perhaps Spartanburg is not to blame. At least, not for the lack of encryption software on the laptop. The reality is that HIPAA / HITECH doesn’t mandate the use of encryption, as I already noted earlier this month. In other words, the use of encryption is not required, just really strongly encouraged.
As I mused two weeks ago, it’s probably because the term “protected health information” is overly broad and includes not only truly sensitive information like billing information (Medicare numbers, SSNs, credit card numbers, insurance account numbers, etc.) and medical information (prescriptions, mental evaluations, STD test results, etc.), but also far less sensitive information.
A broad term means hospitals have to use their judgment in deciding what should be encrypted and what shouldn’t. Of course, I’m not sure how you could come to the conclusion that SSNs weren’t important enough to encrypt…but, hey, why can’t the rules basically state: if you’re storing SSNs on a portable device, you must use encryption? It’s not as if there are less sensitive SSNs or non-sensitive SSNs, and the rules are already heavily tipped towards the use of encryption!
If the rules take on a strong stance, you also have less room for interpretation, which (in theory) means you wouldn’t have ridiculous breaches like the above.