A laptop computer was stolen from Lexington Clinic’s Neurology Department, “despite stringent security protocols.” What those protocols were is not specified. However, since Lexington Clinic is “following all requirements of the American Recovery and Reinvestment Act of 2009 and the Health Information Technology for Economic and Clinical Health Act by notifying patients of the breach,” it’s reasonably safe to conclude that drive encryption software like AlertBoot was not used in this particular case.
Some PHI Breached
The laptop was stolen on December 7, 2011 from the neurology department at St. Joseph Office Park at 1401 Harrodsburg Road, in Lexington, Kentucky. According to kentucky.com, it took weeks to figure out what information was on the laptop, which was used with the clinic’s electromyography machine.
However, in keeping with HITECH, the clinic had to make a disclosure before 60 business days had passed since the discovery of the breach. Since the theft occurred on December 7 and was discovered on December 8, the notification comes towards the latter end of the 60-day window: January 30 marks the 53rd day.
The computer contained names, contact information, and diagnoses for a number of patients that sought the neurology department’s services, some going as far back as 5 years. It did not include SSNs, credit card numbers, bank account numbers, and other financial information.
Regardless, Lexington Clinic is asking any affected patients to “stay alert for signs of identity theft”:
Accounts you didn’t open and debts on your accounts that you can’t explain.
Fraudulent or inaccurate information on your credit reports, including accounts and personal information, such as your Social Security number, address(es), name or initials and employers.
Failing to receive bills or other mail. Follow up with creditors if your bills don’t arrive on time.
Receiving credit cards that you didn’t apply for.
Being denied credit, or being offered less favorable credit terms, like a high interest rate, for no apparent reason.
Getting calls or letters from debt collectors or businesses about merchandise or services you didn’t buy.
HIPAA Breach? Not So Fast
Many might jump up and ask, “hey, isn’t this a HIPAA breach?” Not necessarily. Sure, the fact that patients and the media are being notified indicates that encryption software was not used on this laptop. (Under HITECH, which amends HIPAA, if more than 500 patients are affected the covered entity must contact local media and disclose that data was breached.)
It’s an assumption that encryption wasn’t used, of course. I’m of the opinion that most hospitals, clinics, and other medical organizations and agencies wouldn’t want negative coverage if it’s avoidable, and with encryption in use a laptop theft would lead to bupkus; that’s perfectly legal under HITECH. Plus, with cryptographic solutions it’s not just a legal loophole: technically, that data is safe no matter how the laptop thief tries to force his way into the device. (This, however, does not preclude a hospital from using encryption and still going public with the breach. I can think of at least two occasions where this happened.)
Anyhow, returning to the subject at hand: this might not be a HIPAA breach. After all, consider the situation: the laptop was not stolen from a car, or an employee’s home. It was stolen from the clinic. Strike one. I’m assuming that the clinic offered a certain degree of physical security.
Second, the laptop did have “stringent security protocols.” Again, it’s pretty evident that encryption was not part of those protocols. However, nothing within HIPAA states that encryption must be used. Encryption is what’s known as an “addressable” specification: if a hospital concludes that encryption is not necessary, it doesn’t have to use it as long as there are other security measures in place.
Still, encryption is advisable even if it’s only addressable: not only is it a better form of securing data, it’s the only way to get out of the Breach Notification Rule under HITECH. It’s win-win, for covered entities and patients alike.
Plus, a solution like AlertBoot not only protects laptops’ contents, it also makes audits and monitoring easier. Its built-in and fail-safe encryption audit reports allow a covered entity to quickly prove that a stolen laptop was compliant with HIPAA and HITECH.