Howard University Hospital has sent breach notification letters, as required under the HITECH Breach Notification Rule, to 34,503 patients. A contractor’s laptop, protected only by a login password, was stolen. Technically speaking, though, wouldn’t this have been a data breach even if the contractor had used full disk encryption software like AlertBoot to secure the laptop’s contents, or even if the laptop had never been stolen?
Contractor Violated Hospital and Federal Rules
According to wusa9.com,
The contractor, who stopped working for the hospital in December 2011, reported the theft of the laptop to police on Jan. 25. The contractor subsequently notified hospital officials…data varied in the types of information contained, but included some or all of the following: names, addresses, Social Security numbers, identification numbers, medical record numbers, birthdates, admission dates, diagnosis-related information and discharge dates.
Most of the patients affected received treatment between December 2010 and October 2011, though some of the data goes back as far as 2007. Patients are being offered one year of free identity theft monitoring.
The site nbcwashington.com notes that,
Howard University Hospital said the contractor violated hospital and federal rules by downloading the data onto the personal computer. It said new procedures are now in place to prevent this from happening again.
The above statement leaves me wondering, “which federal rules?”
Which Rule Was Violated?
It is not obvious that the rule is HIPAA / HITECH. HIPAA’s rules are written for covered entities. HITECH (2009) did extend the Security Rule’s safeguards directly to business associates, but whether an individual contractor counts as a business associate, or simply as part of the hospital’s workforce working under its direct control, depends on the arrangement, and breaking the hospital’s own policies is not the same thing as breaking a federal rule. What is clear is that the hospital’s own HIPAA Security Rule obligations are implicated: it apparently lacked access controls that would have stopped the contractor from copying PHI onto a personal, unencrypted computer, and an audit mechanism that would have alerted it to the copying.
The only other federal law I can come up with (and having to guess is a surefire sign that I’m not a lawyer) is the Computer Fraud and Abuse Act, which is generally applied to hackers and such. It is not a natural fit here either. The statute’s coverage term is now “protected computer” (“federal interest computer” was the 1986 wording), defined in 18 U.S.C. § 1030(e)(2) as a computer:
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
Clause (B) is broad enough to reach almost any networked computer, so coverage of the hospital’s systems is not the obstacle. The harder question would be whether a contractor who was authorized to access the data “exceeded authorized access” by copying it to his own machine, a reading that courts have not applied consistently to insiders who misuse access they were legitimately granted.
I’m not saying the contractor didn’t do anything wrong. If you’re a contractor who handles sensitive data, you really ought to be running encryption software on the computer you work from, and you should not be copying PHI onto a personal machine at all. Encryption matters here because HHS guidance treats properly encrypted PHI as not “unsecured”: the theft of an encrypted laptop would not have triggered notification letters to 34,503 patients, although the unauthorized copy would still have been a policy violation. The contractor’s failure to encrypt could have had far-reaching effects: had he been offering his services at multiple institutions, the same laptop could have triggered PHI breaches at other HIPAA-covered organizations as well.
But, I’m wondering which federal rule he violated.