News from Dayton, Ohio: a chiropractor reported the theft of a safe (strongbox) and a laptop from his (her?) office. The safe was “full of computer disks.” It is not known whether data disk encryption like AlertBoot was used to safeguard the contents of the disks and the laptop (although yours truly believes that, in the case of the safe-bound disks, the answer is probably “no”).
Who Protects the Protectors?
Storing sensitive data like PHI – protected health information – in safes is very strongly encouraged by many guidelines that deal with HIPAA/HITECH issues. In light of this, the above theft is quite ironic: sure, the disks are protected, but what’s protecting the safe? Apparently, the answer is “nothing.”
In contrast to physical deterrents like the aforementioned safe, one of the advantages of full disk encryption, or any other type of encryption solution, is that the protection moves in tandem with the data: whoever carries off the disk carries off the lock with it. Under ordinary circumstances, it’s well-nigh impossible to reach the actual data without first defeating the encryption in place. It’s no surprise, then, that the use of encryption provides safe harbor from the Breach Notification Rule that is part of HITECH.
This rule specifies that individuals affected by a PHI breach must be contacted within 60 calendar days. Other requirements are also triggered depending on the circumstances, such as the number of people affected: if more than 500 are involved, the covered entity must report the breach to Health and Human Services, and the agency will make the information public.
To make a long story short: safes are good; encryption is better; safes and encryption together are best… unless you’re actually looking forward to being involved in a HIPAA data breach.
Is the Above a HIPAA Breach?
Well, it depends. The article at newstalkradiowhio.com notes that “it is unknown if any patient records were taken during the theft,” implying that there is a chance that the disks stored in the safe didn’t contain patient info (which raises the question: what did they contain?).
But even if PHI was stored on the laptop or the disks, their theft is not automatically a HIPAA breach. While the chiropractor does have to reach out to his/her clients, it could very well be that an investigation concludes the above is anything but a HIPAA breach. How so?
I’m no lawyer, but after reading and listening to the opinions and arguments of legal eagles who focus on health information and privacy issues, it turns out that a HIPAA breach, among other things, must show, in essence, recklessness or contempt (or both). A guy who stores disks in a safe shows neither.