The University of Mississippi Medical Center (UMMC) is notifying patients who visited UMMC between 2008 and January 2013 that their health information may have been stored on a laptop computer that’s “missing.” Apparently, the device was not protected with laptop encryption like AlertBoot, which may have been a result of the laptop being “a shared device, used by UMMC clinicians.”
Giving Access to Shared but Encrypted Resources
One of the problems with encryption software is that, depending on the solution, there isn’t a way to allow multiple logins to the same computer (or, in some cases, there is a way, but it’s so complicated that it is effectively useless). As an aside, AlertBoot does not suffer from this limitation; indeed, we make it very easy to host multiple IDs and passwords on the same computer.
This hindrance is very problematic in a hospital setting because (a) resources are shared and (b) the HIPAA Security Rules generally forbid the sharing of computer passwords and similar credentials.
The obvious answer, then, is to pick a solution that allows multiple IDs and passwords for the same computer. However, sometimes people opt for a different kind of solution: not using encryption. Since most computer operating systems come with the ability to support multiple users, one “solution” is to use only password-protection without encryption.
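As an added illustration (not AlertBoot’s product code or UMMC’s configuration) of how one encrypted laptop can carry several independent logins without anyone sharing a password: a single volume key protects the disk, and each clinician gets a key slot holding that volume key wrapped under a key derived from their own passphrase, so users can be added or revoked without re-encrypting the drive. The `SharedVolume` class and the stdlib-only wrapping construction are constructed for this example; a real product would use AES key wrap or AES-GCM.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

def _kek(passphrase: str, salt: bytes) -> bytes:
    # Per-user key-encryption key, derived from the user's own passphrase and a per-slot salt.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)

def _wrap(kek: bytes, dek: bytes) -> bytes:
    # Toy encrypt-then-MAC wrap: XOR the 32-byte DEK with an HMAC keystream, then tag it.
    enc_key, mac_key = kek[:32], kek[32:]
    stream = hmac.new(enc_key, b"slot-keystream", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, stream))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def _unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    enc_key, mac_key = kek[:32], kek[32:]
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None  # wrong passphrase or tampered slot: reveal nothing
    stream = hmac.new(enc_key, b"slot-keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class SharedVolume:
    """Header of a shared encrypted laptop: it holds key slots, never a passphrase or the bare DEK."""

    def __init__(self) -> None:
        self.dek = secrets.token_bytes(32)            # data-encryption key; never written to disk in the clear
        self.slots: Dict[str, Tuple[bytes, bytes]] = {}  # user_id -> (salt, wrapped DEK)

    def add_user(self, user_id: str, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        self.slots[user_id] = (salt, _wrap(_kek(passphrase, salt), self.dek))

    def revoke_user(self, user_id: str) -> None:
        del self.slots[user_id]                       # other users keep working; no disk re-encryption

    def unlock(self, user_id: str, passphrase: str) -> Optional[bytes]:
        # Returns the DEK on a correct passphrase, None otherwise.
        if user_id not in self.slots:
            return None
        salt, blob = self.slots[user_id]
        return _unwrap(_kek(passphrase, salt), blob)
```

Each clinician unlocks the same disk with a personal passphrase, and a departing user’s slot is simply deleted, which is the property a shared hospital laptop needs under the no-password-sharing rule.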
The problem with this approach is that, while you’re able to comply with a certain aspect of the HIPAA Security Rules, you’re also exposing patients to a risk that could easily be avoided.
Is this what UMMC decided to do? It could very well be so, and it would be within their rights. After all, HIPAA doesn’t require the use of encryption. If a covered entity’s risk assessment shows that the odds of a data breach are low, and equivalent security measures can be used – UMMC’s laptop was in a non-public area, meaning the odds of the device being stolen were low – then encryption is just one of the ways to lower the risk of an ePHI breach.
On the other hand, these other methods are not as useful in the event that something does go awry.
UMMC: Insufficient Contact Information
Generally, a data breach results in the breached medical entity sending out breach notification letters (via first class mail, as specified by HIPAA and HITECH rules). However, the University of Mississippi Medical Center opted to make a public announcement only (the “only” part is implied) because it didn’t have a complete notification list:
Federal and state laws require health-care institutions to notify patients potentially affected by such incidents. In this case, due to insufficient contact information for those who may be affected, individual notifications are not possible. [phiprivacy.net]
As I pointed out before, the implication is that no one is getting a personal breach notification letter. Again, UMMC is within its legal rights to do so; however, honestly, what are the chances that all of the affected parties will be informed of this notice, be it via word of mouth, a segment in the local news, or some other method?
Perhaps that’s the wrong question. My guess is that the odds of all affected parties being reached are close to 0%. Rather, the question ought to be: what percentage of the affected parties will be informed? Is it closer to 90%, 40%, 10%, or something else? The higher figure is better than the lower ones, obviously, but the honest truth is that we have absolutely no way of knowing.
When you consider that the purpose behind breach notifications is to give those who are affected a chance to do something about any potential risks, it feels like UMMC is following the letter of the law but falling very short when it comes to the spirit of it.
Perhaps a better method would have been to send individual notification letters to every patient whose current address was on file, in addition to making a public announcement.