HHS Laptop Encryption: Arizona Counseling and Treatment Services Announces Data Breach.

Dissent at phiprivacy.net brings us news that the Arizona Counseling and Treatment Services, located in the city of Yuma, has announced the theft of an employee’s laptop computer with personal patient information.  Although it’s not spelt out, it appears pretty evident that laptop disk encryption for protecting PHI like AlertBoot was not used.

When it comes to PHI security, encryption software is not required per HIPAA/HITECH (that is, its use is not mandated).  However, more often than not, it is recommended for a number of reasons, which we’ll explore further below.

Arizona Counseling and Treatment Services: Was Encryption Used?

The general counsel and spokeswoman for Arizona Counseling and Treatment Services (ACTS) made these facts available, according to yumasun.com:

  • An employee’s laptop and external hard drive, both containing patient data, were swiped during a home burglary between March 18 and March 25.
  • The laptop was loaded with tracking software. (The hard drive was not, but it’s to be expected.  A hard drive lacks the components to do stuff, like ping its location).
  • Neither device has been recovered to date.
  • Breached data includes names, dates of birth, treatment plans but no Social Security numbers or financial information.
  • Patients will be notified and offered help with credit monitoring.
  • Over 500 patients were served between 2011 and 2013.
  • A public notice will be made “because of the size of the breach”.

The last two bullets are especially interesting, in my opinion.

Notice how it’s not revealed how many people are affected, but that over 500 patients were involved.  The significance of that number lies in the HIPAA/HITECH requirements.  If more than 500 individuals are affected during the course of a HIPAA data breach, the medical “covered entity” must notify the Department of Health and Human Services (HSS) within 60 calendar days.

Affected patients must also be individually notified within the same period; however, in the event that the covered entity doesn’t know how to reach all of them, a public notice must be made (also known as a substitute notice).  If over 500 people are affected, the public notice becomes a requirement.

These two points also imply that encryption was not used, since the use of encryption voids the above requirements.

Why Use Encryption for PHI Data?

The reason for using medical data encryption software is myriad.  Chief among them: it will protect your patients’ data.  It really will.  Encryption that has been FIPS validated is so secure that it can be used to protect the government’s secret information; it certainly will go a long way when it comes to medical information.

There are a number of other benefits for those who fall under the HIPAA/HITECH umbrella, however.  First, the use of encryption provides safe harbor from the Breach Notification Rule.  If the device holding PHI was lost or stolen, nobody has to be informed of the event because the information is secure.

This “get out of jail” card includes the HHS, who have their hands full with actual data breaches (from phiprivacy.net, my emphasis):

In a conversation with a spokesperson from HHS this week, I learned that despite HHS’s previous statements to me that it investigates all breach reports, it turns out that the decision to investigate is made by regional directors. Although HHS’s original intention was to investigate all breaches, the sheer number of breach reports and the lack of adequate resources resulted in a change in their policy.

Basically, if it’s encrypted, it’s not a data breach.

Second, it could make your risk assessments a piece of cake.  A security risk assessment happens to be an integral part of being in compliance with HIPAA rules.  There are many companies out there that perform these assessments and decide that encryption is not in their cards.  For example, perhaps their computer is (a) in a room that is not easily accessible by the public, (b) chained to an immobile object, like a very heavy desk, and (c) protected with unique IDs and password-protection (not encryption) for each user that accesses the computer.

The problem with the above is that there isn’t a guarantee that the computer won’t be stolen (burglary).  Now, if encryption is used, there is no argument: this is not a HIPAA breach.  If encryption is not used, then you have to go through an investigation to determine that, indeed, it’s not a HIPAA breach.  Or, maybe, a different conclusion will be reached based on actuality or a technicality.

It’s not for nothing that, not too long ago, the OCR director made this remark:

We love encryption, and those who use encryption love it, too,” Office for Civil Rights Director Leon Rodriguez said. “In the event of a breach, using encryption assures that that information is unreadable, unusable or undecipherable, which, basically, would qualify that entity for the safe harbors under our breach notification rule.”

Related Articles and Sites:


Comments (0)

Let us know what you think