It’s one of the more bizarre stories I’ve come across in my years of blogging about data security breaches: a psychologist had his medical license suspended after a prostitute stole his laptop computer. The question remains whether he’d still have kept his license if he had protected his laptop with HIPAA compliant encryption. What’s there to question, you might ask. Well, this psychologist had one phenomenal litany of indiscretions.
Pretty Woman with Sticky Fingers
According to a Statement of Charges by the Washington State Department of Health, the psychologist’s laptop was stolen on February 4, 2013. The theft was reported to the DSHS (Department of Social and Health Services) on February 7. The police were notified of the theft on February 14. In both cases, the psychologist made false reports on how his laptop was stolen.
Eventually, he changed the story he had given to the police, saying “that the laptop was stolen by a prostitute while [the psychologist] went to an ATM.” The cops recovered the laptop from a pawnshop.
A total of 652 people were affected by the incident, but here, too, the numbers were initially underreported.
In addition to the above incident, it turns out that the psychologist had previously been arrested for a DUI and had undergone treatment for cannabis and alcohol dependency, which had already put him on notice with the state's board.
In light of the above, it’s not so crazy that the psychologist’s license was suspended, and tying the suspension to a HIPAA data breach would appear to be a stretch.
Except that it’s not.
HIPAA Breach, Unintended Consequences
Why is the loss of an unencrypted laptop computer THE reason for suspending the psychologist’s license? Because of the impact it had on his patients:
[The psychologist’s] actions caused inconvenience and harm to the clients by requiring them to re-engage with new providers, retelling their stories and answering questions, in some cases requiring the clients to repeatedly re-disclose events that were unpleasant and even traumatic to them. The clients’ eligibility for benefits and access to health care were delayed.
In the usual data breaches I cover, the top concern is that of identity theft, be it financial or medical. To date, I don’t recall any instances where a data breach has so directly affected patients.
Could the use of PHI encryption software have protected the 652 patients? The answer is a definite yes. While data security software has no impact on a person's penchant for cavorting, one cannot get around the fact that under HIPAA's breach notification rule, PHI that is encrypted in line with HHS guidance (a NIST-approved algorithm, with the decryption key kept somewhere other than the device holding the data) is not "unsecured PHI," so its loss or theft is not a reportable breach, regardless of how it was lost or stolen. The one caveat is the key: full-disk encryption only earns that safe harbor if the key did not go with the device. A laptop stolen while powered on and unlocked, or with the passphrase written on a note in the bag, should still be treated as a breach.
So, had the laptop been encrypted, its disappearance wouldn't have required notification to the affected patients, to the board, or eventually to HHS (a police report for the theft itself would still be sensible, but HIPAA does not require one). Technically, not even an IT department would have to be notified, seeing how this was the psychologist's personal computer, although in practice they should be: a device with saved credentials or VPN access to the corporate network needs that access revoked and a replacement provisioned.