One of the best ways to prevent a HIPAA data breach is to use disk encryption like AlertBoot. Encryption (along with outright destruction of the PHI) is the only method that lets a covered entity take advantage of the safe harbor provision under the Breach Notification Rule (BNR), and when it comes to stored information it is practically synonymous with data security. HIPAA treats properly encrypted data as not being "unsecured" PHI (and many state breach laws exclude encrypted data from their definition of personal information), which is why its loss does not trigger the BNR. This is not lost on people looking to limit their risk exposure as a covered entity.
However, because HIPAA does not outright require encryption on a computer that stores PHI (the Security Rule lists encryption as an "addressable" rather than a "required" implementation specification), one can find instances where PHI is not encrypted even though it should be.
EEG Machines Include a Computer
Saint Vincent Hospital in Indiana has notified approximately 1,100 patients that their medical information was lost when a laptop computer was stolen, according to phiprivacy.net. According to the notice, the computer in question was "password protected."
Many people confuse password protection (a form of access control) with encryption. Could it be that St. Vincent is also confused? I doubt it, for the following reason: if they thought that password protection was equivalent to encryption, they would also be under the impression that they were covered under the safe harbor provision, and they wouldn't have sent the breach notification letters.
Ergo, since the letters were sent out, it’s quite apparent that St. Vincent is aware that they’re not covered. Hence, they know that password-protection is not encryption.
(What's the technical difference between encryption and password protection? Encryption transforms the bytes actually stored on the disk. If someone were to run across them, they still wouldn't be able to understand them without the key. With password protection, the stored data is not modified at all; the password only gates the login screen. Pull the drive and attach it to another machine, boot from a USB stick, or read a raw image of the disk, and every file is readable as-is. Essentially, password protection is the equivalent of drawing a curtain across a board. If the curtain gets drawn back by mistake, say because your shoe got snagged on the drawstrings, you have full access to the contents of the board. The question to ask about any "password protected" laptop is therefore: does the password unlock a key that decrypts the disk, as with full-disk encryption, or does it merely gate the operating-system login?)
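To make the distinction concrete, here is an added illustration (not code from the original post or from AlertBoot) of a password gate versus encryption applied to a constructed sample patient record. The `password_gate` function models what an OS login does: it checks a credential and then hands over the very same bytes that were on disk, so anyone who reads the disk directly never meets the check. The `encrypt`/`decrypt` pair models what disk encryption does: the stored bytes are transformed under a key derived from the password. To run without third-party packages, the cipher is built from standard-library primitives (PBKDF2 for key derivation, HMAC-SHA256 in counter mode as the keystream, and an encrypt-then-MAC tag); for real data you would use a vetted AEAD such as AES-GCM or a full-disk encryption product, not this construction.

```python
"""Added example: access control leaves stored bytes readable; encryption does not."""
import hashlib
import hmac
import os
import struct

# Constructed sample record, not real patient data.
RECORD = b"MRN 000123 | DOE, JANE | EEG 2012-03-01 | findings: abnormal spikes, left temporal"


def password_gate(stored_bytes: bytes, supplied: str, expected: str = "letmein") -> bytes:
    """Model of a login prompt: verify a credential, then return the unchanged bytes.

    The bytes on disk are identical whether or not anyone ever types the password.
    """
    if supplied != expected:
        raise PermissionError("wrong password")
    return stored_bytes


def _derive_key(password: str, salt: bytes) -> bytes:
    # 64 bytes: first half for the keystream, second half for the integrity tag.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode (illustrative stream cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, password: str) -> bytes:
    """Return salt || nonce || ciphertext || tag. The plaintext bytes no longer appear anywhere."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive_key(password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(blob: bytes, password: str) -> bytes:
    """Verify the tag first (encrypt-then-MAC), then reverse the keystream."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = _derive_key(password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def recoverable_by_thief(stored_bytes: bytes) -> bool:
    """What a thief sees after pulling the drive: the raw bytes, with no login in the way.

    Returns True if the patient's name can be read straight out of the stored bytes.
    """
    return b"DOE, JANE" in stored_bytes


if __name__ == "__main__":
    # Password-protected laptop: the bytes on disk are the record itself.
    print("password-protected disk readable by thief:", recoverable_by_thief(RECORD))
    # Encrypted laptop: the bytes on disk reveal nothing without the password.
    blob = encrypt(RECORD, "correct horse battery staple")
    print("encrypted disk readable by thief:", recoverable_by_thief(blob))
    print("round trip with the right password:", decrypt(blob, "correct horse battery staple") == RECORD)
```

The asymmetry is the whole point: `password_gate` can be bypassed by never calling it, whereas `decrypt` fails closed on a wrong password or a modified blob. The same reasoning applies to a laptop: a login screen is code that runs only if the thief boots your operating system, while full-disk encryption is a property of the bytes themselves.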
Usually, not encrypting a laptop with sensitive data is grounds for a severe excoriation from just about anyone. More and more people are becoming aware of the importance of data security, and of the basics of how to achieve it.
However, the St. Vincent case could be classified as a bit unusual. The laptop in question was hooked up to an EEG machine. Chances are that this laptop was never taken out of the medical facility (possibly never even out of the room it was in). In such circumstances, people tend to think that the risk of losing the laptop is low (not an unjustifiable position), which in turn leads to more relaxed attitudes where the application of encryption is concerned.
The Many Ways Laptops Can Go Missing
As I noted, it’s not an unjustifiable position. The chances of a laptop hooked up to a medical device going missing are extremely low. If the laptop goes missing, the EEG machine would probably go missing, too.
But then again, in today’s era of USB ports, what could be easier than to pull a bunch of wires and then steal the one thing that can be easily unloaded on Craigslist? The one thing that any Joe Schmoe could be carrying around in a hospital setting? And be able to literally walk away with via the front door?
There are two ways of thinking about risk. The first is "what are the chances of this happening?" (likelihood). The second is "what are the consequences if it did happen?" (impact). Combine the two, and one generally arrives at a good way of deciding whether a safeguard is worth applying or not. A stolen EEG laptop is a low-likelihood, high-impact event: 1,100 notification letters, an investigation, and a patient's neurological findings in a stranger's hands.
500 or More Means OCR Will Investigate
Incidentally, a breach affecting 1,000+ patients is not just a breach of patient data. Yes, there may be consequences for the data breach itself. But the Office for Civil Rights (OCR) investigates every PHI breach incident affecting 500 or more individuals. The investigation could uncover a host of problems other than the lack of encryption on the laptop attached to the EEG machine.