Women & Infants Hospital of Rhode Island has settled with the Massachusetts Attorney General’s office over a 2012 data breach that affected more than 12,000 people in Massachusetts. The hospital has agreed to pay $150,000 – $110,000 in civil penalties, $25,000 for attorney’s fees, and $15,000 to a fund – and has agreed to take steps to prevent future data breaches, according to narragansett.patch.com. This is the type of risk a HIPAA covered entity sets itself up for if it does not use HIPAA compatible encryption to protect its PHI.
Unencrypted Backup Tapes (and More)
In April 2012, Women & Infants Hospital discovered that it was missing backup tapes used to store names, SSNs, ultrasound images, and other data classified as protected health information (PHI) under HIPAA. The tapes were meant to be sent off-site and then transferred to a “new picture archiving and communications system.” Instead, they went missing.
In addition, the hospital discovered the breach in April 2012 but didn’t notify the Massachusetts AG’s office until the fall of 2012. Because HIPAA requires notification within 60 calendar days of the discovery of a breach, Women & Infants Hospital ended up breaking another HIPAA rule.
It is commonly known that the use of encryption software provides safe harbor from breach notification requirements like the one above, protects PHI, and counts towards state and other federal data protection requirements.
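The safe harbor above turns on one question: can whoever ends up holding a lost tape read the PHI on it without the key? The following Go program is an added example, not code from the original post or from the hospital, showing what “encrypted backup media” looks like in practice: each backup image is sealed with AES-256-GCM before it is written to tape, the key lives in a key management system rather than on the media, and the tape label is bound in as associated data so a restore refuses a swapped or modified tape. The record, key handling and tape labels are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 32 // AES-256

// NewBackupKey returns a fresh random AES-256 key. In a real deployment this
// is generated and held by a key management system; it never travels with the tape.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals a backup image with AES-256-GCM. The tape label is bound
// in as associated data so a sealed blob cannot be silently moved between tapes.
// Layout written to media: nonce || ciphertext || GCM tag.
func EncryptBackup(key, image []byte, tapeLabel string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, which we pass as dst.
	return aead.Seal(nonce, nonce, image, []byte(tapeLabel)), nil
}

// DecryptBackup reverses EncryptBackup. Any error (wrong key, altered bytes,
// wrong tape label) means the media is treated as unreadable, never as silently corrupt.
func DecryptBackup(key, tape []byte, tapeLabel string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(tape) < aead.NonceSize() {
		return nil, errors.New("tape image too short")
	}
	nonce, sealed := tape[:aead.NonceSize()], tape[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, []byte(tapeLabel))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, errors.New("backup key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// LostTapeExposesPHI models the breach-assessment question: is the PHI visible
// in the bytes on the media as found, with no key? True means a reportable breach.
func LostTapeExposesPHI(tape []byte, marker string) bool {
	return bytes.Contains(tape, []byte(marker))
}

func main() {
	// Constructed sample PHI record for the example; not real patient data.
	record := []byte("MRN:000001|name:Jane Doe|ssn:000-00-0000|study:ultrasound-2012-04")
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	tape, err := EncryptBackup(key, record, "TAPE-0042")
	if err != nil {
		panic(err)
	}
	fmt.Println("PHI readable from lost tape:", LostTapeExposesPHI(tape, "Jane Doe"))
	if _, err := DecryptBackup(key, tape, "TAPE-0043"); err != nil {
		fmt.Println("restore under wrong tape label refused:", err)
	}
	plain, err := DecryptBackup(key, tape, "TAPE-0042")
	if err != nil {
		panic(err)
	}
	fmt.Println("restore with key matches original:", bytes.Equal(plain, record))
}
```

The point of keeping the key off the media is the whole safe harbor: a tape that goes missing in transit carries nothing but nonce, ciphertext and tag, and a restore on the right system with the right key and label still works.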
And yet, many covered entities are still delaying the deployment of data protection tools or looking for excuses not to deploy them at all. Reasons are myriad, ranging from cost to complexity in implementing them.
However, it’s becoming clear as time goes by that the costs of not encrypting PHI could be much higher – although delayed to a later date – and that there is more complexity involved when encryption is not employed (inventorying hardware may be simpler than encrypting it, but it’s certainly not easier).