When you consider the furor that has been raised over HIPAA data breaches for the past five years – and the fact that it has contributed heavily towards medical organizations investing in the use of medical file encryption software like AlertBoot – it boggles the mind that we can still come across such a story as this one: according to phiprivacy.net, Jersey City Medical Center sent unencrypted PHI to a third party via a parcel delivery service.
Possibly the most damning aspect of this story is this particular assurance: “The Medical Center has now implemented measures to avoid similar incidents in the future, including prohibiting the transmission of unencrypted CDs containing patient information.”
Considering that the date to implement all aspects of the HIPAA Final Omnibus has passed considerably, it wouldn’t surprise me if the HHS/OCR immediately starts an investigation into this case.
SSNs, Names, and Other PHI Involved
According to the breach notification letter template filed with the Vermont Attorney General’s office, the data breach occurred sometime between June 13 and June 16 (or July 22, depending on your point of view), when a package wasn’t delivered and United Parcel Service couldn’t find it within their system. (As convenient as it may be, it would be unfair to blame UPS for the data breach. All package delivery services have a history of losing items. For example, FedEx once lost nuclear rods.)
The lost package contained a CD full of protected health information (PHI), including names and Social Security numbers. E-mails are contained date of birth, a Medical Center ID number, gender, admission and discharge dates, and other medical information.
In light of the information that was included in the CD, it is shocking that encryption software was not used to protect its contents. After all, the information was leaving the medical center’s data security perimeter and so required some kind of data protection other than UPS’s policies (which, if I remember correctly, generally tend to absolve the company from any responsibility).
HIPAA File Encryption: Chances Are You Need It
Why do companies continue to insist in mailing sensitive information without adequate protection? There are a number of reasons. It could be plain and simple oversight. It may not be possible for financial reasons. But sometimes the reason is technical.
The problem with file encryption is that you still need the way to exchange the encryption key or the password. You can’t send it with the file itself as that defeats the purpose. An easy way around it is to contact the recipient and reveal the password, such as giving them a call or sending it via e-mail.
But there are those instances where such actions do not help. Generally, the sender and recipient need to have the same encryption program for any of this to work. More often than not, the recipient does not access to the software that the sender used to encrypt the file. Without it, the recipient is unable to decrypt the file and use the data even if the correct password is in possession. Due to the technical limitations, encryption becomes an unviable solution and an alternative (or nothing at all) is used.
How does one get around this conundrum? AlertBoot will be releasing a new service next year that will resolve this problem as well as addressing other security concerns involving encrypted file exchanges.
Related Articles and Sites: