It’s not unusual to hear of a HIPAA breach involving more than 500 people at a large medical facility, like a general hospital or a teaching university hospital. It always seems a little surprising when the news comes from a small private practice, especially one that appears to be a single-physician practice, like a dentist’s office. But when you consider that there are 200 or so working days in a year, and that a dentist could easily see three patients in a day, it wouldn’t take long for a single practitioner to rack up enough patient data to land in “large data breach” territory.
Extending that logic, why would a single physician even attempt to go into business if they didn’t have adequate PHI security in place? That’s what I found myself thinking when I read the following story.
Office Break-In, Computer Stolen
An Arlington (Texas) dentist found herself in the middle of a HIPAA data breach when someone broke into her practice (between August 23 and 25) and stole a computer. According to nbcdfw.com, more than 500 people “could be” at risk – names, addresses, phone numbers, and SSNs were stolen – and affected patients are being individually contacted.
Aside from the above, nothing else has been revealed (well, except for the fact that they don’t have footage of the break-in, but what kind of information is that?).
The absence of any mention of encryption software, combined with the “magic number” of 500 patients and the fact that the media was contacted, leads me to believe that computer encryption was not used.
Medical Data Breaches and HIPAA Regulations
Among other things, the use of NIST-compliant encryption provides safe harbor from having to notify HHS/OCR about the data breach, from notifying patients of the data breach, and from notifying the media once more than 500 people are affected.
(Why? Because the strength of well-developed encryption prevents unauthorized access to the data. As long as the information is safe, the theft of the computer itself is not a data breach.)
However, once a data breach does take place, things quickly go bad for the breached entity. The Office for Civil Rights (OCR) needs to be alerted, which could mean that it launches an investigation with further ramifications. The media needs to be alerted as well, leading to a loss of face for the physician. And patients have to be contacted, possibly the act with the most repercussions.
In addition, there may be state laws to follow, such as contacting the Attorney General’s office.
Since this is too much work for a single physician, such practitioners will most likely seek the services of a lawyer to clean up the mess.
From a cost-benefit standpoint, this is a terrible way to spend your money: a laptop encryption solution like AlertBoot’s managed disk encryption would have been much, much cheaper, without angering anyone (except for the thief, assuming he was after the data on the computer in the first place).
A stitch in time saves nine, and encryption before a breach saves time, notification, and aggravation.