The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.
The description above may seem black and white but the recent rise in theft of healthcare data has revealed gray areas that have caused some debate amongst the medical security community as to what safeguards are to be taken in order to assure your providers and staff are HIPAA compliant. Recently Beth Israel Deaconess levied a hefty fine, when a provider’s unencrypted laptop was stolen that contained patient information. This incident was responsible for leaking sensitive information of more than 41 million patients. This is clearly a black and white case of negligence, which is why the fine was levied, however what if the laptop was encrypted and the owner was robbed at knife point and forced to disclose the password information? Not so black and white, right? According to a recent robbery reported by Boston’s Brigham and Woman’s Hospital, this is exactly what happened to one of their physicians, creating an interesting interpretation of the HIPAA Privacy Rule and Security Rule. This most incident reported the theft of two devices that contained patient related information on 999 patients.
The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, who then issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.
“We apologize for any inconvenience and deeply regret any concern this situation may cause our patients,” said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. “We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future.”
The bigger question of whether encryption alone covers a healthcare organization responsibility to the HIPAA Security Rule. According to the Department of Health and Human Services, the answer is No, encryption alone not enough. HHS states that the HIPAA Security Rule involves, “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.”
This is the third HIPAA breach for BWH, according to data from HHS – and the third theft. BWH, is one of the largest healthcare organizations in Massachusetts and one of the most respected. If it can happen here, it can happen anywhere. With the advances of technology and sharing of information come the responsible to protect that information, the government has defined how that information is to be protected but it is responsibility of the Healthcare organization to safeguard patient sensitive information and put the proper precautions and mitigation plans in place to ensure security. Consult with a Security Expert today at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) by contacting us at 1-800-376-0212 or firstname.lastname@example.org, even if you have completed a Security Assessment and have a Mitigation plan already in place, it’s better to have the assurance from a professional.