Does encryption cover all HIPAA bases?
A Boston robbery turned HIPAA breach sheds light on these cases
What are the responsibilities of covered entities when an encrypted laptop or device is stolen, but the passcodes are handed over in the theft as well? A recent robbery reported by Boston's Brigham and Women's Hospital may shed some light on these tricky situations.
Hospital officials on Monday announced that an encrypted – not unencrypted – cellphone and laptop containing patient medical data were stolen this fall after a BWH physician was robbed at knifepoint and forced to disclose the laptop's passcodes.
The two devices contained the names, medical record numbers, ages, medications, clinical diagnoses and treatment data of 999 patients, officials said. The affected patients were those who received treatment in BWH's neurology and neurosurgery programs from October 2011 to September 2014, along with a group of individuals who participated in research studies.
The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, which issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.
"We apologize for any inconvenience and deeply regret any concern this situation may cause our patients," said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. "We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future."
So does encryption cover an organization's HIPAA bases? Short answer: No. Encryption, according to the Department of Health and Human Services' HIPAA Security Rule, involves using "an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key ... and such confidential process or key that might enable decryption has not been breached."
In what transpired at BWH, the key was indeed breached once the passcodes were handed over. When asked how such cases are handled by the federal government, the Office for Civil Rights, the HHS division responsible for enforcing HIPAA, had not responded to a request for comment by publication time.
As Beth Israel Deaconess Medical Center CIO John Halamka, MD, told Healthcare IT News earlier this summer, the words from staff that give him the chills are: "My laptop was stolen, but it had a password. That's the same as encryption, right?"
This is the third HIPAA breach for BWH, according to data from HHS – and the third theft.
Back in 2011, a BWH employee lost an unencrypted hard drive that contained the protected health information of 638 patients. A year later, the hospital reported a second HIPAA breach after an unencrypted desktop computer was stolen; the computer contained the PHI of 615 individuals.
To date, more than 41 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches.