Only a month has passed since Boston’s Beth Israel Deaconess Medical Center reached a settlement with the Massachusetts Attorney General for HIPAA violations after a laptop was stolen containing unencrypted PHI. Now Boston Children’s Hospital joins the list of Boston healthcare organizations to be fined for failing to safeguard electronic patient health records.
Under the Security Rule, all entities covered by HIPAA must ensure appropriate controls are put in place to protect ePHI. Following changes to HIPAA regulations, Attorneys General are permitted to take action against HIPAA covered entities within their jurisdictions, and the Mass. Attorney General’s office is vigorously pursuing healthcare providers that violate data privacy and security laws.
In contrast to the Beth Israel data breach, the information exposed in the BCH breach was contained in an email attachment. Because the data was not stored on the hard drive, the hospital was unable to determine whether it was actually accessible through the laptop. The physician in question believed he had taken the appropriate steps to remove PHI from the laptop.
The theft of the laptop on March 25 was believed to have potentially exposed only a limited amount of data, with up to 2,159 patients and parents affected. No Social Security numbers were present in the data, although names and medical record numbers, surgery dates, diagnoses, treatments, procedures and dates of birth were included in the data.
BCH had updated its policies to accommodate the changes to HIPAA brought about by the Privacy and Security Rules, and it was company policy to encrypt the data on all laptops; in this case, however, no data encryption had been used.
The level of risk posed to the potential victims may also have been underestimated. The patients were notified of the potential disclosure of medical records, but since no Social Security numbers or financial details were in the data set, the hospital did not offer damage mitigation services to protect against identity theft.
According to State law, any data breach involving personally identifiable information and medical records is considered identity theft, and identity theft protection services should be provided to the victims. Personally identifiable information is classed as a surname and first name or initial, together with a driver’s license number, State ID card number, bank account number, debit or credit card number or Social Security number.
The fine of $40,000 was lenient; Beth Israel had to settle for $100,000 just a few weeks previously. The lower penalty reflects the actions taken by the healthcare provider to protect the data and the Attorney General did acknowledge that the physician in question believed he had taken sufficient steps to protect PHI.