Under the Department of Health and Human Services' HIPAA Security Rule, covered healthcare entities and their business associates must implement safeguards to protect the confidentiality, integrity and availability of patients' electronic protected health information (ePHI). Many healthcare organizations encrypt PHI so that the data remains protected if a network is infiltrated or a device is lost or stolen; under HHS breach notification guidance, PHI that has been properly encrypted is not considered "unsecured", so its loss does not by itself trigger a reportable breach. It is tempting to conclude that encrypting patient data covers an organization against HIPAA violation penalties, but this is not necessarily the case.
A recent data breach at Boston's Brigham and Women's Hospital (BWH) highlights a problem for healthcare organizations that take the appropriate steps to protect PHI, only for those measures to prove insufficient in practice.
BWH announced on Monday 17 November that a mobile phone and a laptop computer were stolen in a robbery in which a doctor was held at knifepoint, bound to a tree and forced to hand over the devices along with the passcodes needed to access the data on them. The devices held the records of 999 patients, including Social Security numbers, addresses, patient ages, treatment data, prescribed medications and diagnoses.
The patients affected had taken part in the hospital's neurology and neurosurgery program between October 2011 and September 2014. The incident was reported to the police, and a community alert was issued six days after the robbery. The stolen equipment has not been recovered. Although the passcodes were handed over, there is no indication that the data has been accessed, or that the data stored on the devices was the motive for the theft.
BWH had implemented privacy and security measures to protect patient PHI after two earlier data breaches, both involving the theft of devices containing PHI. The first, in 2011, involved the potential disclosure of 638 patient records stored on an unencrypted hard drive. The second, in 2012, followed the theft of a computer containing 615 patient records.
The Security Rule defines encryption as "an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key". The protection therefore rests entirely on that key remaining confidential: HHS guidance on rendering PHI unusable to unauthorized persons applies only where the key or confidential process that would enable decryption has not itself been breached. In this case the passcodes were handed to the thieves, leaving the data effectively unprotected, although it is not yet clear how the OCR would classify this breach or whether a financial penalty would be warranted in the circumstances.
A penalty may seem unlikely in this case, given that the passcodes were obtained by force. In general, however, if data is encrypted but adequate safeguards have not been implemented to protect the key or password that unlocks it (for example, a passcode written down and stored alongside the device, or shared across many devices), the loss of that data could be considered a violation and would then be subject to a financial penalty.
Encryption is vital for protecting PHI, but healthcare organizations should not view it as a universal solution that guarantees HIPAA compliance and immunity from penalties. Encrypted data is only as secure as the keys and passcodes that protect it.