The decision not to encrypt healthcare data carries the risk that, if computer hardware is lost or stolen, PHI will be exposed. Inland Empire Health Plan (IEHP) discovered this following the theft of a desktop computer from its Rancho Cucamonga center on Oct. 28. The incident has affected 1,030 IEHP members.
The desktop computer was owned by Children’s Eyewear Sight, a provider of vision services to the health plan’s members. The data exposed in the incident included personal identifiers along with details of past and future appointments and IEHP member ID numbers. No Social Security numbers were exposed, although names, addresses and contact telephone numbers were stored on the stolen computer.
A copy of the breach notification letter sent by the IEHP Compliance Department to affected individuals has been posted on the California government website. In the notice, plan members are advised that a suspect has been arrested, although the letter does not confirm whether the device was recovered.
In accordance with state and federal laws, the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), the Department of Health Care Services (DHCS) and the California Office of the Attorney General (OAG). A breach report has also been provided to local media channels.
The Decision to Encrypt
Under the Security Rule of the Health Insurance Portability and Accountability Act, covered entities must implement administrative, technical and physical safeguards to protect the Protected Health Information of patients and plan members.
Data encryption is covered in the Security Rule, but only as an addressable implementation specification, not a required one. It is not mandatory for data at rest to be encrypted. The covered entity is given the flexibility to decide which security measures to employ to safeguard PHI, such as whether to use data encryption or other security measures that provide an appropriate level of protection.
Many healthcare providers have chosen to encrypt PHI in motion and also on portable devices such as laptop computers, pen drives and portable hard disk drives. These devices are easily lost or stolen, so the risk of a data breach is higher than with servers and PCs.
Desktop computers, while not so portable, can also be stolen as was the case at Inland Empire and in numerous other HIPAA breaches reported to the OCR. It is therefore important that these devices – and network servers – are also appropriately protected, and serious consideration should be given to encrypting all PHI to prevent HIPAA breaches.