Inland Empire Health Plan Reports PHI Breach

The decision not to encrypt healthcare data carries a risk that, in the event of loss or theft of computer hardware, PHI will be exposed. Inland Empire Health Plan (IEHP) has discovered this following the theft of a desktop computer from its Rancho Cucamonga center on Oct. 28. The incident has affected 1,030 IEHP members.

The desktop computer was owned by Children’s Eyewear Sight, a provider of vision services to the health plan’s members. The data exposed in the incident included personal identifiers along with details of past and future appointments and IEHP member ID numbers. No Social Security numbers were exposed, although names, addresses and contact telephone numbers were stored on the stolen computer.

A copy of the breach notification letter sent by the IEHP Compliance Department to affected individuals has been posted on the California government website. In the notice, plan members are advised that a suspect has been arrested, although the letter does not confirm whether the device was recovered.

In accordance with state and federal laws, the incident was reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), the Department of Health Care Services (DHCS) and the California Office of the Attorney General (OAG). A breach report has also been provided to local media channels.

The Decision to Encrypt

Under the Security Rule of the Health Insurance Portability and Accountability Act, covered entities must implement administrative, technical and physical safeguards to protect the Protected Health Information of patients and plan members.

Data encryption is covered in the Security Rule, but only as an addressable implementation specification, not a required one. It is not mandatory for data at rest to be encrypted. The covered entity is given the flexibility to decide which security measures are employed to safeguard PHI, such as whether to use data encryption or other security measures that provide an appropriate level of protection. Addressable does not mean optional, however: if a covered entity decides encryption is not reasonable and appropriate in its environment, it must document that decision and implement an equivalent alternative measure.

Many healthcare providers have chosen to encrypt PHI in motion and also on portable devices such as laptop computers, pen drives and portable hard disk drives. These devices are easily lost or stolen; therefore the risk of a data breach is higher than with servers and PCs.

Desktop computers, while not so portable, can also be stolen, as was the case at Inland Empire and in numerous other HIPAA breaches reported to OCR. It is therefore important that these devices – and network servers – are also appropriately protected, and serious consideration should be given to encrypting all PHI at rest so that the theft of hardware does not become a reportable HIPAA breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.