Less than one month after Boston’s Beth Israel Deaconess Medical Center reached a settlement with the Massachusetts Attorney General for HIPAA violations after a laptop was stolen containing unencrypted PHI, Boston Children’s Hospital has been fined for failing to secure electronic patient health records.
According to the Security Rule, all entities covered by HIPAA must ensure appropriate controls are implemented to protect ePHI. Following amendments to HIPAA regulations, state Attorneys General are allowed to take action against HIPAA covered entities within their jurisdictions, and the Mass. Attorney General’s office is vigorously pursuing healthcare providers that violate data privacy and security laws.
Unlike the Beth Israel data breach, the information exposed in the BCH breach was contained in an email attachment. Because the data was not kept on the hard drive, the hospital was unable to determine whether it was actually accessible through the laptop. The physician in question thought he had taken the appropriate steps to remove PHI from the laptop.
The theft of the laptop on March 25 was thought to have potentially exposed only a limited amount of data, with up to 2,159 patients and parents affected. No Social Security numbers were included in the data, although names, medical record numbers, surgery dates, diagnoses, treatments, procedures and dates of birth were included.
BCH had refreshed its policies to allow for the changes to HIPAA brought about by the Privacy and Security Rules, and it was company policy to encrypt the data on all laptops. In this case, however, no data encryption was in place.
The level of danger faced by the potential victims may also have been underestimated. The patients were warned of the potential disclosure of medical records, but since no Social Security numbers or financial details were in the data set, the hospital did not offer damage mitigation services to protect them from identity theft.
According to State law, any data breach involving personally identifiable information and medical records is labelled identity theft, and identity theft protection services should be supplied to the victims. Personally identifiable information includes a surname and first name or initial, together with a driver’s license number, State ID card number, bank account number, debit or credit card number or Social Security number.
The fine of $40,000 was not harsh; Beth Israel had settled for $100,000 just a few weeks previously. The lower penalty takes into account the actions taken by the healthcare provider to protect the data, and the Attorney General did recognize that the physician in question believed he had taken sufficient steps to protect PHI.