Prevention of HIPAA Violation Not Guaranteed by Data Encryption

by Patrick Kennedy | Nov 22, 2014

The Department of Health and Human Services’ HIPAA Security Rule requires covered entities and their business associates to put in place safeguards that protect the privacy and confidentiality of patients’ protected health information (PHI).

Many healthcare organizations rely on data encryption to safeguard PHI in the event that their networks are attacked or electronic devices are lost or stolen. Encrypting patient data is widely assumed to shield an organization from HIPAA breach penalties; however, this is not always the case.

A recent data breach at Boston’s Brigham and Women’s Hospital (BWH) has highlighted an issue faced by healthcare organizations that take the proper steps to protect PHI, only for those measures to prove inadequate.

BWH revealed on Monday, November 17 that a mobile phone and a laptop computer were taken in a robbery in which a doctor was held at knifepoint, bound to a tree and forced to hand over the equipment along with the passcodes needed to access the data. The devices stored the data of 999 patients, including Social Security numbers, addresses, patient ages, treatment data, prescribed medications and diagnoses.

The patients affected by the breach had been part of the hospital’s neurology and neurosurgery program between October 2011 and September 2014. The incident was reported to law enforcement agencies and a community alert was issued six days after the theft. The stolen equipment has not been recovered and, although the passcodes were handed over, there is no indication that the data has been accessed or that the data stored on the devices was the motive for the robbery.

BWH had put privacy and security measures in place to safeguard patient PHI following two previous data breaches, both involving the theft of devices containing PHI. The first breach, in 2011, involved the potential disclosure of 638 patient records kept on an unencrypted hard drive. The second breach, in 2012, followed the theft of a computer containing 615 patient records.

The Security Rule defines encryption as “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”. That definition assumes the key stays confidential; in this instance the passcodes were handed to the thieves, leaving the data as exposed as if it had never been encrypted. It is not yet clear how the Office for Civil Rights (OCR) will classify this breach, or whether a financial penalty would apply under the circumstances.

Though a penalty may seem unlikely in this case, an organization that encrypts its data but fails to implement appropriate safeguards for the key or password protecting that data could be found in violation of the Security Rule and therefore be subject to a financial penalty.

The encryption of data is key to protecting PHI, but healthcare organizations should not see data encryption as a universal solution to avoid penalties and ensure HIPAA-compliance.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
