The HIPAA Security Rule, administered by the Department of Health and Human Services, requires healthcare covered entities and their business associates to put in place safeguards that protect the confidentiality of patients' protected health information (PHI).
Many healthcare organizations rely on encryption to safeguard PHI in the event that their networks are attacked or that laptops, phones and other devices are lost or stolen. Encrypted PHI is widely assumed to keep an organization clear of HIPAA breach penalties, since PHI encrypted in line with HHS guidance is not treated as "unsecured" under the breach notification rule. That protection, however, assumes the encryption key itself has not been compromised, and this may not always be the case.
A recent data breach at Boston's Brigham and Women's Hospital (BWH) highlights a problem for healthcare organizations that take the proper steps to protect PHI, only for those measures to prove inadequate.
BWH revealed on Monday 17th November that a mobile phone and a laptop computer were taken in a robbery in which a doctor was held at knifepoint, bound to a tree and forced to hand over the devices together with the passcodes needed to access the data on them. The devices stored the data of 999 patients, including Social Security numbers, addresses, patient ages, treatment data, prescribed medications and diagnoses.
The patients affected by the breach had taken part in the hospital's neurology and neurosurgery program between October 2011 and September 2014. The incident was reported to law enforcement and a community alert was issued six days after the theft. The stolen equipment has not been recovered and, although the passcodes were handed over, there is no indication that the data has been accessed or that the data stored on the devices was the motive for the robbery.
BWH had put privacy and security measures in place to safeguard patient PHI after two previous data breaches, both involving the theft of devices containing PHI. The first, in 2011, involved the potential disclosure of 638 patient records kept on an unencrypted hard drive. The second, in 2012, followed the theft of a computer containing 615 patient records.
The Security Rule defines encryption as "an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key". In this case the key was handed to the thieves, which leaves the data effectively unprotected, although it is not yet clear how the HHS Office for Civil Rights (OCR) would classify this breach or whether a financial penalty would apply in the circumstances.
A penalty may seem unlikely here, but the general point stands: if data is encrypted yet appropriate measures have not been implemented to protect the key or password that unlocks it, the encryption provides no real safeguard. That could be construed as a violation of the Security Rule and would therefore expose the organization to a financial penalty.
Encryption is central to protecting PHI, but healthcare organizations should not treat it as a universal solution that by itself avoids penalties and ensures HIPAA compliance. Key management, including how passcodes are issued, stored and revoked, is as much a part of the safeguard as the encryption itself.