A recent breach dramatically illustrates the importance of encryption in protecting health information. UCLA Health System warned more than 16,000 patients that their personal information was on a computer hard drive stolen from a doctor’s home in a burglary. The data was encrypted, but the encryption password was written on a sheet of paper near the computer, and that sheet was taken as well. As a result, the breach notification rules of HIPAA and the HITECH Act required UCLA Health System to send First Class Mail letters to the 16,288 patients affected, warning them of possible identity theft and giving them contact information for a data security company that the system hired to help mitigate that risk. So far, no identity theft has occurred. But would a small physician practice want to spend the First Class Mail cost for more than 16,000 patients (or, God forbid, thousands more)?
UCLA recently had to pay an $865,000 fine for improper access to celebrity records and has had to fire employees for such improper access in the past.
Yes, this data was encrypted, but with an unsecured password it might as well not have been. The importance of encryption (with the password secured) is that, if the hard drive had been encrypted and the password not compromised, the data would have been “secured,” meaning not readable, and no breach requiring reporting to either the subjects of the breach or to the Department of Health and Human Services (“DHHS”) would have occurred. Nor would the theft of secured data have required mitigation, such as purchasing credit reports or identity theft insurance in cases in which the subjects of the breach are at risk of identity theft.
This year, Massachusetts General had to pay a $1 million fine for an employee’s negligence in leaving paper records on a subway. If those paper records had been scanned into an encrypted memory stick and the encrypted memory stick had been left on the subway instead of paper records, no breach justifying such a large fine would have occurred.
DHHS regulations specify that the only technologies that render data “secure” are encryption and destruction consistent with the National Institute of Standards and Technology (“NIST”) guidelines.
When you consider the cost of a breach of unsecured protected health information (“PHI”), including possible fines by DHHS, the cost of notifying the subjects of the breach, the bad publicity of being posted on the DHHS website as a “big breacher,” and the like, encryption of any portable device that could be lost or stolen going to and from work or any personal computer used at home would seem absolutely necessary for HIPAA compliance. The 2009 Ponemon Institute Study found that the average cost of a breach was $204 per compromised record.
Consequently, I require all my HIPAA clients to have work-at-home policies and policies governing movement of PHI and to encrypt all devices taken or used offsite.