Again, as promised, what follows are the answers to questions 9 and 10 posed in the previous blog item posted November 19, 2012, and titled “Yes, It’s a HIPAA Breach,” which was a continuation of the blog item posted November 6, 2012, and titled “Is It a HIPAA Breach?”:
- a and b are examples of mitigation. c and d are not because they are actions taken before the breach. They are security measures. Mitigation measures are actions taken after the breach to minimize the harm therefrom. See Chapter 8 of my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, Overland Park, KS: Veterans Press, 2011 (the Breach Book).
- False. Certainly most, indeed almost all, PHI on laptops should be encrypted. But as discussed in answer 8 in the previous blog item, because encryption is an addressable, not a required, implementation specification, the laptop needs to be encrypted only if doing so is reasonable and appropriate. If it is not, the covered entity may consider an equivalent alternate measure, such as a LoJack or password protection or both. Or it may do nothing if that course of action is reasonable and appropriate. That being said, with the greatly increased penalties for HIPAA violations and the need to report breaches of unsecured PHI, encryption will ordinarily be reasonable and appropriate.
Hope you enjoyed the quiz and maybe even learned something!
On November 24th, 2012, posted in: HIPAA Compliance Blog by Jonathan Tomes. Tags: breach, breach mitigation, encryption, HIPAA, Jonathan P. Tomes