If I don’t have a topic for a blog entry, all I apparently have to do is to wait a few days, and someone will have a major breach for me to talk about. This time, it’s Howard University Hospital in Washington, DC, although the hospital itself may not have violated HIPAA.
Apparently, someone stole a former contractor's laptop that contained the PHI of 34,503 patients. The PHI included names, addresses, Social Security numbers, identification numbers, medical record numbers, birthdates, admission dates, diagnosis-related information, and discharge dates. The laptop was password protected but not encrypted, which is a distinction worth dwelling on: a login password does nothing to protect data on a stolen machine, because the drive can simply be removed and read on another computer, whereas full-disk encryption would have kept the PHI unreadable and, under the HITECH Act breach notification rules, would likely have spared the hospital the notification obligations described below. The contractor had downloaded the data to his personal laptop in violation of hospital policy.
One would hope that the hospital had a business associate contract in place that required the former contractor to continue to protect the PHI for as long as he had a legitimate need to retain it. Otherwise, the contractor should have destroyed the data or returned it to the hospital when the engagement ended.
The hospital sent breach notification letters to the patients as required by the HITECH Act and offered one year of paid credit monitoring and identity theft alert services to patients with SSNs on the laptop. It also reported the breach to OCR.
The hospital reports that it now requires encryption of all laptops.
Because DHHS fined Blue Cross Blue Shield of Tennessee $1.5 million for its breach, as discussed in my March 16, 2012, post, one has to wonder whether Howard University may face a similar sanction. Whether the breach amounts to willful neglect that OCR must investigate seems to depend on whether the hospital had a proper HITECH Act business associate contract in place or, if not (a covered entity may treat an independent contractor who works on site as a member of its workforce), whether it had reasonable and appropriate security measures in place, including proper training of the independent contractor. One also wonders whether the hospital had a written termination-of-access procedure and followed it when the contractor left. We will likely learn more about this breach as time goes on, but even this much information dramatizes the point that a covered entity's business associates and contractors can get the covered entity into trouble.