Yes, It’s a HIPAA Breach

As promised, what follows are the answers to the questions posed in the previous blog item posted November 6, 2012, and titled “Is It a HIPAA Breach?”:

  1. Yes. This incident is a breach of security whether the laptop was encrypted or not. A device containing PHI was apparently stolen, and even if it had been adequately secured in the car, it was nonetheless a security breach. It may be a less serious breach because the data was encrypted, but it is nonetheless a security breach. See pp. 3-2 and 3-3 of my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, Overland Park, KS: Veterans Press, 2011 (hereinafter Breach Book).
  2. No. If encrypted, the data will not be readable, so no breach of privacy should occur.
  3. No. HIPAA requires reporting only of breaches of unsecured—that is, readable—PHI. If the laptop or its data were encrypted consistent with National Institute of Standards and Technology (“NIST”) standards, or if the data had been destroyed consistent with the NIST standards, then it is secured. See Chapter 9 of the Breach Book.
  4. Maybe. If the home health agency had done a risk analysis of the use of laptops outside of the facility, had implemented reasonable and appropriate security measures (which could certainly include encryption), and had implemented and enforced appropriate policies, they would not have committed willful neglect.
  5. Yes. If a theft of an encrypted laptop is a breach of security, the theft of an unencrypted one certainly is.
  6. Yes. Perhaps, if the laptop had had the best password protection known to man or had been immediately recovered, it would not be a privacy breach. But in the majority of situations, it would be. See pp. 3-3 and 3-4 of the Breach Book.
  7. Maybe. If the breach is of unsecured PHI, the covered entity must perform a risk analysis of whether the breach poses a significant threat to the subject(s) of the breach to determine whether it must report the breach. See Chapter 9 of the Breach Book.
  8. Maybe. Besides the situations discussed in 6, above, the breach might be due to a reasonable cause if the nursing home’s risk analysis had demonstrated that encryption was not reasonable and appropriate and if they had documented why an equivalent alternate method besides encryption was reasonable and appropriate. Absent that determination and documentation, the breach would be due to willful neglect.

Now, ponder the following additional questions based on the same scenario:

  1. Which of the following actions could constitute proper mitigation (lessening the harm of the breach)?
     1. Notifying the individuals whose data was on the laptop hard drives even if HIPAA does not require that they be notified, as it does in some circumstances.
     2. Purchasing credit report monitoring for the individuals so that they will be warned of any identity theft.
     3. Having a warning come on whenever the laptop is powered up, similar to the warning on a fax or an email, that the information on the computer is confidential, protected by federal and state law, and may not be accessed, used, or disclosed without proper authority.
     4. Having a LoJack Security System for Laptops on the computer.
  2. [True-False] All laptops containing PHI must be encrypted.

Watch for the answers to these questions in the next blog post.

Posted November 19, 2012, in: HIPAA Compliance Blog.