Reports of HIPAA breach incidents are nothing new. HIPAA (Health Insurance Portability and Accountability Act) stipulates that healthcare providers, insurance companies, and those who serve them (also known as “Business Associates”) take extensive measures to protect the Protected Health Information (PHI) of their patients. Even the dearly departed are protected from such disclosures. For this reason, the United States Department of Health and Human Services (HHS) requires that providers report data breaches that reach a certain threshold. Though disturbing, this is nothing new.
The new twist here is the near-instantaneous filing of a class-action lawsuit on behalf of those whose information was disclosed. A story in the West Chicago Tribune on September 5th, 2013 details the case. They report:
Advocate Medical Group, already under federal and state investigation after the theft of computers containing personal information on millions of people, is now facing a class-action lawsuit from patients who say the Downers Grove IL-based physician group didn’t do enough to protect their private data.
This is indeed a disturbing trend that needs to be understood by Covered Entities and Business Associates that come into contact with PHI. Not only does a breach nearly always result in civil penalties and the associated humiliation, now the lawyers are coming. The story elaborates on the details:
The suit, filed in Cook County Circuit Court, says the health care nonprofit violated privacy regulations by failing to use encryption and other security measures on the four computers that were stolen from its Park Ridge offices in July. The computers contained information on more than 4 million patients.
4 million. Wow. I personally know people on that list. Anyone familiar with class action lawsuits knows that the members of the “class” rarely get more than a few dollars for their trouble. Only the lawyers get a windfall. But the implications for providers are huge. It seems as though an entirely new legal specialty has sprung up around the HIPAA law. I guess we should not be surprised.
In this case, a burglary of the company’s Park Ridge IL office resulted in the loss of several laptops that contained the mother lode – 4 million records or more. Possibly everyone they’ve ever treated. Sadly, if the laptop hard drives were encrypted, we never would have heard of the breach. HIPAA does not require the reporting of breach incidents when the information is encrypted.
Encryption is fairly straightforward. I should note here that merely having a password on the computer is not the same as encrypting the hard drive. Modern Windows computers can be configured to encrypt the entire hard drive so that the data cannot be read without the decryption key, which frustrates any attempt to access the data on a drive that has been stolen or removed from the machine. Data is not encrypted by default.
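For anyone who wants to check their own machines, here is an added example (not from the original post) that reports whether each fixed drive is actually fully encrypted with BitLocker and currently protected, rather than merely sitting behind a logon password. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, run from an elevated prompt.

```powershell
# Added example: audit fixed drives for full-disk (BitLocker) encryption.
# Assumes Windows 8 / Server 2012 or later with the BitLocker module,
# run from an elevated prompt. Not code from the original post.

function Get-DiskEncryptionReport {
    # A logon password alone does not protect data on a stolen or removed
    # drive; only a fully encrypted volume with protection enabled does.
    $volumes = Get-BitLockerVolume -ErrorAction Stop |
        Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') }

    foreach ($v in $volumes) {
        $encrypted  = ($v.VolumeStatus -eq 'FullyEncrypted')
        $protected  = ($v.ProtectionStatus -eq 'On')
        $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            VolumeStatus     = $v.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
            ProtectionStatus = $v.ProtectionStatus  # 'Off' = key unprotected (suspended or never enabled)
            EncryptionMethod = $v.EncryptionMethod
            KeyProtectors    = $protectors
            # Encrypted-but-suspended volumes are still readable, so require both.
            Compliant        = ($encrypted -and $protected)
        }
    }
}

$report = Get-DiskEncryptionReport
$report | Format-Table -AutoSize

$nonCompliant = $report | Where-Object { -not $_.Compliant }
if ($nonCompliant) {
    Write-Warning ("{0} volume(s) hold data readable without a key: {1}" -f
        $nonCompliant.Count, ($nonCompliant.MountPoint -join ', '))
    exit 1   # non-zero exit so a management tool can flag this machine
}
Write-Output "All fixed volumes are fully encrypted with protection enabled."
```

A volume that shows FullyEncrypted but ProtectionStatus Off (for example, after a suspended BitLocker update) is reported as non-compliant on purpose, since its key is exposed on disk.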
The take-home message is this – if you possess PHI in your computing environment, you are responsible for securing the data against incidents like this. If you’re performing your own IT services, or if you have engaged the services of an IT provider that is not familiar with the HIPAA law, you really need to consider a change of course. The HIPAA penalties are bad enough, and the last thing you want to do is reveal the PHI of your patients. Now you need to consider the additional threat of lawsuits. You would be well served by dealing with an IT provider that is fluent in the law and its requirements.