When Protected Health Information Walks Out the Door

The most publicized patient privacy breaches are often due to hackers getting into EHR systems. One more the most common ways breaches occur, however, is when protected health information (PHI) simply walks out the door. These days you can’t work effectively without laptops, tablet computers, cell phones, and other mobile gadgets. But like anything else that gets piled on tables or stuffed in briefcases, these devices can get lost. When they contain PHI, lost devices are more than an inconvenience, they’re potential HIPAA violations.

This is Not a Drill

The very first thing you should do when you learn that a device has been lost is determine what was on the device. If it did not contain patient data, then of course, you’re in the clear. If it did, you need to know whose data, and how many patients are potentially affected. And you should have an incident response plan set to go, advised Rick Hindmand, an attorney specializing in healthcare law with law firm McDonald Hopkins in Chicago. “Have a response team ready on a moment’s notice. The team should include an IT expert, an attorney, your insurer, if you have one, and possibly a public relations professional-in the case of press inquiries,” Hindmand said.

If 500 or more individuals’ data was compromised, you have to make a quick report to the individuals and the Office for Civil Rights. According to HHS, you must report, “without unreasonable delay and in no case less than 60 calendar days from the discovery of the breach.” If fewer than 500 individuals are involved, you must report to OCR within 60 days of the end of the calendar year in which the breach occurred (although you don’t have to wait), but you still have to report to those individuals within 60 days or sooner if you can. “States have their own breach notification standards,” said Paula Stannard, Washington, D. C.  healthcare attorney with Alston & Bird, and former acting general counsel for HHS, “and some states’ standards are tighter than HIPAA-California, for example-so be sure that you are familiar with the laws in your state. And keep in mind,” she added, “that you have to meet the regulations of the state where the affected patients live. If you have patients from more than one state whose information was affected by the breach, you’ll have to meet the reporting requirements for each of those states.”

How Bad Is This?

On the other hand, you may not be required to report the missing device to OCR or to your patients. If the device was properly encrypted, you’re off the hook and there is no need to report. The National Institute of Standards and Technology publishes standards for encryption, said Hindmand. Your IT department can make sure you meet the standards necessary to satisfy OCR. You are also in the clear if you have and promptly use technology on your device that allows you to wipe the data. “OCR recognizes that everybody can have breaches,” Hindman said. “They’re concerned with whether or not you were doing everything you could to protect the information. When they come in, they will want to make sure you did a risk analysis and made every effort to plug the gaps.”