AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


HIPAA HITECH Public Notices: If Affecting More Than 500, You Must Go Public

Phiprivacy.net notes that the HHS's Wall of Shame has an entry for a medical data breach at Treatment Services Northwest in Oregon that affects 1,200 patients.  The case is unusual because there is no public mention of said breach, in contravention of the HIPAA-HITECH breach notification rule.  Of course, this would be a moot point if drive encryption like AlertBoot had been used.

Only the HHS Knows

The only reason that phiprivacy.net found out about the breach was the HHS's policy of publicizing, on its site, any medical data breaches involving more than 500 patients.  According to the short entry, the data breach at Treatment Services Northwest (in Oregon) affected 1,200 people, was discovered on July 29, and involved the theft of a computer.

Whether this is a desktop computer or a laptop computer is not specified (I should point out that the HHS's site also has separate entries for laptops and for desktops, which leads to some confusion).  History shows, though, that the distinction is not an important consideration, because both types of computers get stolen -- meaning all computers ought to be protected with encryption software if they store protected health information (PHI).

Anyhow, returning to the issue at hand: While Treatment Services Northwest did the right (and legal) thing by reporting the data breach to the HHS -- and, one assumes, by getting in touch with all 1,200 patients -- it has not quite complied with all aspects of the law.  Namely, the HITECH rules for notification of HIPAA breaches require that the incident be reported to the media at large.

§ 164.406 Notification to the Media

In the latest Interim Final Rule for data breach notifications, it is specified that:

§ 164.406 Notification to the media.
(a) Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in § 164.404(a)(2), notify prominent media outlets serving the State or jurisdiction. For purposes of this section, State includes American Samoa and the Northern Mariana Islands.

It is expected for the above to happen without unreasonable delay, and within 60 calendar days of the breach's discovery.  Any later and you're in violation of the law.

It should be noted that the above is not to be confused with the "substitute media" clause, which applies to organizations that have decided to go public with the breach because they couldn't find the contact information for a significant number of people affected by it.  I guess what I'm trying to say is, if a covered entity thinks it doesn't have to alert the media because it can get hold of 100% of the affected people, it's gravely mistaken (my emphases):

IV. Section-by-Section Description of Interim Final Rule
D. Notification to the Media—164.406

Section 164.406 implements section 13402(e)(2) of the Act, which requires that notice be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. This media notice differs from the substitute media notice described in § 164.404(d)(1)(2) in that it is directed "to" the media and is intended to supplement, but not substitute for, individual notice. The Act requires that notification to the media under this provision be provided within the same timeframe as notice is to be provided to the individual.

Now, I'm no HIPAA scholar, but it seems to me that Treatment Services Northwest could be in violation of § 164.406.  Certainly, the 60-day limit has not yet passed; however, the other clause is "without unreasonable delay."  What's slowing the clinic from going public?  (I don't dismiss the possibility that they already did so and that I'm unable to find it on-line...)

Remember: 500 is the magic number.  If there is a breach of PHI that involves more than 500 people and medical encryption software was not used to secure the data, you've got to notify every party named as a recipient of such notification under the various sections of the HIPAA/HITECH laws: the affected patients, the HHS/OCR, and the media.

(Also, remember that states may have additional legislation that requires notification to other bodies, such as the Attorney General's office.)


Related Articles and Sites:
http://www.phiprivacy.net/?p=7623
http://datalossdb.org/incidents/4579-stolen-computer-contained-protected-health-information-on-1-200-patients


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.