Stanford University has filed its fifth HIPAA breach with the Department of Health and Human Services (HHS). At the center of the breach lies a computer that was not protected with laptop encryption. It was, however, in a "badge-access controlled area," according to healthcareitnews.com.

Now, this probably means that the case is not actually a HIPAA breach, despite what my title (and any other media outlet's title) proclaims. But Stanford still has to contact everyone involved. What a doozy the latest final HIPAA rule turns out to be!
According to various reports and Stanford's own statement, the laptop computer was stolen from a restricted area at the Lucile Packard Children's Hospital at Stanford University. The theft occurred sometime between May 2 and May 8, and the laptop computer was password-protected. It was also described as "non-functional," although details, other than that it was damaged, were omitted.

(Non-functional tends to mean that it's not working. Damaged means exactly what it means. But is it not working because something is broken, or is it not working because it was taken out of service yet remains perfectly serviceable for playing King's Quest II? A crack in the palm rest is also "damage," for example. Retrieving the patient data stored on a machine damaged in that way would be quite easy.)

The lost data includes patient names, age, medical record numbers, telephone numbers, surgical procedure schedules, and physician names. The records go back to 2009. Insurance and Social Security numbers were not part of the data. Approximately 12,900 patients are being notified.
Is this a breach of HIPAA? Most likely, yes. For one, everyone is referring to it as a HIPAA breach, and the hospital alerted the HHS of the data breach.

On the other hand, consider this: nothing in HIPAA forces a covered entity to use encryption software to protect patient data. As long as a risk assessment shows that encryption is not necessary, for example because other security measures are in place, the covered entity has complied with HIPAA regulations.

My guess is that Stanford / Lucile Packard Children's Hospital has complied with HIPAA as I just described it. For example, what are the odds of a laptop being stolen from a restricted area of the hospital? Basically, nil. So it could very well be that, despite the fact that the laptop was stolen and that patient information was on it, LPCH will be found to have done nothing wrong.
Why the data breach notification, you might ask? Well, that's where things get complicated.

As I understand it, under the HITECH "amendments" to HIPAA, the Breach Notification Rule forces a covered entity to notify patients of any data breach involving protected health information (and, if memory serves, to immediately notify the HHS when more than 500 patients are affected). The only safe harbor from this requirement is if the information was encrypted; there is no other.

Plus, the Final Rule removed the "Risk of Harm" analysis, under which the breached entity was allowed to decide whether a data breach was significant enough to warrant notification. Under the Final Rule, a data breach is a data breach is a data breach, no matter how small.

Combine these two requirements and, if a HIPAA covered entity loses data, it has to notify patients. The HHS may conduct an investigation and absolve the breached covered entity (meaning that fines would not be assessed), but those notifications are going out, no matter what.

This is the real reason why many go around proclaiming that encryption is necessary (and a requirement) under HIPAA, when the rule's language clearly shows that encryption is anything but.

I think it was a smart move on HHS's part to include the Breach Notification Rule and get rid of the risk of harm element. When it comes to digital data stored on laptops, smartphones, and tablets, encryption is pretty much the only safety net you can count on.