Call:  (407) 331-6620 or (850) 439-1001
Toll-free:  (888) 331-6620 
Pay Online
Subscribe To Our Monthly Newsletter

Seven Things To Know When You Receive A Notice Of Investigation From The Department Of Health

Download Free Copy

Failing to Encrypt Data

The high cost of failing to encrypt protected health information.

By Michael L. Smith, R.R.T., J.D.

 

On December 26, 2013, a dermatology practice agreed to pay $150,000 to settle a possible violation of the Health Insurance Portability and Accountability Act (HIPAA). The practice reported a data breach after a thumb drive containing the unencrypted protected health information (PHI) of 2,200 patients was stolen from the vehicle of one of the practice’s staff members. The dermatology practice and its patients are now incurring the high cost of failing to encrypt electronic PHI.
Since 2009, the Breach Notification Rule has required every covered entity to report the loss or theft of unsecured PHI to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). A covered entity is not required to report the loss or theft of secured PHI under the Breach Notification Rule. Obviously, covered entities should at least consider the available methods to secure their PHI.

Secured PHI is information that has been rendered unusable, unreadable, or indecipherable by unauthorized individuals. According to HHS, encryption and destruction are the two methods approved to make PHI unusable, unreadable, or indecipherable. HHS defines encryption as the use of an algorithmic process to transform the data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached. Data that is only protected by a password is not encrypted for purposes of the Breach Notification Rule. Consequently, the loss or theft of data that is only password-protected will be a data breach that must be reported to the OCR.

The Breach Notification Rule also requires every covered entity to have written policies and procedures on the Breach Notification requirements, and requires the covered entity to train its staff on those requirements. The OCR investigates all the reports of the theft or loss of unsecured PHI under the Breach Notification Rule and specifically looks for compliance with these requirements. The OCR may impose monetary and other sanctions on covered entities based upon the specific findings after a breach of unsecured PHI.

In the investigation of the dermatology practice, the OCR found the practice impermissibly disclosed the PHI of more than 2,000 individuals by not utilizing reasonable safeguards, encryption, to protect the electronic PHI on the thumb drive. The OCR investigation also revealed the practice did not have written policies and procedures on the Breach Notification requirements, the practice had not trained its staff in the Breach Notification requirements, and the practice had not performed a thorough risk assessment as required by the Breach Notification Rule. The practice did not have its required policies in place until months after the breach and did not complete its risk assessment until almost a year after the breach.

 

In addition to the $150,000 settlement, the dermatology practice must also incur the expense of notifying all of the patients of the data breach. Most covered entities also incur the cost of providing their patients with identity theft insurance, which can cost several hundred dollars per patient. Had the dermatology practice encrypted the thumb drive, the electronic PHI, while lost, would not have been usable by the unauthorized individual. Had the dermatology practice encrypted the thumb drive, the practice would not have been required to report the data breach to the OCR.

Data encryption is not currently required by the Breach Notification Rule, but the cost of encrypting electronic PHI is minimal compared to cost of a data breach to covered entities and their patients.


Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Fla. This article is for general information only and is not a substitute for formal legal advice.

This article was originally published in Advance for Respiratory Care and Sleep Medicine.

Main Office • 1101 Douglas Avenue, Suite 1000, Altamonte Springs, FL, 32714
By Appointment • 37 N. Orange Ave., Suite 500, Orlando, FL 32801
By Appointment • 201 E. Government St., Pensacola, FL 32502 Telephone: (407) 331-6620(850) 439-1001 Telefax: (407) 331-3030

Medicare/Medicaid Audits, Health Care Law, Contracts, Hospital Privileges Hearings, Investigations, DEA Defense, Board of Medicine Defense, Fraud Defense, Administrative Hearings, PRN, IPN, Professional Licensing, Medicare/Medicaid Fraud Defense, Nursing Law, Compliance Plans, Hospital Law, Board of Dentistry, Board of Nursing, Board of Pharmacy, Board of Psychology, White Collar Crime, Pain Management and Pain Medicine Physician Defense, Pain Management Clinic Defense, Zone Program Integrity Contractor (ZPIC) Audit Defense, Recovery Audit Contractor (RAC) Audit Defense, Medicaid Fraud Control Unit (MFCU) Defense, Search Warrant and Subpoena Defense, Board of Psychology Defense, NBME Representation, U.S.M.L.E. Challenges, ABIM Representation, Medical Exam Cheating Defense…and more

Available in the following Florida cities and counties: Daytona Beach, Fort Lauderdale, Gainesville, Jacksonville, Key West, Melbourne, Miami, Ocala, Orlando, Pensacola, Panama City, Sarasota, St. Petersburg, Tallahassee, Tampa, West Palm Beach, Alachua, Baker, Bay, Bradford, Brevard, Broward, Calhoun, Charlotte, Citrus, Clay, Collier, Columbia, Dade, De Soto, Dixie, Duval, Escambia, Flagler, Franklin, Gadsden, Gilchrist, Glades, Gulf, Hamilton, Hardee, Hendry, Hernando, Highlands, Hillsborough, Holmes, Indian River, Jackson, Jefferson, Lafayette, Lake, Lee, Leon, Levy, Liberty, Madison, Manatee, Marion, Martin, Monroe, Nassau, Okaloosa, Okeechobee, Orange, Osceloa, Palm Beach, Pasco, Pinellas, Polk, Putnam, St. Johns, St. Lucie, Santa Rosa, Sarasota, Seminole, Sumter, Suwannee, Taylor, Union, Volusia, Wakulla, Walton, and Washington

By making this website information available for those who access it does not constitute doing business in or having a presence in any state or jurisdiction, nor does it constitute an advertisement sent to or a solicitation made in any state or jurisdiction. This firm is located in and maintains a presence in only those states where the firm maintains an actual physical office. Its attorneys are only admitted to practice in those states specifically listed on their resumes.

Available in the following states*: Alabama, Alaska, Arizona, Arkansas, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin, and Wyoming

Disclaimer | Terms of Representation

The Health Law Firm logo shown above is a registered Service Mark of George F. Indest III, P.A. – The Health Law Firm, since 2007.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999. Copyright © 2024 The Health Law Firm. All rights reserved.