Got PHI on a Portable Device? Then Just Encrypt It!

Fri, Dec 4, 2015 --


HIPAA Protected Health Information

So many HIPAA breaches have begun with the theft of a laptop containing protected health information (PHI). One laptop can contain the PHI of thousands of patients, so it’s easy to see how that raises risks that patient data will be used by criminals for wrongful pursuits. But a recent court decision may discourage plaintiff negligence lawsuits against organizations that suffer thefts of PHI-laden devices.

No Standing For You, Courts Tell Plaintiffs

After lower courts ruled against plaintiffs in privacy breach cases, an appellate court consolidated two privacy breach cases together and affirmed the lower courts’ decisions that the plaintiffs had no standing to file the lawsuit. The Second District Illinois Appellate Court ruled in favor of Advocate Medical Group, an Illinois network of affiliated physicians and hospitals (Maglio v. Advocate Health). In these cases, after thieves stole password-protected computers containing the PHI of four million former and current Advocate patients, plaintiffs brought suits alleging that Advocate was negligent because it failed to follow best practices for information security, leading to the theft of the plaintiffs’ personal data. The plaintiffs also alleged that Advocate did not secure or encrypt the computers and failed to provide timely breach notification.

However, the plaintiffs did not allege that anyone had improperly accessed or used the PHI. Nor had they been victims of fraud or identity theft. This failure to show harm led to the lower courts’ rulings that the plaintiffs lacked standing to sue. On appeal, the plaintiffs said that the fact that the stolen information was medical in nature made the harm to them implicit. However, the plaintiffs were shot down on appeal, with the appellate court calling the claims of injury “speculative,” because no identity theft had occurred for the plaintiffs. The appeals court wrote that the plaintiffs lacked standing because they failed to show “distinct and palpable injury.”

But for OCR, Negligence Means You Get Fined, Big Time

In another case, however, a laptop stolen from the car of an oncology practice employee led to a fine of $750,000 levied by the Office of Civil Rights (OCR), the Department of Health and Human Services announced in September. OCR heard about the theft three years ago, when the theft occurred of the laptop and an unencrypted backup storage device containing names, Social Security numbers, dates of birth, addresses, and other PHI of about 55,000 patients. The reason for the hefty fine? Upon investigation, OCR found that the practice never did a risk analysis after first discovering the theft back in 2012. To make matters worse, the practice had no written policy on how to deal with PHI on electronic media and other portable devices.

OCR director Jocelyn Samuels said, “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.”

What Do You Think?

I don’t know … I think I’d rather just be HIPAA compliant and use a nice encrypted device if I had to carry four million patients’ data around on a portable device. How about you?

Keep Current on Compliance Trends With Health Information Compliance Alert

As the oncology practice above discovered, the OCR doesn’t play around with HIPAA breaches, especially when practices are recalcitrant to changing their ways. Healthcare organizations need trusted resources that can help them avoid the OCR’s tiered structure of fines for health information privacy violations. That’s why you need to subscribe to Health Information Compliance Alert! You get 12 easily searchable electronic issues a year, along with access to the newsletter archive. With Health Information Compliance Alert, there’s no need to wade through page upon page of obscure regulatory language to find what you need. Instead, you can quickly find tailor-made answers to your toughest privacy and electronic claims compliance questions. Try it today!


Susan taught health information and healthcare documentation at the community college level for more than 20 years. She has a special love for medical language and terminology. She is passionate about ensuring accurate patient healthcare documentation through education. She has a master's degree in healthcare administration, is a certified healthcare documentation specialist, and serves as immediate past president for the Association for Healthcare Documentation Integrity (AHDI).

, , , , , ,

Leave a Reply