Just Encrypt It! Skip Lawsuits, Fines Over Laptop Theft

Wed, Sep 16, 2015



The theft of a single laptop or portable device holding unencrypted data can breach the protected health information (PHI) of thousands of people, leaving the covered entity responsible for the device exposed to HHS Office for Civil Rights (OCR) fines and to lawsuits from breach victims. But a recent appellate court decision may offer covered entities some relief when a HIPAA breach occurs and the plaintiffs cannot prove they were actually injured by it: the court held that such plaintiffs lack standing to sue.

After thieves stole password-protected computers holding the PHI of about four million patients, plaintiffs filed two separate lawsuits alleging that the covered entity failed to follow information security best practices, did not secure or encrypt the computers, and failed to provide timely breach notification. However, the plaintiffs did not allege that anyone had improperly accessed the information, nor that any patient had become a victim of identity theft. Two lower courts dismissed the cases, holding that the plaintiffs lacked standing because they could not show they had been harmed. On appeal, the Second District Illinois Appellate Court affirmed both dismissals in Maglio v. Advocate Health. In its Aug. 5, 2015 decision, the appellate court said the plaintiffs’ claims of injury were speculative and therefore insufficient for standing.

Protect Yourself – It’s Easier Than a Lawsuit Defense

Despite this decision, avoiding breaches entirely is the surest way to protect yourself from HIPAA fines and lawsuits. Most HIPAA breaches occur due to passive errors, not deliberate disclosures, so what you fail to do is most likely to land you in hot water with the OCR. When you breach PHI, HHS expects you to notify the affected parties and the HHS secretary. When the breach affects more than 500 individuals in a given area, you must notify the media as well.

Because theft is the single biggest source of HIPAA breaches, failing to protect and secure the devices and media that hold PHI puts you at risk. For both small and large breaches, theft caused more than half of all exposures of PHI. Simply encrypting and securing data, especially on portable devices such as laptops, smartphones, and memory sticks, keeps the loss of those items from becoming a reportable breach, even when they are stolen.
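The encryption safe harbor only helps if every volume that can hold PHI is actually encrypted, and a stolen laptop with an encrypted system drive but a plain-text data partition or USB stick still leaks. The following audit is an added example, not code from the original post or from any vendor it mentions: it walks the JSON device tree that Linux `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and lists every mounted filesystem that is not stacked on a dm-crypt (LUKS) mapping. The sample `lsblk` output embedded in the block is constructed; the `audit_live_system` helper runs the same check against the machine it is executed on. HHS's guidance on rendering PHI unusable points to NIST SP 800-111 for data at rest, which is what this check verifies at the block-device level.

```python
"""Audit which mounted filesystems sit on top of an encrypted block device.

Added example (not from the original post).  It parses the JSON tree that
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on Linux and reports every
mounted filesystem that is not backed, directly or through a parent device,
by a dm-crypt mapping (type "crypt", e.g. an opened LUKS container).
"""
import json
import subprocess

# Constructed sample output: a LUKS-encrypted root, an unencrypted /data
# partition on the same disk, and an unencrypted USB stick at /media/usb.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "nvme0n1p1", "type": "part", "fstype": "vfat",
        "mountpoint": "/boot/efi"},
       {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS",
        "mountpoint": null,
        "children": [
          {"name": "cryptroot", "type": "crypt", "fstype": "ext4",
           "mountpoint": "/"}
        ]},
       {"name": "nvme0n1p3", "type": "part", "fstype": "ext4",
        "mountpoint": "/data"}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "exfat",
        "mountpoint": "/media/usb"}
     ]}
  ]
}
"""

# Mountpoints that must stay readable before any key is available and that
# normally hold no patient data; adjust to your own environment.
DEFAULT_IGNORE = ("/boot", "/boot/efi")


def walk(node, encrypted_ancestor=False):
    """Yield (device name, mountpoint, encrypted) for every mounted filesystem.

    A filesystem counts as encrypted when it, or any device above it in the
    lsblk tree, is a dm-crypt mapping ("type": "crypt").
    """
    encrypted = encrypted_ancestor or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        yield (node["name"], mountpoint, encrypted)
    for child in node.get("children", []):
        yield from walk(child, encrypted)


def audit(lsblk_json, ignore=DEFAULT_IGNORE):
    """Return the sorted list of mountpoints that are NOT backed by encryption."""
    tree = json.loads(lsblk_json)
    unencrypted = []
    for device in tree["blockdevices"]:
        for _name, mountpoint, encrypted in walk(device):
            if not encrypted and mountpoint not in ignore:
                unencrypted.append(mountpoint)
    return sorted(unencrypted)


def audit_live_system():
    """Run the same audit against the machine this script executes on."""
    output = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(output)


if __name__ == "__main__":
    # With the constructed sample this reports /data and /media/usb.
    for mountpoint in audit(SAMPLE_LSBLK_JSON):
        print(f"UNENCRYPTED: {mountpoint}")
```

The check deliberately treats only dm-crypt mappings as encryption; it does not see file-level or application-level encryption, so a volume that relies on those will show up as a finding that you then have to dispose of by hand. Run it as a scheduled job on laptops and treat any non-empty result as an inventory item to fix before the device leaves the building.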

What’s PHI?

Protected health information, or PHI, is individually identifiable demographic information, such as names, telephone and fax numbers, email addresses, and even geographic information smaller than a state, such as a city name or the last two digits of a zip code. Health information by itself is not PHI; a list of vital signs not linked to a medical record number, name, or other individual identifier, for example, is not PHI. For the list of 18 individual identifiers that mark data as PHI, go here.

What’s Not a Breach?

The HIPAA privacy rule defines a breach as any acquisition, access, use, or disclosure of PHI in violation of the privacy rule. That is a broad set of circumstances, but a number of exceptions exempt you from reporting a disclosure as a breach, including:

  • Data secured with encryption or destroyed according to HHS guidelines.
  • Unintentional internal use in good faith that causes a disclosure, such as a clinician accidentally opening the wrong person’s chart and immediately closing it.
  • Inadvertent internal use within job scope that causes a disclosure, such as looking up the records for Jose Garcia, then realizing it’s the wrong Jose Garcia and immediately closing the notes.

If Your Practice Breaches PHI, What Do You Do?

First, have your privacy officer determine whether a breach actually occurred. If your practice has breached PHI, you must promptly notify the affected individuals or face penalties for neglecting the rules. Templates for breach notifications are available from various sources. Here’s a sample template available to subscribers of Practice Management Alert and Medical Office Biller — make sure you modify it to meet your own needs. For example, if you don’t plan to offer a year of free credit monitoring, edit that portion out of the letter.


Readers, what’s your one best tip for protecting your practice from privacy and security breaches? Drop us a note in the comment box below – we love to hear from you!

Keep Up With Compliance News the Fast, Effective Way

What’s the fastest way to get the latest information to keep your practice HIPAA compliant? Here’s a hint – it’s NOT going to the HHS website and sifting through obscurely worded governmental bulletins. SuperCoder’s Health Information Compliance Alert newsletter brings you the health information compliance news you need without the impenetrable legalese. Each month, you’ll get answers to the toughest privacy and electronic claims compliance questions along with the other updates and information you need. Try it today!


Susan taught health information and healthcare documentation at the community college level for more than 20 years. She has a special love for medical language and terminology. She is passionate about ensuring accurate patient healthcare documentation through education. She has a master's degree in healthcare administration, is a certified healthcare documentation specialist, and serves as immediate past president for the Association for Healthcare Documentation Integrity (AHDI).
