John Muir Health in Walnut Creek, Calif., recently started notifying 5,450 patients after the theft of two laptops containing their health information.
The data wasn't encrypted, and John Muir soon will join a growing list of organizations whose breaches are posted on a Department of Health and Human Services Web site. Most of the breaches listed there resulted from theft, most of those thefts involved laptops or other portable media, and the data on them wasn't encrypted.
Encryption of protected health information is not strictly required under the HIPAA privacy, security and breach notification rules; the Security Rule lists it as an "addressable" implementation specification rather than a required one. An organization must still consider encryption when conducting its risk assessment, and if it decides not to encrypt it must document why the technology isn't reasonable and appropriate and what equivalent safeguard it uses instead. The practical incentive is in the breach notification rule: HHS guidance treats properly encrypted data as not "unsecured," so the loss of an encrypted laptop generally does not trigger notification at all.
I've always thought HIPAA's loophole for avoiding encryption was a mistake that, coupled with lax federal enforcement of the privacy and security rules, has not served the public well. Thanks to the HHS breach list, maintained by the Office for Civil Rights, which enforces health information privacy laws, it's looking a lot tougher these days to justify not encrypting data, at least on portable devices. That's my view, and it's also the view of the government's top health privacy cop, OCR Deputy Director Susan McAndrew, who now has expanded authority and funding to ramp up enforcement efforts.
Note what McAndrew says in Health Data Management's upcoming May cover story on data breaches: "What all the incidents are showing is that entities must really take a closer look at encryption and reassess whether or not encryption should be a routine part of their security requirements."