Case Study Comparison: HIPAA Data Breaches and PHI on Stolen Laptops

According to HHS data, more than a third of all data breaches reported through 2017 involved a laptop, desktop, or mobile device.¹ Compare Cases One and Two, and consider how better security practices protected the covered entity in Case Two.

HIPAA Breach Analysis Flowchart

The following flowchart outlines how a privacy or security incident is analyzed to determine whether a HIPAA breach has occurred. It forms the basis of the analyses in the cases presented here.

In addition to federal HIPAA regulations, covered entities may also have to comply with state data breach laws. State laws vary on what triggers a breach notification obligation and the nature of breach notification obligations. These case studies focus on federal data breach notification laws. The Health Information & the Law website has an interactive map that provides links to state health data security and breach notification laws.

Case One

At a busy family practice office, a medical assistant was tasked with reviewing 100 random patient records for quality purposes. Because she was about to miss her deadline for the project, she downloaded the records onto her laptop so she could work on the project over the weekend. She put her laptop in her car trunk and met friends for dinner on the way home. While she was having dinner, her laptop was stolen. The data on the laptop were not encrypted and there was no password protection.

HIPAA Breach Analysis

Q. Was PHI involved?

A. Yes. Full medical records were being stored on the laptop.

Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?

A. No.

Q. Does one of the three HIPAA disclosure exceptions apply?

A. No. Theft of a computer/storage device is not considered an exception.

Q. Is there a low probability that PHI has been compromised? (Risk Assessment)

1. Type of PHI: The information was very sensitive and included numerous patient identifiers. There was a high possibility the PHI could be used by an unauthorized recipient in a manner adverse to the patients, or could be used to further the unauthorized recipient’s own interests.
2. Who took it/received it: Unknown
3. Ease of access: Whether the medical information was viewed was unknown, but because there was no password protection on the computer, the chance that the PHI could be viewed was high.
4. Mitigation: There was no way to assure the PHI would not be used.

A. The attorney who reviewed this case found that based on the risk assessment the clinic could not demonstrate a low probability that the PHI was compromised; therefore, a breach occurred. The practice was required to comply with the HIPAA breach notification requirements.

Case Two

At a community clinic, a nurse practitioner (NP) carried a laptop computer with her, using it to enter patient information into the electronic health record (EHR) as she examined patients. Between patients, she left her laptop at the nurses’ station while she went to get a cup of coffee in the break room. When she returned, the laptop was gone. The laptop required a password to log in. Although the NP accessed patient records from the laptop, no PHI was stored on the device’s hard drive. In order to access the patient records, she had to sign on to the EHR system with a unique username and password. She immediately reported to the office administrator that the laptop had been stolen. The administrator immediately disabled the NP’s user account. Although the laptop was never recovered, the administrator monitored the EHR system to determine whether anyone had attempted to sign on with the NP’s credentials, and no one had.

HIPAA Breach Analysis

Q. Was PHI involved?

A. Yes. PHI could be accessed from the device, but there was no PHI stored on the device.

Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?

A. No.

Q. Does one of the three HIPAA disclosure exceptions apply?

A. No. Theft of a computer/storage device is not an exception.

Q. Is there a low probability that PHI has been compromised? (Risk Assessment)

1. Type of PHI: The information was very sensitive and included numerous patient identifiers. There was a high possibility the PHI could be used by an unauthorized recipient in a manner adverse to the patients or could be used to further the unauthorized recipient’s own interests.
2. Who took it/received it: Unknown
3. Ease of access: Because the computer was password protected, did not store any PHI, and required additional password sign-in to access the EHR, the chance that PHI could be accessed was low.
4. Mitigation: The office administrator moved quickly to disable the NP’s user account, which would most likely prohibit the thief from being able to access the community clinic patient records.

A. In this case, the attorney who reviewed the case found that based on the risk assessment the clinic could determine there was a low probability the PHI had been compromised. Therefore, it was determined that notification was not required under the HIPAA breach notification rules.

Medical Liability Risk Management Recomendations — Laptop Theft Protection

The Federal Trade Commission suggests that individuals think of their computers as cash on the table or an open wallet sitting on the back seat of a car.² Consider the following strategies to safeguard laptops:^2,3

• If a laptop must be left unattended, lock it to something heavy with a laptop security cable.
• Make computers personally identifiable with permanent markings or engravings.
• Install a computer alarm that activates when the computer is moved out of a particular range.
• Install a program that tracks the location of a stolen computer.
• When going through airport security, keep your laptop and phone with you until the last minute, then visually track them and retrieve them immediately.
• When staying in a hotel, lock your laptop in the safe, lock it to something heavy or take it with you.
• Do not leave your laptop in a car.
• Do not use a laptop bag; consider using a bag that hides the fact that there is a laptop in it.
• Encrypt your computer’s hard drive.
• Keep your laptop password protected and do not store passwords with, in or on it.
• If you have to put your laptop on the floor, place it between your legs so you remember it.
• Institute “clean desk” policies for employees, requiring secure physical locations for devices both during and outside of standard work hours.

More Information About Preventing HIPAA Data Breaches

• Overview: Preventing HIPAA Data Breaches: Case Studies and Best Practices
• Best Practices: Mobile Device Policies for Preventing HIPAA Data Breaches
• Best Practices: Best Practices for Preventing HIPAA Data Breaches by Criminal Hackers
• Closed Claim Case Study: Misdelivered Email Results in a HIPAA Data Breach
• Closed Claim Case Study: Employee Voyeurism Leads to a HIPAA Data Breach
• Closed Claim Case Study: Unsecured PHI on a Lost Flash Drive Results in a HIPAA Data Breach

Additional Resources for Policyholders

Guidance and additional information on the HIPAA Security Rule and on medical records security, access and release are available to all NORCAL policyholders by contacting a NORCAL Risk Management Specialist at 855.882.3412.

Information and Network Security Coverage

Call NORCAL Customer Service at 844.4NORCAL or visit our Information and Network Security coverage page for more information about this coverage available at no additional cost as part of the Health Care Professional (HCP) policy.

References

1. U.S. Department of Health and Human Services Office for Civil Rights (OCR). “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” (accessed 5/14/2018)

2. Federal Trade Commission. “Laptop Security.” (accessed 5/14/2018)

3. Oglesby P. “Laptop Anti-Theft: Travel Identity Theft Computer Theft Prevention.” Updated on September 19, 2016. (accessed 5/14/2018)

Additional Linked Sources

Health Info & the Law Project. “States.” (accessed 5/14/2018)

Verizon Enterprise. “2018 Data Breach Investigations Report.” (accessed 5/14/2018)

Federal Communications Commission (FCC). “FCC Smartphone Security Checker.” (accessed 5/14/2018)