A data breach does not need to be criminal or intentional to be reportable. When a storage device is small, it is sometimes difficult to determine whether the device was lost, misplaced or stolen. However, even if a flash drive is presumed lost rather than stolen, a breach analysis must still be conducted, and potentially affected patients must be notified if there is a probability that the data were compromised.
HIPAA Breach Analysis Flowchart
The following flowchart outlines how a privacy or security incident is analyzed to determine whether a HIPAA breach has occurred. It forms the basis of the analysis in the case presented here.
In addition to federal HIPAA regulations, covered entities may also have to comply with state data breach laws. State laws vary on what triggers a breach notification obligation and the nature of breach notification obligations. This case study focuses on federal data breach notification laws. The Health Information & the Law website has an interactive map that provides links to state health data security and breach notification laws.
A staff member at a large health facility saved the PHI of 600 patients on a flash drive for a diabetes management outreach project. A couple of weeks later, when she returned to the task, she could not find the flash drive. A thorough search of her office did not turn up the missing flash drive, and it was presumed lost.
HIPAA Breach Analysis
Q. Was PHI involved?
A. Yes. The flash drive contained the PHI of 600 patients.
Q. Was the information on the compromised device encrypted, unusable, unreadable, or indecipherable?
A. No. The PHI was not secured.
Q. Does one of the three HIPAA disclosure exceptions apply?
A. No. Theft, loss or misplacement of a storage device is not an exception.
Q. Is there a low probability that PHI has been compromised? (Risk Assessment)
- Type of PHI: The information was sensitive and included numerous patient identifiers. There was a high possibility the PHI could be used by an unauthorized recipient in a manner adverse to the patients or could be used to further the unauthorized recipient’s own interests.
- Who took it/received it: Unknown
- Ease of access: Because the PHI on the flash drive was not encrypted or otherwise secured, the chance the PHI could be accessed was high.
- Mitigation: Nothing could be done to mitigate the potential misuse of the information.
A. The attorney who reviewed this case found that based on the risk assessment the facility could not demonstrate a low probability that the PHI was compromised. Therefore, notification was required under the federal data breach laws. Because the breach involved more than 500 patients in the same state, the breach had to be reported to patients, HHS and prominent media outlets without reasonable delay, and no later than 60 days after discovery of the breach.
The notice to the patients had to be written in “plain language” and include:
- A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known
- A description of the types of unsecured PHI that were involved in the breach
- Any steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of steps the covered entity is taking to investigate the breach, to mitigate harm to individuals (including providing identity theft protection services for those affected), and to protect against any further breaches
- Contact procedures for individuals to ask questions, including a toll-free telephone number, email address, website or postal address.
Because over 500 patients lived in the same state, the covered entity also had to send major media outlets in that state a notification (e.g., a press release) containing the same information sent to patients. Furthermore, the facility’s report to HHS was posted on the OCR Breach Portal. In addition to complying with the federal requirements to notify HHS and patients, the covered entity had to follow applicable state regulations. The state where the breach took place had PHI data breach statutes and regulations that required an additional notification to the state department of health, on an expedited basis.
Medical Liability Risk Management Recommendations
Carefully consider whether it is necessary to transfer PHI to a flash drive or other portable storage device.
- If your EHR is cloud-based, consider accessing the data directly over a secure connection rather than downloading it to another device.
- Choose a secure method to transfer PHI between secure devices; for example:
  - Download the data directly from the EHR onto a secure device.
  - Transfer the PHI via a secure channel such as secure file transfer protocol (SFTP).
- Encrypt any PHI on storage devices.
- Password-protect storage devices.
- Use flash drives with remote kill or remote wipe functions.
More Information About Preventing HIPAA Data Breaches
- Overview: Preventing HIPAA Data Breaches: Case Studies and Best Practices
- Best Practices: Mobile Device Policies for Preventing HIPAA Data Breaches
- Best Practices: Best Practices for Preventing HIPAA Data Breaches by Criminal Hackers
- Case Study Comparison: HIPAA Data Breaches and PHI on Stolen Laptops
- Closed Claim Case Study: Misdelivered Email Results in a HIPAA Data Breach
- Closed Claim Case Study: Employee Voyeurism Leads to a HIPAA Data Breach
Additional Resources for Policyholders
General HIPAA and data breach risk management resources are available to all NORCAL Mutual policyholders by contacting a NORCAL Risk Management Specialist at 855.822.3412.
Information and Network Security Coverage
Call NORCAL Mutual Customer Service at 844.4NORCAL or visit our Information and Network Security coverage page for more information about this coverage available at no additional cost as part of the Health Care Professional (HCP) policy.
Health Info & the Law Project. “States.” (accessed 5/14/2018)