Even if a breach has occurred, Belfort continues, there are two additional questions to consider: Did unauthorized or improper access to protected health information (PHI) occur, and if so, is there any risk to the organization? If an unencrypted laptop containing PHI was in a car that was stolen and subsequently dumped at the bottom of a lake, then the risk of anyone having seen that PHI is low, he says.
The MAeHC incident was a data breach, Tripathi says. Neither the laptop nor the data was encrypted, and although the files were password-protected, it was determined that an "enlightened amateur" could access the data. Of the nearly 15,000 patient records on the laptop, 1,000 put patients at a significant risk of harm, he says, as they contained a patient's name and one of three other pieces of information: date of birth, Social Security number or reason for the appointment.
The next step was notifying those 1,000 patients. Here differing state and federal laws complicated matters. Under federal law, responsibility for notification rests with the HIPAA-covered entity. In this case, that would have been the practices for which the MAeHC was a contractor. (The organization was studying error logs for electronic data submissions.) Under Massachusetts law, though, the MAeHC, as the entity that lost the data, was responsible. To avoid confusion, Tripathi says, the eight affected covered entities sent the letters (to meet federal law) but mentioned MAeHC in the first sentence (to cover the state law).
In the end, data breach mitigation cost MAeHC about $289,000. More than half went to legal fees, and the bulk of what was left went to pulling staff from other tasks to focus on breach mitigation. "Basically, you have to sweep everything aside and focus on this," Tripathi says.
The breach involving one specific covered entity had to be reported to the Office for Civil Rights (OCR), as it affected more than 500 patients. The OCR concluded that MAeHC was "in substantial compliance" with federal rules and did not fine the organization; the federal agency even went so far as to tell Tripathi that the overlapping state and federal laws left the OCR unsure whether it even had jurisdiction over the incident.
Lessons Learned: How to Prevent a Healthcare Data Breach