when a physician's laptop is stolen how do you report a breach of patient information

by Dr. Kristy Dooley 5 min read

HIPAA: Are You Prepared for a Lost Laptop or Smartphone?

3 hours ago  · Since 2010, federal HIPAA fines have ranged from $50,000 to more than $1.9 million for lost and stolen devices. 2015 breach costs have risen to $398 per patient record, mostly due to loss of business when patients switch physicians after a breach (2015 Ponemon Study). Cyber liability insurance policy claims may be denied due to negligence if ... >> Go To The Portal


A notifiable breach must be reported to the ICO without undue delay but no later than 72 hours (not 72 working hours) after becoming aware of it. The patient/s concerned should also be told, since the breach is likely to result in a high risk to their rights and freedoms.

Full Answer

Do I have to report a lost device as a breach?

In almost all situations, there are only two reasons a lost device may not have to be reported as a breach under the HIPAA Breach Notification Rule: (1) no PHI was on the device, or (2) the PHI is unusable - encrypted with FIPS 140-2 encryption (a U.S. government security standard).

What are the costs of lost and stolen devices under HIPAA?

Depending on the situation, you can face significant costs and an U.S. Office for Civil Rights HIPAA investigation. Since 2010, federal HIPAA fines have ranged from $50,000 to more than $1.9 million for lost and stolen devices.

Can a hacker get into your patient records?

A hacker has just infiltrated your business’s IT system and accessed the records of hundreds – or maybe even thousands – of your patients or clients. These records include identifying information as well as sensitive information about the patients’ or clients’ health histories and conditions.

What should I do if my device is lost or stolen?

Conduct a risk assessment. You should have an incident response plan that is specific to a lost or stolen device. Your HIPAA security officer should know how to execute the plan to investigate and respond appropriately to the incident.

Is a stolen laptop a HIPAA violation?

If you have ever lost your laptop, you have something in common with one of the most frequent violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

When must a breach of PHI be reported?

within 60 daysAny breach of unsecured protected health information must be reported to the covered entity within 60 days of the discovery of a breach. While this is the absolute deadline, business associates must not delay notification unnecessarily.

What are five examples of breach of confidentiality involving the unauthorized release of patient information to a third party?

Top 10 Most Common HIPAA ViolationsKeeping Unsecured Records. ... Unencrypted Data. ... Hacking. ... Loss or Theft of Devices. ... Lack of Employee Training. ... Gossiping / Sharing PHI. ... Employee Dishonesty. ... Improper Disposal of Records.More items...•

What is a reportable HIPAA breach?

HIPAA's Breach Notification Rule requires covered entities to notify patients when their unsecured protected heath information (PHI) is impermissibly used or disclosed—or “breached,”—in a way that compromises the privacy and security of the PHI.

What is the correct order of steps that must be taken if there a breach of HIPAA information or data?

Below are steps that you may follow to help identify and timely respond to HIPAA breaches.Stop the breach. ... Contact the privacy officer. ... Respond promptly. ... Investigate appropriately. ... Mitigate the effects of the breach. ... Correct the breach. ... Impose sanctions.More items...•

When a breach occurs healthcare providers are required to do what?

The Breach Notification Rule was added to HIPAA in 2009 to say that in the event of a breach of PHI, covered entities and their business associates are required to notify all affected individuals.

Which are the correct reporting options if you know of a privacy violation or breach?

Filing a Complaint If you believe that a HIPAA-covered entity or its business associate violated your (or someone else's) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with the Office for Civil Rights (OCR).

What are the breach Notification Rule requirements?

If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.

What are the three exceptions to the definition of breach?

There are 3 exceptions: 1) unintentional acquisition, access, or use of PHI in good faith, 2) inadvertent disclosure to an authorized person at the same organization, 3) the receiver is unable to retain the PHI. @

What is an example of a HIPAA breach?

Medical Records Falling into the Wrong Hands Mishandling patient records is one of the most common HIPAA violations. This frequently occurs when a clinic uses paper records or charts. This can result in the clinician accidentally leaving the record in the patient's room, resulting in another patient seeing it.

What is the most common HIPAA violation?

Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees.

What is considered a breach of patient confidentiality?

A breach of confidentiality occurs when a patient's private information is disclosed to a third party without their consent. There are limited exceptions to this, including disclosures to state health officials and court orders requiring medical records to be produced.

Why are laptops so common in medical practice?

Laptops have become extremely common in medical practices. Their portability allows for physicians to take them from room to room to chart patient visits. But their portability is also what makes them a potential HIPAA nightmare.

What happened to the CCG laptop?

In July 2012, a laptop belonging to an employee from Cancer Care Group (CCG) was stolen from the employee’s car. The stolen laptop contained records of over 55,000 current and previous patients of CCG. This data included patient names, addresses, insurance information, Social Security numbers, birth dates, and clinical information.

Is encryption required for HIPAA?

While encryption is not required under HIPAA, it can help to prevent breaches of this kind. If you are using a supported version of Microsoft Windows, then you likely already have the necessary software built into Windows. You can enable drive encryption on all of your laptops at no additional cost.

Can ephi be left unencrypted?

Unencrypted devices or media that contained ePHI should never have been allowed to leave the practice . A Risk Assessment, had it been performed, would have discovered the possibility of a breach should one of these devices been lost or stolen.

When was the Advocate Health Care computer stolen?

The computers, which were taken on July 15, 2013, contained names, addresses, social security numbers, and dates of birth.

What is the new standard for reporting breach?

The new standard presumes that a reportable breach has occurred unless the covered entity or business associate, through the use of a multi-factor risk assessment, determines that there is a low probability that PHI has been compromised by the unauthorized use or disclosure.

Who is the director of the Office for Civil Rights?

Leon Rodriguez, director of the Office for Civil Rights (“OCR”), the agency responsible for investigating HIPAA data breaches and violations has promised an increase in investigations and monetary penalties for health care organizations that have failed to take patient privacy seriously.

Does HHS require breach notification?

The Rule lowers the standard for breach notification. Under the previous rule, breaches were not required to be reported to the Department of Health and Human Services (“HHS”) unless they posed a “significant risk of reputational, financial or other harm” to individuals.

Is it necessary to delete protected health information before reusing a device?

Deleting all stored protected health information before reusing or discarding a device. Although these recommendations are not required by HIPAA, they lay the foundation for best practices and should likely be analyzed and documented as part of any risk assessment undertaken in accordance with the HIPAA security rule.

How long does it take for a patient to report a breach to the ICO?

A notifiable breach must be reported to the ICO without undue delay but no later than 72 hours (not 72 working hours) after becoming aware of it.

Why is the security of patient information important?

Anyone responsible for the information needs to apply security measures appropriate to the level of risk to the data subject (the person whose data is being collected, ...

What is personal data breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data. Under new data protection legislation (GDPR and Data Protection Act 2018) certain personal data breaches need to be notified to the Information Commissioner.

How long has it been since MDU discovered data loss?

The MDU adviser told the student to contact her consultant immediately to tell them what had happened, as it had been nearly 72 hours since she had discovered the data loss. The consultant would know the trust's process to inform the relevant people of the breach.

How to protect electronic health information?

If encryption isn't a reasonable option, here are some reasonable steps you can take to protect electronic health information: 1 Laptops and other handheld devices are easy targets for theft. Do not leave them unattended. 2 Set strong account passwords to protect laptops form being accessed by unauthorized individuals or entities. 3 Install anti-theft software, such as Norton Anti-Theft, for laptops, smartphones and tablets. 4 When your laptop or other mobile device is not in use, lock it up. For example, instead of leaving the laptop in plain sight when you leave at night, lock it up in a locking drawer or cabinet. 5 Consider using the encryption technology bundled with the Windows or Macintosh operations systems to at least provide a layer of protection against casual thieves. 6 Access vs storage: some devices, such as tablet PCs and digital phones, can be configured with software that only serves to capture and retrieve data, not store it. In this case, loss or theft of the device is less of a concern from an ePHI perspective. Be aware that if the device is wireless, the device could still be used to gain access to ePHI if the locations of the wireless access points are known (see HIPAA Security Reference Guide: Device and Media Controls for more information).

How much did OCR pay?

In a news release last week it was reported that two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential HIPAA Privacy and Security violations.

How long does it take to report a breach to HHS?

For breaches involving fewer than 500 individuals, a covered entity need not notify HHS at the time of the breach but must document each such breach in a log and report all such breaches from the preceding year to HHS within 60 calendar days after the end of the year.

How long does it take for a PHR breach to be reported to the FTC?

Like HIPAA as it applies to covered entities, the FTC Rule requires a vendor of PHR or a PHR related entity to notify affected individuals and, where applicable, the media of a data breach “without unreasonable delay” and in no case later than 60 calendar days after discovery of the breach.

How many individuals must a reporting entity notify the FTC of a breach?

A reporting entity need not notify the FTC of a breach involving fewer than 500 individuals. However, the reporting entity must document each such breach in a log and submit it annually to the FTC, consistent with the parallel HIPAA requirements noted above.

What is a breach of HIPAA?

A breach is considered “discovered” under HIPAA as of the first day on which any person (other than the person committing the breach) who is an employee, other workforce member, or agent of the covered entity knew, or by exercising “reasonable diligence” would have known, of the breach.

What notification must be given to a covered entity following a breach?

A covered entity must, following the discovery of a breach, notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of the breach. The notification must include:

What is a breach notification in HIPAA?

As with its other provisions, HIPAA’s Breach Notification Rule applies to “covered entities,” which include healthcare providers (e.g., physicians, hospitals) and health plans (e.g., insurers, managed care organizations), as well as their “business associates.” A “business associate” is an individual or entity that performs certain services to or on behalf of a covered entity that entail access by the business associate to “protected health information” (PHI). PHI is “individually identifiable health information” that is transmitted or maintained in electronic form or any other medium.

What is PIPA data?

PIPA applies to “data collectors,” which are entities (not individual persons) that handle, collect, disseminate, or otherwise deal with nonpublic “personal information.” PIPA defines “personal information” to include: (1) an individual’s first name or first initial and last name, in combination with one or more specified data elements, including “medical information” that is “provided to a website or mobile application”; and (2) a user name or email address, in combination with a password or security question and answer that would permit access to an online account. For purposes of PIPA, the foregoing is “personal information” only where the relevant data elements: (3) are not encrypted or redacted; or (4) are encrypted or redacted, but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through a breach.

Who investigates all complaints involving privacy of protected health information?

The privacy officer or designee investigates all complaints involving privacy of protected health information. The organization should maintain records on the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI.

What is a breach of protected health information?

Many breaches of Protected Health Information are a serious matter. A breach is an impermissible use or disclosure of protected health information or PHI. Consequently, it compromises privacy or security of PHI. It is presumed to be a breach unless certain criteria are met based on a complete analysis. The covered entity or business associate must demonstrate there is a low probability that the phi has been compromised based on a risk assessment.

What is breach notification?

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records ...

How do covered entities notify individuals of a breach of unsecured health information?

Covered entities must provide individuals notice in written form by first-class mail or by e-mail if the affected individual has agreed to receive such notices in a prior interaction.

What does covered entity have to demonstrate?

Covered entities and business associates must be able to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.

How long does it take to file a complaint with the Office of Civil Rights?

In addition, an organization must file complaints within 180 days of when you knew the violation occurred.

When are HIPAA penalties available?

New HIPAA Penalties are now available from the Department of Health and Human Services after it published a notice on April 30th. HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. As of this time HHS applied the same cumulative annual limit to the four categories of violations.

Recent trends

According to the ICO, the commonest reasons for data to fall into the wrong hands were that it was lost or stolen from an insecure location (112 incidents) or sent to the incorrect recipient (67 by email and 56 by post or fax). In 73 incidents there was unauthorised access to the system (65 non-cyber and eight via cyber methods).

Reporting a data breach

A personal data breach is defined by the ICO as, "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

Informing patients

The General Data Protection Regulation (GDPR) states that you should inform the data subject if a breach is likely to result in a high risk to their rights and freedoms, such as if the data refers to a person's health. This is a higher level of risk than under the ICO notification procedures.

Learning from a data breach

Any breach of patient data would usually be discussed under your organisation's significant event audit (SEA) process to identify learning points.

Case example

A GP emailed a letter intended for one patient to another with a similar name. The letter, which a patient had requested for ongoing custody proceedings, outlined mental health history, medication history and details relating to drug and alcohol misuse.