The Department of Health and Human Services' Office for Civil Rights (OCR), the division responsible for investigating HIPAA breaches, has said repeatedly that encryption is one of the most basic things providers and business associates can implement to protect patient information. "Pay attention to encryption," particularly for any devices that can leave the office, said Susan McAndrew, deputy director for health information privacy at OCR, speaking at HIMSS14 this past month. "We're interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses."
However, one business associate did not heed the OCR pronouncement, at least not until now. Los Angeles County contractor Sutherland Healthcare Solutions failed to encrypt its computers, which were reported stolen during a burglary on February 5. The theft resulted in a breach affecting as many as 168,500 patients whose data may have been stolen. Sutherland handles billing and collections for the county’s Department of Health Services and Department of Public Health. The stolen computers held patient data including first and last names, Social Security numbers and other medical and billing information. Because Social Security numbers were involved in the breach, these patients are receiving breach notification letters offering free credit monitoring. Meanwhile, Sutherland is reviewing its policies and procedures and providing additional training, while Los Angeles County is helping it review its information privacy and security programs to see what enhancements need to be made.
Being proactive and encrypting data before a breach happens is of the utmost importance. If we can be of help in explaining how to get HIPAA compliant, please let us know.