Healthcare Alert: Theft of protected health information: What are the ramifications?

From time to time there are reports of the loss or theft of protected health information. Frequently, these reports involve the theft or loss of computers.

The report of an investigation by the Office for Civil Rights of the Department of Health and Human Services (OCR) following the burglary at a small medical practice provides insight into what the OCR will be looking for in the course of its investigation. The burglary included the theft of patient information.

Following the disclosure of the burglary, the OCR investigated. In the course of its investigation, it required the medical practice to provide it with 11 items. The practice had 21 days to respond. Those items included the following:

  1. An admission or denial that there had been a loss of protected health information, or a statement that it was not yet known whether that had occurred.
  2. Documentation that an investigation had been conducted, including a copy of the incident report.
  3. Documentation of the corrective action taken or planned to be taken, including the sanctioning of workforce members, retraining, or mitigation of the harm alleged.
  4. A copy of the practice’s HIPAA policies and procedures relating to the disclosure and safeguarding of health information.
  5. A copy of the policies and procedures that had been implemented to safeguard the practice’s facility and equipment.
  6. Evidence of physical safeguards that had been implemented for computing devices to restrict access to health information.
  7. A copy of the most recent risk assessment that the practice had performed.
  8. Evidence of training of personnel.
  9. Evidence of actions taken to encrypt information.
  10. A copy of the written notification of the breach that had been provided to affected individuals.
  11. A copy of any written notification given to the media, a list of the media outlets to which the notification was given, and copies of any resulting news reports.

These 11 items that were requested are not unusual, and should be viewed as the standard approach that the OCR will take when investigating an incident such as this one.

A question that any medical practice should ask itself is how it would respond if the OCR requested these items. A medical practice that has implemented these policies, procedures, safeguards, and training will be much less likely to have a privacy or security problem in the first place. The practice's exposure to penalties or other government sanctions will also likely be lower if it took affirmative steps before the incident occurred.

Every medical practice should review these 11 items and ask itself how it would respond, and what its shortcomings are. Steps should be promptly taken to eliminate any shortcomings.

A related precaution that all medical practices should take involves determining insurance coverage for privacy or security breaches. Does your practice have an insurance policy that will provide for legal defense costs, or for any other costs or expenses associated with a privacy or security breach? Make certain that you understand the nature of your medical practice’s insurance protection.

For more information, please contact:

John T. Mulligan

Jane Pine Wood

Rick L. Hindmand

or any of our healthcare attorneys.

McDonald Hopkins has a large and diverse healthcare practice, which is national in scope. The firm represents a wide variety of healthcare providers, facilities, vendors, technology companies and associations. Our diverse experience enables us to give our clients a unique perspective on the issues that may confront them in the rapidly evolving healthcare environment.