Health Information Management

Q. What are the reporting requirements when a company laptop computer containing specially protected health information, such as mental health data, is stolen?

HIM-HIPAA Insider, October 13, 2008

A. Note the difference between what the law requires you to report and what is considered appropriate communication with patients when a security and/or privacy breach occurs.
 
Approximately 40 states have enacted identity theft protection laws. The laws of all but one state require notification only when a breach involves certain types of information. Generally, the law requires reporting when information is unencrypted and the patient’s name and either the patient’s Social Security number, passport number, driver’s license number, or credit card plus the PIN are breached.
 
California is the exception; its law requires notification if the breached data also include identifiable health information. It is a good idea to review your state laws to determine whether they require breach notification.
 
HIPAA does not require breach notification except through an accounting of disclosures. Facilities must account for a breach of PHI by including it in the list of disclosures provided when a patient requests an accounting of disclosures.
 
A practical perspective suggests that you should notify patients when their unencrypted medical information is breached. Failure to notify patients in a timely fashion can lead to the following situations:
  • Medical identity theft of your patients’ information
  • Loss of reputation
  • Loss of your patients’ trust, especially if they learn of the breach through the news media
  • Loss of business due to your damaged reputation
  • Increased civil liability
Notifying patients that their medical information has been breached is considered due diligence. Failure to notify them makes your organization ripe for a civil lawsuit, particularly if the information is specially protected under state or federal law.
 
Editor's note: Chris Apgar, president of Portland, OR-based Apgar & Associates, LLC, answered this question. This is not legal advice. Consult your attorney regarding legal matters.
