Home Care Law Blog Gilliland & Markette LLP


3905 Vincennes Road
Suite 204
Indianapolis, IN 46268
Phone: (317) 704-2400
Fax: (317) 704-2410

Another theft of computers

Posted by: Robert Markette
November 29, 2006

I saw another story from over the weekend regarding the theft of computers containing PHI. This story differs from many of the others you read about, because the computers were stolen out of a locked office. That’s right, the information was on computers in a provider’s office and someone broke out a window to get into the office. (As I have said many times before, locks only keep the honest people out.)

Having successfully entered the office, the thieves stole two computers containing information relating to Indiana’s Breast and Cervical Cancer Program (“BCCP”).  The BCCP is a program that many states have.  State law requires health care providers to report certain cancers (and other injuries or illnesses).  This information is maintained by the state and used for various public health planning purposes.

Of course, the state does not have the staff to handle all of the related information management and so it contracts with outside companies to handle the data for it.  In this case, the computers belonged to a contractor and contained information on 7,700 Indiana women who had been diagnosed with one of those forms of cancer.

What is interesting about this case is that even though the contractor kept the computers in its offices, those offices were locked, and the information was protected by two separate passwords, there is still a cry of outrage over the theft. Although it is early, there is no indication yet that the thief (or thieves) was able to access the information on the computers.

The point here is that even if your computers are stolen out of your locked office instead of your employees’ cars, there will be negative publicity. This reinforces the importance of physical security. You may have all of the electronic security in the world – firewalls, passwords, biometrics, and encryption – but if somebody is able to physically remove your computers from your office, that additional electronic security will not matter to your patients and others. (It may prevent any information from being accessed, but you may still face a PR backlash from patients who only see that the computers were stolen.)

The question you should ask is whether your physical security measures are sufficient. Is there anything else you might do, within the Security Rule’s concept of reasonableness, to ensure the physical security of your hardware, for example, installing a security alarm or locking computers that store PHI in a central windowless room?

As you ask this, you should remember that while there is almost certainly more you could do, that does not mean it is reasonable to do so. At some point, the additional safeguard provided by the next step of security is not appreciable enough to justify the additional cost, even in light of the potential for negative publicity. Even with thorough physical security, you may still have a burglary.

Because you cannot completely eliminate the possibility, the question, from a compliance standpoint, is whether you have reduced the possible threat to a reasonable level. If you are comfortable with the thought that you have, you should not let stories like this one scare you into costly additional measures.

As an aside, another complaint the patients had in this incident was that someone other than their physician had this information. The patients were apparently unaware of the fact that health care providers routinely have to report certain illnesses and injuries. They must not have read the Notice of Privacy Practices.

        



The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation.

Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.