[ Tuesday, January 03, 2006 ]
Quite a lively discussion on the HIT list this afternoon. An anonymous poster asked what needed to be done in response to the theft of some computer hard drives that contained patient information. Part of the problem is that the covered entity didn't even know for sure whose information was on those hard drives. Do they need to notify everyone, even the people whose information was not on the stolen drives? Since they can't know whose information might have been taken, they would have to notify every patient.
Responses were fairly consistent: notification is not required, but mitigation is (the Privacy Rule requires a covered entity to mitigate, to the extent practicable, the harmful effects of an improper use or disclosure it knows about); and mitigation might, depending on the circumstances, require notification. The facts of the theft will drive the decision. Does it look like the work of vandals who are just defacing property? Crackheads stealing whatever they can quickly fence for drug money? Identity thieves who targeted the hard drives because they knew they could mine the data? Or a disgruntled employee who only wants to disrupt the covered entity's operations? If it's identity theft, then the individuals should be notified, so they can be vigilant and protect themselves. Otherwise, the covered entity would need to determine whether notice would be a proper or useful mitigation effort.
That's the HIPAA answer, but not necessarily the final answer. Keep in mind that many states have recently enacted their own laws requiring certain businesses that keep or use personal financial information to notify individuals if their information is lost, improperly accessed, or otherwise compromised. Here's a website that keeps track of the states that have implemented that type of legislation. Also, here's a website from the Federal Trade Commission with some tips on how to deal with a security breach and notify customers or clients if their personal information is disclosed.
Jeff [4:52 PM]