Wednesday, April 27, 2005


Another computer theft, another (potential) Security Rule violation: This time it's in Houston, where a computer was stolen from a vendor of Christus St. Joseph Hospital in downtown Houston. Christus St. Joseph had hired the vendor to convert paper records to digital, and back in January someone broke into the vendor's offices and stole some computers, including at least one with Christus St. Joseph patient data. There's been no evidence that the thieves used the information, but Christus St. Joseph is notifying potentially affected patients. No telling if the delay in notifying patients is due to St. Joseph just finding out about the issue, or deciding to follow the lead of the Silicon Valley medical group in alerting patients.

HIPAA imposes no explicit obligation to notify patients of potential or actual improper uses or disclosures, but covered entities are obligated to take reasonable steps to mitigate damages from such use or disclosure, and mitigation in circumstances like this would probably include notifying the patients so they can look out for signs of identity theft. Perhaps another good idea would be for the offending covered entity to pay for a couple of credit checks for each affected patient (maybe 2 months out, 6 months out, a year out, and 18 months out) to check for evidence of identity theft.

Jeff

