By N. Nedim Halicioglu

At the recent Health Insurance Portability and Accountability Act (HIPAA) Summit West in San Francisco, Health and Human Services, Office of Civil Rights (OCR) officials told attendees to expect new HIPAA rules to be finalized in the coming months.  They also, once again, focused on the importance of encrypting electronic patient health information (ePHI).

The past few years have seen increased focus on new HIPAA rules with the rise of medical identity theft, news reports of major ePHI breaches, and the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH), which was passed into law along with the stimulus package in 2009.

In the past, medical identity theft has taken a back seat to the risk posed by financial identity theft.  However, as a growing number of startling cases has come to light, medical identity theft is taking more of a national spotlight.  For instance, this past March a California resident saw $12,000 billed on her health care credit card for a liposuction procedure she never had.  Another case this year saw a Texas resident discovering over $100,000 of unpaid medical bills on his credit report, including nearly $20,000 for a life-flight helicopter trip for someone who had stolen his medical identity.

Some market research groups estimate that 2009 saw 275,000 instances of medical information theft, twice the number in 2008.  The threat to patients is not always just financial: inaccurate medical information can be entered in their chart, reflecting diseases or treatments they never had, which could result in improper treatment decisions.

Breaches of ePHI happen in many different ways: malicious attacks by hackers, loss or theft of portable devices such as laptops, insiders or employees who access data without authorization, and unintended disclosures by health entities.  According to the Privacy Rights Clearinghouse, 2010 has seen 159 data breaches from medical providers, putting nearly 3 million individuals’ ePHI at risk.

The largest breach this year by a health care entity occurred when the theft of 57 hard drives from a Tennessee facility put the ePHI of over 1 million people at risk.  Another major breach occurred in April, when an unerased digital copier hard drive was found to have over 400,000 patients’ information stored on it.  Other cases this year include a Florida MRI center where two former employees were involved in an identity theft scheme, resulting in 1,500 confirmed thefts, and up to 40,000 individuals’ ePHI potentially being accessed.

Generally, hackers are not considered to be the major threat, as the majority of data breaches are accidents, or unintended consequences of thieves seeking to steal computers or laptops for their parts rather than for the ePHI stored on them.  However, one major breach occurred in May 2009, when hackers stole over 500,000 patients’ pharmaceutical records from Virginia’s state prescription drug database.  The hackers demanded a $10 million ransom.

Why Encryption is Important

If an ePHI breach occurs, the first step is to determine whether disclosures to affected individuals and/or the Department of Health and Human Services (HHS) are necessary.  In many instances, health care entities must notify affected individuals without delay, and in no case later than 60 days after learning of a breach.  If the breach affects more than 500 people, a disclosure to the media is required.  Further, HHS must be contacted within 60 days.  However, if the breach affects fewer than 500 people, the disclosure to HHS can be made on an annual basis.

This is where encryption comes in.  HITECH imposes notification requirements only for breaches of “unsecured” ePHI.  In other words, if the data is encrypted, no notifications are required.  It is expected that at least one of the new rules from the OCR will provide additional guidance for health care providers dealing with data breaches.  Until then, moving forward with a plan to encrypt data will likely ensure compliance with future HIPAA regulations and avoid the potential expense of a breach notification if data is ever compromised.  Encrypting ePHI might be seen as a technically daunting task, and will generally require the aid of encryption specialists; however, acting now could put your practice ahead of the curve when it comes to HIPAA compliance and ensuring the safety of ePHI.

N. Nedim Halicioglu is an associate at Neil Dymott and concentrates his practice on the defense of healthcare professionals and general civil litigation defense. Mr. Halicioglu may be reached at (951) 303-3930.