Questions Regarding “Minimum Necessary,” Physical Controls, and Encryption Follow Insurer’s “Ongoing Search” for Six Hard Drives Containing PHI of 950,000 Individuals

by Leonardo M. Tamburello

A major health insurer announced an “ongoing comprehensive internal search” for six hard drives containing the PHI including the name, address, date of birth, social security number, member ID number and “health information,” of approximately 950,000 individuals who received laboratory services from 2009 through 2015. According to the announcement, the hard drives were used in an internal data project which analyzed laboratory results with the goal of improving health outcomes.

This incident raises two potential topics of interest under HIPAA. First, whether a data set containing fewer identifiers, or de-identified data could have been used for this project.  If de-identified information were used, the loss of the hard drives would be less damaging and possibly not a “breach” under HIPAA.  The post-breach risk assessment should attempt to answer this question and make policy recommendations that require a critical assessment of whether and to what extent PHI beyond the “minimum necessary” is required for future similar projects.

If it was necessary to use the complete data set of PHI contained on the lost hard drives, additional security precautions, such as enhanced physical security tracking measures and encryption, should have been considered and implemented.  Physical security tracking that restricted or linked the physical movement of the hard drives to a particular location or individual could be enhanced with a requirement that the location and custody of media containing PHI be periodically verified, especially if the PHI of nearly a million individuals is potentially in play.  Although there seems to have been some process along these lines in place in light of the “ongoing comprehensive internal search,” there is no indication of the last date on which the location of the hard drives can be verified.

In addition, the decision to apparently not encrypt the hard drives should also be examined.  Encryption remains an addressable implementation standard under HIPAA, it must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI. See, 45 CFR § 164.312(a)(2)(iv) and -(e)(2)(ii).  If the entity decides that encryption, as addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.

With the relative ease and speed of modern encryption applications that are available across a variety of platforms, from smart phones and tablets, to flash drives and individual hard drives, to back-up media, not encrypting data, whether it is in use, in motion, or at rest, is becoming increasingly difficult to defend from a technical standpoint.

The unexplained disappearance of devices or storage media containing unencrypted PHI through inadvertence, malicious theft, or other physical loss remains a vexing problem for covered entities.  Two relatively simple strategies to avoid the serious harm that could result for such an occurrence are eliminating the use of PHI when possible, and implementing robust tracking and encryption protocols for those instances when PHI is truly necessary.