Lincoln Medical and Mental Health Center in Bronx, N.Y., recently notified 130,495 patients of a breach of their protected health information after seven CDs shipped via FedEx by a business associate were lost (see story). In a statement to Health Data Management, the hospital, part of NYC Health and Hospitals Corp., explains why the data were not encrypted and why free identity and credit protection services were not offered to affected patients:

"Under the HIPAA security regulations, encryption is not a legal requirement but a suggested 'addressable' method of safeguarding electronic protected health information. Nevertheless, the Siemens CDs had been safeguarded using password protection. Moreover, in the very unlikely event that an unauthorized user managed to crack or bypass the password, that individual would need to know how to access and utilize Siemens' proprietary software in order to view the information.

"After discussions with security experts and investigations that provided no evidence that information has been improperly accessed by any person or entity, HHC has determined that given the specific facts of this case, and the reduced level of risk and potential exposure, low-cost or free credit and protection services would be just as effective in monitoring possible identity theft as commercially available security monitoring."

--Joseph Goedert
