A recent news bulletin in Health Data Management noted that Rainbow Hospice and Palliative Care in Park Ridge, Ill., had an encrypted laptop stolen but still publicly reported the breach to affected patients, local media and the Department of Health and Human Services Office for Civil Rights.

Breached data that is encrypted need not be reported under the breach notification rule, but here's why Rainbow Hospice had to issue notifications:

The laptop's hard drive, with protected clinical and financial information on 999 patients, was encrypted, says a spokesperson. Two passwords are needed to use the computer, with one of the passwords decrypting data to make the database accessible. So, encryption is turned off when the laptop is in use, and turns back on when the laptop is closed or shut down.

A nurse was visiting a home that had a "chaotic environment," with the laptop turned on and open when it was stolen. But if the laptop had been turned off when stolen, the data would have been encrypted behind two passwords and notification would not have been necessary.

--Joseph Goedert


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access