A resident physician “misplaced” the USB drive that was being used “to study and continuously improve surgical results,” the statement said. “The flash drive is believed to have been lost at a URMC outpatient orthopedic facility. After an exhaustive but unproductive search, hospital leaders believe that the drive likely was destroyed in the laundry. A search of the laundry service, which works exclusively with hospital/medical facilities, also failed to locate the drive.”

Hospital spokeswoman Teri D'Agostino said the orthopedic resident reported the breach March 7. He was counseled, and his department chairman “used it as an opportunity to re-educate the staff” on privacy issues, including making sure that any data on portable devices is encrypted. It also highlighted the need to focus on residents who move through the hospital, “an area for us where we could step up and improve.”
Security expert Michael McMillan said the hospital handled everything appropriately, but the language in the notice illustrates the differences between the old and new privacy rules. McMillan is the founder of CynergisTek, an Austin, Texas-based security firm.
“Their rationale was they don't believe there was harm because they believe it was lost in the wash,” McMillan said. “They look at the old rule and say they have to prove harm and since they've not heard from anybody, they can assume there was no harm.”
The effective date of the omnibus privacy and security rule was March 26, although the compliance date for many of its provisions is not until Sept. 23. The rule interprets the more stringent privacy and security provisions of the American Recovery and Reinvestment Act of 2009.
But under the new rule, providers and other HIPAA-covered entities must go down a list of four standard questions.
“What information was on it?” determines whether the information was protected by HIPAA, McMillan said.
“Who got it?” determines whether the person who received the breached information was authorized to have it. But, he said, “When you can't say who's got it, you have to assume it was compromised.”
“Then you answer the third question, 'What they did with it?' and you can't answer it,” he said.
The fourth question is: “Were there any mitigating circumstances, such as, the data was encrypted?”
“In this case, there were none,” McMillan said. So, the breach must be reported.
Follow Joseph Conn on Twitter: @MHJConn