All too often the focus is on how somebody did something wrong with PHI.
Really, though, there are so few examples of things done right that pointing them out is a challenge.
Well, never fear, we seem to have a good example here…
That’s right, the Houston Methodist Hospital learned they had a breach, and they acted quickly.
Here is a summary:
- Dec 5 “Houston we have a problem” – “some paper files & an encrypted laptop were stolen”
- If the password for the encrypted laptop was not stolen along with it, then the data on the laptop falls under “safe harbor”, meaning it is not reportable. The truly unclear part is the phrase “some paper files” and knowing which patients’ info may have been in those paper files. In the end, notifying everyone is a conservative step.
- Dec 6 Notification to patients, local media and the feds – this speed of notification, while noble, is not how I’d recommend proceeding. Even in the worst case, after a breach you have 60 days from the “discovery date” to begin the notification process. These folks made the decision in 1 day. Hasty decisions can often become mistakes.
For clarity, here are the specifics of the required timeline for a PHI Data Breach:
- If the breach affects fewer than 500 people: notification to those affected and to the HHS is to be made within 60 days of the end of the calendar year – in these cases there is no requirement for media notification.
- If the breach affects 500 or more people: notification to those affected, the media and the HHS is to be made within 60 days of the date the breach was discovered.
So, while it is hard to ding somebody for “doing the right thing”, I’d say this could have been handled in a lower-key way.
Something else to note: while it is entirely appropriate to offer identity theft protection to those potentially affected, there is no requirement to do so.