Is HIPAA privacy compliance required when unencrypted Personal Health Information is lost on a train?

A lawyer lost a portable hard drive containing protected health information (PHI) on a commuter train, reports The Baltimore Sun. What compliance is required? According to the Sun article, the hard drive, while complicated and technologically difficult to access, was not encrypted. Loss of unencrypted data by a healthcare professional or company triggers compliance obligations under the HIPAA Privacy Rule, which applies to "covered entities." HIPAA compliance requires covered entities to notify both the affected patients and the Department of Health and Human Services Office for Civil Rights. The lawyer's firm, however, as the Sun points out, was not a covered entity. According to the Sun:

… it’s unclear if the law firm would be covered by the medical record privacy law, the Health Insurance Portability and Accountability Act, commonly known as HIPAA. The incident may have exposed a loophole, said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington and an adjunct professor at Georgetown University Law Center.

HIPAA regulates the protection of patient information by “covered entities” — providers of health care or health plans and data management companies. But malpractice attorneys aren’t expressly mentioned….

One of our colleagues in Ober|Kaler’s Health Law group, Joshua Freemire, says that a loophole for malpractice lawyers may be an oversimplification. 

Josh explains,

Law firms are generally not covered entities, but where they perform professional services for a covered entity, they are properly considered "business associates." As business associates, law firms must be certain that their relationship to the covered entity is properly documented in a compliant business associate agreement. The firm should also be certain to familiarize itself with its obligations with regard to privacy, security, and breach reporting, both under the applicable statutory and regulatory HIPAA provisions and according to the terms of any applicable business associate agreement.

An entity, including a law firm, that receives protected health information as a result of a legal process (such as through discovery, or in answer to a subpoena) is not necessarily either a covered entity or a business associate. Accordingly, the receiving entity in such a scenario is not bound by HIPAA or its implementing regulations, and is not subject to federal data breach reporting requirements.

However, mere possession of private medical or financial data may bring the entity within the ambit of state privacy laws, which frequently have their own data breach notification requirements, can impose civil penalties, and may provide injured patients with a private right of action.

Josh and Ober|Kaler's Jim Wieland often speak about privacy issues affecting healthcare companies and recently offered a webinar on managing employees' social media use in healthcare companies.