Stolen data signals concern over HIPAA security & HIPAA privacy?

February 1, 2008 at 10:37 pm

I noticed on the HIPAA Blog that Horizon Blue Cross and Blue Shield, New Jersey’s largest health insurance company, had a laptop computer stolen earlier this month in Newark along with the personal information of 300,000 of its members. Jeff Drummond reports that the laptop contained the names and social security numbers for “about 10% of the 3.3 million customers in New Jersey.” The first question that popped into my mind is: did Horizon Blue Cross and Blue Shield commit a HIPAA violation? Since there is no question that names and social security numbers are considered protected health information under HIPAA, the real issue becomes one of security. Who is in charge of enforcing HIPAA security regulations? That would be the CMS (Centers for Medicare and Medicaid Services), who would need to take action in determining if the laptop was reasonably secured at the time it was stolen. According to an editor on Realtime IT Compliance, they would need to conduct “an independent audit of the situation to reveal whether or not this was truly a violation of HIPAA.”

Well, what are people to think now? Do the 300,000 NJ members who had their information subject to potential identity theft feel confident in HIPAA security? How often are HIPAA audits conducted in the first place? I would be curious to know when Horizon Blue Cross and Blue Shield was last audited for adequate security and privacy measures. If protected health information such as social security numbers and names can be stolen, what about emails and electronic documents? Health insurance privacy & security professionals will have to give careful thought to email management and email archiving systems in the coming months, as the success of one thief could lead to a string of incidents testing how far HIPAA security breaches can be pushed.
