Union Leader: KNOW THE LAW – Notifying Patients of Theft Under HIPAA – 11/2009

November 2, 2009

This question was answered by Kara Dowal of the McLane Law Firm

Q:  I run a medical practice.  We just learned that one of our company laptops was stolen.  The laptop contained unencrypted health information regarding several of our patients.  What are the practice’s obligations for notifying our patients of the theft under HIPAA?

A:  Assuming that your practice is an entity covered by the Health Insurance Portability and Accountability Act (“HIPAA”), if the information contained on the laptop included identifiable protected health information, then the theft likely triggers breach notification requirements under both federal and state law.  Consult with your attorney if you are uncertain whether the specific information on the laptop is considered “protected health information” as defined under HIPAA. 

Under amendments to HIPAA by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act enacted earlier this year, the fact that the information stolen was unencrypted means that the information was unsecured.  As a result, you are required to notify all individuals affected by the breach without unreasonable delay, but not later than 60 days after discovery of the breach.  Notifications should be written and mailed to each individual affected at his or her last known address.  If the breach affects over 500 individuals, you will also need to notify a prominent media outlet along with the Secretary of the Department of Health and Human Services.  If the breach affects less than 500 individuals, you must maintain a log of breaches and report them to the Secretary annually.

If you had encrypted the information in a manner specified by the HIPAA Security Rule, it would have been considered secured.  This would have provided you with a safe harbor from complying with the notification requirements under the HITECH Act.  However, note that encryption would not necessarily save you from notification requirements under other federal or state laws.   

It would be a good idea for you to incorporate procedures for dealing with security breaches into your already existing privacy and security policies so that when breaches happen you’re not scrambling to make sure you comply with notification requirements.  Plans for dealing with privacy breaches should outline steps for you to follow in order to (1) recognize a breach when it occurs and determine if it requires notification under federal and state law; (2) provide procedures for notifications to be made in a timely manner; and (3) provide for internal documentation and follow-up procedures with employees about the breach in order to prevent similar breaches in the future.  Educating your employees is one of the best ways to prevent additional breaches from happening.    

Finally, the theft of the laptop may also trigger notification requirements under other federal and state laws besides HIPAA.  For example, New Hampshire law requires businesses to notify individuals affected by a security breach of unencrypted personal information as well as the primary regulatory authority of the business or the New Hampshire attorney general’s office.  Consult with your attorney to make sure you don’t have other notification obligations.

Know the Law is a bi-weekly column sponsored by The McLane Law Firm
We invite your questions of business law.  Questions and ideas for future columns should be addressed to: Know the Law, The McLane Law Firm, P.O. Box 888, Manchester, NH 03101 or emailed to