BreachExchange mailing list archives

Court ruling sparks patient privacy talk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sat, 19 Oct 2013 00:47:41 -0600

http://www.healthcareitnews.com/news/court-breach-ruling-sparks-HIPAA-patient-privacy-talk

A recent court decision ruling that a HIPAA-covered entity was not liable
for losing a hard drive containing patients' protected health information
could have big implications for future cases in the realm of privacy and
security.

A California appeals court this week ruled that the Board of Regents at the
University of California was not accountable for data disclosure when it
lost the hard drive containing PHI of more than 16,000 patients --
including the lawsuit plaintiff, Melinda Platter -- as officials could not
confirm that patient data was actually accessed.

To all those business associates and covered entities out there who may
deem this a legal win if, say, they happen to lose or misplace devices
containing patient data, there's one important detail to remember: The hard
drive was encrypted. Thus, the implications of the ruling are lesser than
for groups currently facing legal woes over failing to protect patient data
by forgoing encryption.

Reportedly, however, a note containing the encryption password also went
missing.

The court decision was also made under a California state law, the
Confidentiality of Medical Information Act, not federal HIPAA.

The case stemmed from a November 2011 incident when the encrypted hard
drive was stolen from the home of a UCLA Health System physician. In
October 2012, Platter filed suit, alleging "unlawful disclosure of
confidential medical information in violation of CMIA," according to the
lawsuit.

The appeals court ruled that "because Platter cannot allege her information
was improperly viewed or otherwise accessed, we grant the Regents' petition
and issue a writ of mandate to the superior court directing it to vacate
its order overruling."

Just last month, Advocate Health -- which in August reported the
second-largest HIPAA data breach to date after four unencrypted laptops were
stolen from its facility, compromising the protected health information of
more than 4 million people -- was slapped with a class action lawsuit
filed by affected patients.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/