Whether you back up your data with a cloud service provider, on a local server, or on a physical hard drive, the question of whether to encrypt that backup must be answered.  We begin with the basic premise that the HIPAA Security Rule requires you, as a Covered Entity or a Business Associate, to protect the confidentiality, integrity, and availability of the Protected Health Information (PHI) in your possession.  That responsibility extends to every copy of the PHI, including your backed-up data.

Under the Technical Safeguards and the access control standard of the rule, you are asked to determine whether a mechanism to encrypt and decrypt electronic PHI should be implemented so that only persons authorized to view the PHI can access it.  Although encryption is an addressable implementation specification rather than a required one, "addressable" does not mean optional: you must still determine whether encryption is reasonable and appropriate for your environment, and if you conclude it is not, you must document why and implement an equivalent alternative measure.  It would be difficult to conclude that some method of securing backed-up PHI is not reasonable and appropriate, particularly for portable media such as external drives, which can leave a facility in a pocket or a bag.  There is also a practical incentive beyond the Security Rule: under the HHS guidance on rendering PHI unusable, unreadable, or indecipherable, PHI that is encrypted consistent with NIST guidance (and whose keys are not compromised along with the data) is not "unsecured PHI," so its loss generally does not trigger breach notification obligations.  This question should be answered during your risk analysis, and the following event demonstrates the importance of seriously considering this standard and ultimately securing your backed-up data.

On January 11, 2017, a Covered Entity in Texas learned that an "unencrypted" external hard drive had been stolen from the clinic on or about December 29, 2016.  The clinic used the external hard drive to back up or store patient information from its electronic health records, and the drive was taken from a locked closet within the clinic.  The theft was reported to law enforcement and an investigation is currently ongoing.  The stolen data consisted of the following sensitive information:

  • Patient names
  • Dates of birth
  • Addresses
  • Phone numbers
  • Driver's license numbers
  • Social Security numbers
  • Medical record numbers
  • Account numbers
  • Physicians' names
  • Diagnoses and conditions
  • Lab test results
  • Medications

The patient data spanned a period between 2009 and 2016 (seven years).  Notifications, along with an offer of credit monitoring, are going out to the affected individuals.

One can argue the organization could not reasonably anticipate this theft as a threat to the security and integrity of the PHI.  After all, the hard drive was in a locked closet inside the clinic.  However, one can also argue that theft of portable media is exactly the kind of reasonably anticipated threat the Security Rule asks you to protect against, and that the PHI was not protected from insiders who had no "need to know" the information, since anyone with access to the closet could read the drive.  A locked closet is a physical safeguard, but it does nothing for the data once the drive has left the building; encryption with a key stored separately from the drive is the control that keeps stolen media from becoming stolen data.  The investigation is ongoing as reported by the Covered Entity, so we do not know whether a risk analysis was conducted, or whether this specific piece of equipment was on the asset inventory and known to the security team or the IT department.  What we do know is that backup data should be viewed like all other data, and securing it should be part of your effort to protect the confidentiality, integrity, and availability of the PHI in your possession.