Legal Memorandum: Disclosure of Patient Information in MN

Issue: In the event that unencrypted patient information stored on a computer is disclosed by a seller of medical devices in violation of HIPAA, what level of violation occurs and what penalty may be potentially imposed?  

Area of Law: Healthcare & Pharmaceutical Law Compliance
Keywords: Disclosure of patient information; Violation of HIPAA; Seller of medical devices
Jurisdiction: Federal, Minnesota
Cited Cases: None
Cited Statutes: § 164.530(c); § 164.310(d)(2)(i); 75 Fed. Reg. No. 134, pp. 40868, 40879; § 164.400 et seq.
Date: 11/01/2010

Without knowing the circumstances under which unencrypted data from a computer may have been disclosed, it is not possible to provide a precise answer.  Nonetheless, some guidance may be found in two examples provided by the Department of Health and Human Services (HHS) in recent comments:

1. A covered entity disposed of several hard drives containing electronic protected health information in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS’s investigation reveals that the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process.




3. A covered entity’s employee lost an unencrypted laptop that contained unsecured protected health information. HHS’s investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.

75 Fed. Reg. No. 134, pp. 40868, 40879 (July 14, 2010) (http://edocket.access.gpo.gov/2010/pdf/2010-16718.pdf).  HHS says both these examples show “willful neglect.”  Id.  “The facts in these examples demonstrate that the covered entities had actual or constructive knowledge of their various violations,” writes HHS.  “In addition, the covered entities’ failures to develop or implement compliant policies and procedures or to respond to incidents as required by § 164.400 et seq. demonstrate either conscious intent or reckless disregard with respect to their compliance obligations.”  Id.

Civil penalties for disclosures made with […]
