Should HHS follow the ICO's lead?
Yesterday, the U.K. Information Commissioner’s Office used its authority to issue fines for breaches of the Data Protection Act and issued its first fines ever.
Neither breach involved a healthcare facility, despite the large number of breaches experienced by the NHS. But in what may be a warning shot, the ICO fined Hertfordshire County Council £100,000 for two incidents involving fax errors that resulted in highly sensitive personal information being sent to the wrong recipients.
The other incident resulting in a fine involved a laptop with unencrypted personal information that was stolen from an employee’s home. Ae4, an employment services agency, was fined £60,000 for giving the employee an unencrypted laptop with so much personal data.
Of course, it remains to be seen whether such fines have any deterrent effect and make entities more security-protective. But take a breath and reflect on how many faxing errors containing protected health information occur in this country every day. Can you imagine if HHS started actually fining entities for such errors/violations of HIPAA? Would it make covered entities more careful about faxing and confirming fax numbers before hitting “transmit?”
And what if HHS fined an entity who had experienced a stolen laptop containing unencrypted PHI? Stolen laptops containing inadequately secured PHI are the single most common type of breach report HHS has been receiving for breaches affecting over 500 individuals. Would a very publicly announced fine or two to entities be of any benefit in improving security?