Many of the lessons to be learned from the recent legal entanglements of the National Football League are of little importance to those of us in business – e.g. don’t get caught deflating footballs! However, the NFL’s involvement in a recent, seemingly obscure, case does provide guidance to many who handle data.
Specifically, those of us who entrust sensitive data – particularly protected (or personal) health information (PHI) – to others, or have others entrust such data to us, must be very cognizant of where such material is stored and processed. We do not typically rely on sports media for legal authorities, but in this case an online article from the Pro Football Weekly website is quite interesting. The theft of a laptop computer from a Washington Redskins trainer has potentially compromised the security of the PHI of a number of NFL prospects and current players whose records were stored on it. The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules are not applicable only to healthcare providers; they apply to all organizations that collect and maintain PHI of employees or, in the case of the NFL, PHI of potential future players.
It is unclear whether the data on the laptop was encrypted or whether it will be of value to the thief. Nevertheless, the fact that the episode made it into the news is detrimental to the team and the league. The involvement of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is clearly not a good thing for anyone. Enforcement statistics show that the compliance issues most investigated by OCR are impermissible uses and disclosures of PHI and lack of safeguards to protect PHI. If the investigation by OCR reveals that safeguards were not in place to protect PHI – and storage on a laptop left in a car is likely to create such a presumption – the Washington Redskins (and possibly the NFL as a whole) could face a hefty financial penalty and most certainly will be required to implement a corrective action plan.
If nothing else, the episode illustrates that sensitive materials should not be stored on portable computers or devices, such as flash drives. If they are, encryption at a suitable level is a requirement of the HIPAA Privacy and Security Rules. For example, a properly implemented HIPAA compliance plan should include policies and procedures governing the receipt and removal of laptops that contain electronic PHI into and out of the organization’s facilities. All devices should have strong encryption and be password protected. We do not know the particulars of this incident; however, it is clear that there was a flaw in the team’s overall compliance program for protecting PHI. A similar analysis comes into play under a different body of federal law with respect to the entrustment of consumer financial records.
In the context of personal health information, federal law requires the use of and compliance with ‘Business Associate Agreements’ to govern the entrustment of such information. Contractors, subcontractors, and other outside persons and companies who are not employees of the organization, but who need access to PHI to provide services, or who will potentially have the ability to gain access to PHI during the course of providing services, are considered business associates. To properly protect PHI, an organization must have a Business Associate Agreement with all its business associates.
In today’s world of ubiquitous data breaches, the storage and transfer of sensitive materials is fraught with peril. Especially where medical information is involved, those who store or transfer it must utilize good practices at all times and obtain appropriate and timely advice as to their special legal obligations. The best practice for protecting PHI and preventing a breach is to develop and implement a strong and robust HIPAA compliance program that continues to monitor and analyze risks in the course of protecting PHI. Sometimes in the NFL, lost yardage can be overcome, but this is often not the case when the loss is of health information!