Dec 28, 2009
Research Compliance: Lost Data
Reader Question: A month ago I was flying to a convention of my research specialty in San Francisco, and in one of my checked bags was my notebook computer and three discs of raw data (non-encrypted) on about 800 patients we have enrolled in a clinical trial. But the airline lost the bag in transit. Of course, I filed a "lost bag" claim with them, but no trace of it yet. Little hope now. I have heard there is some new law called HITECH that applies to lost data. What should I do at this point? Should I already have done anything?
Expert Comments: Brace yourself; we’re going to have to deal with some “alphabet soup” of U.S. government acronyms while explaining your situation.
The Health Information Technology for Economic and Clinical Health Act, or HITECH, is the U.S. federal law that requires you to take immediate action and notify those affected by a loss of protected health information (PHI).
First, figure out if HITECH applies. In order for it to come into play, HIPAA (the Health Insurance Portability and Accountability Act of 1996) has to apply to you. It does if you’re working with patients. However, does HIPAA apply to the particular data you’ve lost? If you took all of the identifiers off the data, then you’re ok because de-identified data isn’t covered by HIPAA or HITECH.
But maybe you aren’t so lucky, and the data contained the initials of patients and their diagnoses. Remember, even initials are identifiers under HIPAA. If the bag stays gone, HIPAA’s in play, but not necessarily HITECH. Was that data encrypted? If so, HITECH’s breach notification rules won’t apply because HITECH only applies to “unsecured” PHI.
Let’s assume your data wasn’t encrypted. For HITECH to apply, the unauthorized disclosure must “compromise the security or privacy of the PHI” by posing “a significant risk of financial, reputational or other harm to the individual” whose PHI was lost. If the data consists only of initials and diagnoses, you probably don’t have a HITECH breach because there is not enough data to identify specific individuals, and thus the risk of harm would be slight.
If you had social security numbers on that disk, it’s another story. These are considered sensitive financial data. Their loss definitely poses a risk of financial harm, so this is where it gets awkward. Once you’re in the breach zone, HITECH requires you to send a written notice by mail to the persons whose data was compromised. The notice has to let them know what happened and when; the data that was disclosed; the actions you’re taking to prevent harm from the disclosure; and contact procedures for people who have questions. You have to send the notice out “without unreasonable delay” and in no event later than 60 calendar days after you discover, or reasonably should have discovered, the breach.
But it can get worse. If you have ten or more people for whom you don’t have an address, then you also will need to post your notice on your home website or in “major print or broadcast media.” This notice must include a toll-free number available for people to call over the next ninety days to determine if their information was affected. Finally, if the breach involves more than 500 residents of a state (you did say you had data for 800 subjects, right?), then, you guessed it, the mandatory news media notice requirement kicks in! You will need to notify “prominent news media outlets” that serve the area (or areas) in which the individuals live, plus the Federal Secretary of Health and Human Services.
No one wants to go through that hassle and embarrassment. The solution lies in two simple steps: de-identify and encrypt.
If you must use identifiers, then use the fewest possible and encrypt! Everything can be encrypted: email, documents, hard disks, and even thumb drives. Encrypted data is not unsecured data, so HITECH won’t apply even if it is lost. Finally, remember to always back up your data, not just so you don’t lose valuable research but also so you can figure out exactly what went missing.
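As an added illustration of the de-identify step (this is example code written for this page, not code from the column or from Emory’s compliance office), the Python script below takes a constructed sample of trial records, strips the direct identifiers that HIPAA’s Safe Harbor rule names (initials and SSN here), reduces dates to years, caps ages at 90+, truncates ZIP codes to three digits, replaces the subject ID with a keyed pseudonym whose key stays at the home institution, and refuses to export if any identifier pattern survived. The sample records, column names, PSEUDONYM_KEY and the contains_identifiers check are assumptions made for this example; the master copy that keeps the identifiers still needs encryption, which this script does not perform.

```python
from __future__ import annotations

import csv
import hashlib
import hmac
import io
import re
from datetime import date

# Constructed sample of the kind of trial data described in the column.
# These are made-up records, not real patients.
RAW_CSV = """subject_id,initials,dob,ssn,zip,visit_date,diagnosis
0001,J.D.,1932-04-05,123-45-6789,30322,2009-11-02,hypertension
0002,M.K.,1915-09-30,987-65-4321,30307,2009-11-03,type 2 diabetes
0003,A.B.,1974-01-17,555-12-3456,94103,2009-11-03,asthma
"""

# Columns that are direct identifiers under Safe Harbor (initials count,
# as the column notes). They never travel with the de-identified export.
DIRECT_IDENTIFIERS = {"initials", "ssn"}

# Hypothetical secret used to derive pseudonyms. It stays at the home
# institution and is never stored on the same disc as the export.
PSEUDONYM_KEY = b"replace-with-institution-held-secret"

REFERENCE_DATE = date(2009, 12, 28)  # "today" for the age calculation


def pseudonym(subject_id: str) -> str:
    """Keyed one-way pseudonym: re-linkable only by whoever holds the key."""
    digest = hmac.new(PSEUDONYM_KEY, subject_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def age_bucket(dob: str) -> str:
    """Safe Harbor keeps only the year of dates and aggregates ages over 89."""
    born = date.fromisoformat(dob)
    had_birthday = (REFERENCE_DATE.month, REFERENCE_DATE.day) >= (born.month, born.day)
    age = REFERENCE_DATE.year - born.year - (0 if had_birthday else 1)
    return "90+" if age >= 90 else str(age)


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three ZIP digits. Safe Harbor additionally requires
    zeroing them for sparsely populated areas; that lookup is omitted here."""
    return zip_code[:3] + "00"


def deidentify(raw_csv: str) -> list[dict]:
    """Build the export rows: no direct identifiers, generalized quasi-identifiers."""
    rows = []
    for rec in csv.DictReader(io.StringIO(raw_csv)):
        rows.append({
            "pseudonym": pseudonym(rec["subject_id"]),
            "age": age_bucket(rec["dob"]),
            "zip3": generalize_zip(rec["zip"]),
            "visit_year": rec["visit_date"][:4],
            "diagnosis": rec["diagnosis"],
        })
    return rows


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
FULL_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def contains_identifiers(rows: list[dict]) -> bool:
    """Pre-travel check: True if any direct-identifier column or an SSN /
    full-date pattern is still present anywhere in the export."""
    for row in rows:
        if DIRECT_IDENTIFIERS & row.keys():
            return True
        for value in row.values():
            if SSN_RE.search(value) or FULL_DATE_RE.search(value):
                return True
    return False


if __name__ == "__main__":
    export = deidentify(RAW_CSV)
    if contains_identifiers(export):
        raise SystemExit("identifiers remain; do not copy this file to a travel disc")
    writer = csv.DictWriter(io.StringIO(), fieldnames=export[0].keys())
    for row in export:
        print(row)
```

The pseudonym is an HMAC rather than a plain hash so that someone who finds the export cannot re-link subjects by hashing a guessed ID list; re-identification requires the key, which stays at home. The contains_identifiers check is the part worth keeping in any export pipeline: it catches a column that was added to the source after the de-identification script was written.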
Comments by Kristen H. West, J.D., Associate V.P. and Director, Office of Research Compliance, Emory University, Atlanta