Justin Shafer pointed me to a case where the government, investigating a healthcare provider, served SaaS MicroMD with a federal search warrant for some patients’ data.
You can read Justin’s write-up on his blog, but the case reminds us that patient data can be disclosed to law enforcement without patients’ awareness or consent, and that unencrypted patient data – or data that are encrypted but where the vendor has the encryption key – gives the covered entity less control over the data. Justin writes:
Better IT security might have prevented the DEA from getting the patient data (disk encryption and setting a backend database password for starters), but when that data is NOT in YOUR control, then you are not going to have that much POWER.
Of course, the government could seek a court order for decrypted data or any encryption key, and they’d likely get it, but Justin’s point is worth thinking about in terms of defense against those not in law enforcement who may also be trying to obtain your patient data.