Have you encrypted your laptops? No? You should probably start thinking about getting those devices encrypted. Lifespan ACE had to pay over 1 million dollars to settle an unencrypted laptop breach (hhs.gov). An employee’s laptop that contained ePHI was stolen from their car. The information on that laptop included patient names, medical record numbers, demographic information and medication information on over 20,000 patients. The full report is available on the HHS website.
The University of Rochester Medical Center paid over $3 million for a similar breach. They lost an unencrypted flash drive and had an unencrypted laptop stolen. In both cases, OCR investigations revealed a failure to “utilize device and media controls” and a failure to encrypt devices despite having identified the lack of encryption as a risk. More details on this breach and the fine are available on the HHS website.
The OCR Director has said “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk. When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”
What does this mean for your office?
Recognize that your mobile devices (laptops, cellphones, flash drives and other portable devices) are easily lost, misplaced, or stolen. Any of these events can be considered a HIPAA incident. We need to:
1. Track these devices.
All devices you use to access or store ePHI must be listed in your HIPAA Risk Analysis. Your office should know who is responsible for the device.
2. Encrypt these devices
If your devices are encrypted, the information stored on their drives is protected and their loss is not considered a HIPAA breach. Both Lifespan and U of R Medical Center had identified that they should be encrypting their drives, and their lack of encryption led to a HIPAA breach and a large settlement. The Director of the OCR puts the onus on your office to encrypt these drives.
I hear some of you thinking, “I don’t have patient information on my laptop. I just use it to access my cloud software.” Here is the Catch-22: if you don’t have your laptop, how can you prove that you do not have ePHI on the device? A patient’s name alone is considered identifiable patient information. Without the device in hand, it is impossible to prove that you do not have a single patient’s name hidden in an old Word document.
3. Again. Encrypt the drives.
Is your HIPAA Security Risk Analysis up to date? Have you recently changed how you back up your data, updated computers, or added new backup devices? These changes MUST be reflected in your Risk Analysis and Risk Mitigation Plan. We regularly reach out to our clients to make sure you are up to date. If you have not spoken to us in the past few months, please call and let us help you avoid the types of fines that Lifespan and the University of Rochester received. Call us at 631 403 6687 today.
CHP, VP of Customer Service, TLD Systems