Case of the Stolen Laptop
“I only left my car for five minutes to get something in my apartment and the car was locked,” Dr. Barney Breech explained to his medical group’s HIPAA compliance officer after his car was stolen with his laptop computer inside. The car was recovered a few days later, but not the laptop.
“Your laptop was scheduled to be updated this week, and you should not have taken your laptop home until we had encrypted your hard drive,” the compliance officer chastised. “I am pretty sure that the terms of your employment agreement require you to reimburse us for any HIPAA fines,” she continued to chide.
“How much is that?” asked Dr. Breech.
While this sounds like old news to medical folks, HIPAA breaches happen, and according to the Office for Civil Rights (OCR), unencrypted laptops remain high on the list of reported breaches.
Notably, two recent self-reported breaches led to significant HIPAA fines. In the first case, an unencrypted laptop was stolen from a health care facility. When OCR investigated the report, it discovered that the organization had done some risk analysis and started to encrypt laptops, but it failed to follow through with the process in a consistent and timely manner. The organization agreed to pay $1.7 million to resolve the case and had to adopt a corrective action plan that required annual reporting to OCR for two years.
In the second case, an unencrypted laptop was again stolen, this time from the car of a health plan employee. OCR investigated the breach and determined that compliance deficiencies dated all the way back to the original enforcement date of the HIPAA Security Rule in April 2005. The health plan paid $250,000 to settle the case and entered into a two-year corrective action plan with OCR.
In each case above, only one laptop was stolen yet the combined fines were almost $2 million. So why is the concept of encryption so important?
Well, under HIPAA, if a laptop hard drive containing protected health information has been encrypted and the laptop goes missing, in theory no one else can access and use that information (assuming the encryption is done correctly and a password or other credential protects the decryption key). As a result, the loss generally would not be considered a reportable breach under HIPAA. Without encryption in place, the breach is a breach, as they say, and requires self-reporting to OCR. If OCR reviews the breach report and decides the conduct was not excusable, it could assess significant fines.
While the HIPAA privacy and security rules are complicated and require significant resources to implement, more complimentary (free) guidance and training materials are now available from OCR, as well as from the Office of the National Coordinator for Health Information Technology (ONC), covering key issues such as encryption of laptops and other mobile devices.
Hopefully, Dr. Breech will not have to reimburse his medical group if OCR decides the group did have a risk management plan in place and the breach was something less than bad conduct (the legal term for bad conduct here is "willful neglect"). But the fretting over that sort of risk could have been avoided. The group's compliance team should review its training materials to see if they need updating, and look at its risk management plan to see if security tasks should be stepped up.
See OCR Training Materials
www.hhs.gov/ocr/privacy/hipaa/understanding/training
See ONC Mobile Device Training Materials
www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security