2 min read

HIPAA privacy violations include stolen office computers

Picture of Hoala Greevy Hoala Greevy August 23, 2014

HIPAA compliance

Infographic showing HIPAA violation scenario: stolen office computers with inadequate security measures including unencrypted hard drives, resulting in fines.

In our previous posts, we covered fines for HIPAA Privacy Act violations for stolen laptops and stolen thumb drives. In most cases, the laptops and thumb drives were stolen from a car and in all cases, the disk drives were not encrypted. To avoid costly HIPAA privacy act fines for stolen computers and thumb drives, you might think enforcing a policy to encrypt all computer equipment leaving the office would suffice. But if we look into HIPAA breach investigations by the US Department of Health and Human Services, we see this is not the case.

As we'll cover in this post, even a computer that never leaves your office can still be subject to a costly fine due to a HIPAA Privacy Act violation.

Want to display this infographic on your site?

HHS Sets Precedence with a $1.7M HIPAA Privacy fine

In April, the U.S. Department of Health and Human Services announced it reached a $1.7M settlement with a covered entity for the theft of an unencrypted laptop from one of its facilities in Missouri. Although it was not determined how many patients were affected, the guidance is clear- HIPAA privacy for data protection and encryption extends to all computers that contain ePHI, regardless of whether they leave the office or not.

Protecting Office Computers with Passwords Isn't Enough

Last August, personal information for more than 4,000,000 patients was compromised after four computers were stolen during a burglary of a covered entity in Chicago. While the desktop computers were password protected, they were not encrypted. Shortly after, the incident was reported to the Office of Civil Rights. An investigation is currently underway.

Strong Building Security Isn't Sufficient

Last October, two laptops were stolen from the administration building of a covered entity near Los Angeles. The building was gated, patrolled by security and had video surveillance. Nevertheless, thieves still managed to make off with the laptops. Despite the heavy building security, since the hard drives were unencrypted, it represents a HIPAA Privacy breach. In total, 729,000 patients had their protected health information stolen by this theft and an investigation is still being performed.

Access Controlled Areas Still at Risk for HIPAA Privacy Violations

In May 2013, a laptop was stolen from a badge-access controlled area of Stanford hospital. Its hard drive was unencrypted and contained ePHI for 13,000 patients. It was the fifth big HIPAA breach for Stanford University. An investigation by OCR is still being done.

Business Associates Need to Encrypt their Office Computers Too

In February, a Business Associate for Los Angeles County had its office broken into. Eight computers and two monitors were stolen and none of the hard drives were encrypted. Protected health information for as many as 168,500 patients was stolen and an investigation is underway by the OCR.

Conclusion

HIPAA Privacy fines and investigations underway by the Office of Civil Rights give clear guidance on data privacy for computers that contain protected health information. They are:

If the computer never leaves the office, its hard drive must still be encrypted
Protecting a computer with a password isn't enough
Video Surveillance, gated entry, access badges and security guards don't necessarily mean HIPAA compliance
Business Associates fall under the same scrutiny as the Covered Entities they serve

Try Paubox Email Suite for FREE today.

Start for free