In our previous posts, we covered fines for HIPAA Privacy Act violations involving stolen laptops and stolen thumb drives. In most cases, the laptops and thumb drives were stolen from a car, and in all cases, the disk drives were not encrypted. To avoid costly HIPAA Privacy Act fines for stolen computers and thumb drives, you might think that enforcing a policy to encrypt all computer equipment leaving the office would suffice. But a look at the HIPAA breach investigations conducted by the US Department of Health and Human Services shows this is not the case.
As we'll cover in this post, even a computer that never leaves your office can still be subject to a costly fine due to a HIPAA Privacy Act violation.
HHS Sets a Precedent with a $1.7M HIPAA Privacy Fine
In April, the U.S. Department of Health and Human Services announced it had reached a $1.7M settlement with a covered entity over the theft of an unencrypted laptop from one of its facilities in Missouri. Although it was not determined how many patients were affected, the guidance is clear: HIPAA privacy requirements for data protection and encryption extend to all computers that contain ePHI, regardless of whether they ever leave the office.
Protecting Office Computers with Passwords Isn't Enough
Last August, personal information for more than 4,000,000 patients was compromised after four computers were stolen during a burglary of a covered entity in Chicago. While the desktop computers were password protected, they were not encrypted. Shortly after, the incident was reported to the Office of Civil Rights. An investigation is currently underway.
Strong Building Security Isn't Sufficient
Last October, two laptops were stolen from the administration building of a covered entity near Los Angeles. The building was gated, patrolled by security and had video surveillance. Nevertheless, thieves still managed to make off with the laptops. Despite the heavy building security, the theft is a HIPAA Privacy breach because the hard drives were unencrypted. In total, 729,000 patients had their protected health information stolen in this theft, and an investigation is still underway.
Access-Controlled Areas Are Still at Risk for HIPAA Privacy Violations
In May 2013, a laptop was stolen from a badge-access controlled area of Stanford hospital. Its hard drive was unencrypted and contained ePHI for 13,000 patients. It was the fifth big HIPAA breach for Stanford University. An investigation by OCR is still underway.
Business Associates Need to Encrypt Their Office Computers Too
In February, a Business Associate for Los Angeles County had its office broken into. Eight computers and two monitors were stolen, and none of the hard drives were encrypted. Protected health information for as many as 168,500 patients was stolen, and an investigation is underway by the OCR.
Conclusion
The HIPAA Privacy fines and the investigations underway by the Office of Civil Rights give clear guidance on data privacy for computers that contain protected health information:
- If the computer never leaves the office, its hard drive must still be encrypted
- Protecting a computer with a password isn't enough
- Video surveillance, gated entry, access badges and security guards don't necessarily mean HIPAA compliance
- Business Associates fall under the same scrutiny as the Covered Entities they serve
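The first two points above come down to one verifiable property: every filesystem holding ePHI must sit beneath an encryption layer, because a login password protects nothing once the drive is pulled from the machine. The following script is an added example (not part of the original post) of how an administrator could audit that property on a Linux host. It reads the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints, walks the device tree, and flags any mounted filesystem with no `crypt` device above it. The device layout embedded in `SAMPLE_LSBLK_JSON` is constructed for the demonstration, and the `PLAINTEXT_OK` allow list (boot partitions that a LUKS-based install normally leaves unencrypted) is an assumption that a site would tune to its own build standard.

```python
"""Audit a Linux block-device tree for mounted filesystems that are not encrypted.

Added example, not code from the original post. Input is the JSON produced by
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; a constructed sample is embedded so
the script runs offline. A filesystem counts as encrypted only if some ancestor
in its device chain is a `crypt` (dm-crypt/LUKS) device.
"""
import json
import subprocess

# Assumption: these mountpoints are normally plaintext on a LUKS-based install.
PLAINTEXT_OK = {"/boot", "/boot/efi", "[SWAP]"}

# Constructed sample: an NVMe drive with an encrypted root, plus a second
# data disk whose partition is mounted with no encryption layer at all.
SAMPLE_LSBLK_JSON = """
{ "blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "root_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/srv/records"}
  ]}
]}
"""


def walk(node, under_crypt, chain, out):
    """Depth-first walk; record each mounted filesystem and whether a crypt layer sits above it."""
    under_crypt = under_crypt or node.get("type") == "crypt"
    chain = chain + [node["name"]]
    mountpoint = node.get("mountpoint")
    if mountpoint:
        out.append({
            "mountpoint": mountpoint,
            "device": node["name"],
            "encrypted": under_crypt,
            "chain": "/".join(chain),
        })
    for child in node.get("children", []):
        walk(child, under_crypt, chain, out)


def find_mounts(lsblk_json):
    """Return one record per mounted filesystem found in the lsblk JSON."""
    out = []
    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False, [], out)
    return out


def unencrypted_mounts(lsblk_json, allow=PLAINTEXT_OK):
    """Return the mountpoints holding plaintext data, minus the allow list, sorted."""
    return sorted(
        m["mountpoint"]
        for m in find_mounts(lsblk_json)
        if not m["encrypted"] and m["mountpoint"] not in allow
    )


def audit_live_host():
    """Run lsblk on this host (Linux only) and return its unencrypted data mounts."""
    raw = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(raw)


if __name__ == "__main__":
    for m in find_mounts(SAMPLE_LSBLK_JSON):
        print(f"{m['mountpoint']:<14} {m['chain']:<36} encrypted={m['encrypted']}")
    bad = unencrypted_mounts(SAMPLE_LSBLK_JSON)
    print("FAIL, plaintext data mounts:" if bad else "PASS, no plaintext data mounts", bad)
```

Run on the embedded sample, the script reports `/` as encrypted (its chain passes through `root_crypt`), accepts `/boot/efi` from the allow list, and fails the audit on `/srv/records`, which is exactly the kind of desktop data partition the Chicago and Los Angeles thefts above turned into reportable breaches. Replacing the sample with `audit_live_host()` turns it into a check that can run from a configuration-management or endpoint-inventory job, so the question "is this office machine encrypted?" is answered by the machine rather than by policy alone.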