HIPAA privacy violations include stolen office computers


In our previous posts, we covered fines for HIPAA Privacy Act violations for stolen laptops and stolen thumb drives. In most cases, the laptops and thumb drives were stolen from a car, and in all cases the disk drives were not encrypted. To avoid costly HIPAA Privacy Act fines for stolen computers and thumb drives, you might think enforcing a policy to encrypt all computer equipment leaving the office would suffice. But if we look into HIPAA breach investigations by the US Department of Health and Human Services, we see this is not the case. As we’ll cover in this post, even a computer that never leaves your office can still be subject to a costly fine due to a HIPAA Privacy Act violation.


HHS Sets Precedent with a $1.7M HIPAA Privacy Fine

In April, the U.S. Department of Health and Human Services announced it reached a $1.7M settlement with a covered entity for the theft of an unencrypted laptop from one of its facilities in Missouri. Although it was not determined how many patients were affected, the guidance is clear: HIPAA privacy requirements for data protection and encryption extend to all computers that contain ePHI, regardless of whether they leave the office or not.

Protecting Office Computers with Passwords Isn’t Enough

Last August, personal information for more than 4,000,000 patients was compromised after four computers were stolen during a burglary of a covered entity in Chicago. While the desktop computers were password protected, they were not encrypted. Shortly after, the incident was reported to the Office of Civil Rights. An investigation is currently underway.

Strong Building Security Isn’t Sufficient

Last October, two laptops were stolen from the administration building of a covered entity near Los Angeles. The building was gated, patrolled by security and had video surveillance. Nevertheless, thieves still managed to make off with the laptops. Despite the heavy building security, the theft represents a HIPAA Privacy breach because the hard drives were unencrypted. In total, 729,000 patients had their protected health information stolen in this theft, and an investigation is still underway.

Access Controlled Areas Still at Risk for HIPAA Privacy Violations

In May 2013, a laptop was stolen from a badge-access controlled area of Stanford hospital. Its hard drive was unencrypted and contained ePHI for 13,000 patients. It was the fifth big HIPAA breach for Stanford University. An investigation by OCR is still in progress.

Business Associates Need to Encrypt their Office Computers Too

In February, a Business Associate for Los Angeles County had its office broken into. Eight computers and two monitors were stolen and none of the hard drives were encrypted. Protected health information for as many as 168,500 patients was stolen and an investigation is underway by the OCR.

Conclusion

HIPAA Privacy fines and investigations underway by the Office of Civil Rights give clear guidance on data privacy for computers that contain protected health information. The lessons are:

  • If the computer never leaves the office, its hard drive must still be encrypted
  • Protecting a computer with a password isn’t enough
  • Video Surveillance, gated entry, access badges and security guards don’t necessarily mean HIPAA compliance
  • Business Associates fall under the same scrutiny as the Covered Entities they serve

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
