Case Study – Stolen Laptop Leads to Costly HIPAA Fines

Laptops have become extremely common in medical practices. Their portability lets physicians carry them from room to room to chart patient visits. But that same portability is what makes them a potential HIPAA nightmare. What happens when a practice loses a laptop that contains Electronic Protected Health Information (ePHI)? In this week's case study, we examine a case where a single stolen laptop exposed a large number of patient records. We will also cover how you can protect your own practice from this potentially very costly mistake.

What happened?

In July 2012, a laptop belonging to a Cancer Care Group (CCG) employee was stolen from the employee's car. The laptop contained records of over 55,000 current and former CCG patients, including names, addresses, insurance information, Social Security numbers, dates of birth, and clinical information.

The Department of Health and Human Services Office for Civil Rights (HHS OCR) received notification of the breach on August 29, 2012.

What was the result?

OCR's investigation found that CCG had a culture of widespread non-compliance with the HIPAA Security Rule. CCG had never performed a practice-wide Risk Assessment, and it had no written policy governing the removal of hardware containing ePHI, such as this laptop, from its facilities. OCR determined that these two lapses allowed the breach to occur, and initiated enforcement action against the practice. Unencrypted devices or media containing ePHI should never have been allowed to leave the practice. A Risk Assessment, had it been performed, would have identified the likelihood of a breach should one of these devices be lost or stolen.

“Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information. Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

OCR Director Jocelyn Samuels

You can read the full press release here from OCR.

OCR's resolution with CCG required a $750,000 payment and a corrective action plan designed to address the lapses that were discovered.

Stolen laptops can lead to massive breaches and even larger fines

Laptops and other mobile devices are valued for their portability. But that same portability is what turns them into a HIPAA nightmare when they go missing.

Encryption is an addressable implementation specification under the HIPAA Security Rule (45 CFR 164.312(a)(2)(iv)). Addressable does not mean optional: it means the entity must implement the specification if it is reasonable and appropriate, or else document why it is not and implement an equivalent alternative measure. If your Risk Assessment found that the risk of a laptop being stolen is very low, perhaps because every laptop is locked in a safe each night and never leaves the building, then it might be reasonable to document that decision and not use encryption on those devices. It is up to the entity to decide whether encryption is necessary given the threats it faces. However, mobile devices, by their very nature, are easy to lose or steal, so for them encryption is almost always the reasonable and appropriate choice.

A stolen laptop can result in very expensive fines as we see in this case.

Another item to consider is that most practices do not carry insurance against these sorts of events. While cyber insurance is becoming more popular, it is important to remember that these policies also require you to do your part. Not performing a Risk Assessment, not having written policies about whether devices may be removed from the practice, and not applying basic protections to those devices would likely be grounds for an insurer to deny a claim.

Encryption is here to help

While encryption is not strictly required under HIPAA, it can prevent breaches of this kind, and a lost device whose ePHI was encrypted in line with HHS guidance is generally not treated as a breach of unsecured PHI at all. If you are using a supported version of Microsoft Windows in a Pro, Enterprise, or Education edition, then you already have full-disk encryption (BitLocker) built in, and you can enable it on all of your laptops at no additional cost. The one thing you must plan for is recovery keys: if a laptop fails or forgets its key and you have not escrowed the recovery password, the data is gone. With that handled, there is no reason not to use it. You can read more about HIPAA and encryption here.
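The following PowerShell script is an added example, not code from the original post or from OCR or CCG. It audits BitLocker on a Windows laptop using the built-in BitLocker module (Pro, Enterprise, or Education editions, run from an elevated prompt), writes a per-volume record you can keep with your Risk Assessment documentation, and, if you pass `-Enable`, adds a recovery password protector before turning on TPM-backed encryption of the OS drive. The report path and the CSV format are assumptions; the commented-out `Backup-BitLockerKeyProtector` call is the Active Directory escrow option, which assumes your domain has the BitLocker recovery schema in place.

```powershell
# Added example (not part of the original post): audit BitLocker and optionally
# enable it on the OS drive. Requires an elevated session on Windows Pro/
# Enterprise/Education. $ReportPath is an assumed location; adjust to your own
# documentation process.
[CmdletBinding()]
param(
    [switch]$Enable,   # actually enable BitLocker on the OS drive when it is off
    [string]$ReportPath = "$env:ProgramData\HIPAA\bitlocker-audit.csv"   # assumption
)

Import-Module BitLocker -ErrorAction Stop
$osDrive = $env:SystemDrive   # e.g. "C:"

# BitLocker binds the volume key to the TPM; without a ready TPM you would need
# a startup key or PIN protector instead, so warn early.
$tpm = Get-Tpm
if (-not $tpm.TpmReady) {
    Write-Warning "TPM is not ready; a TPM-only protector will not work on this machine."
}

# One record per fixed volume: what is the encryption state and is a recovery
# password present (without one, a failed TPM or motherboard swap loses the data).
$findings = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasRecovery = $types -contains 'RecoveryPassword'
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        MountPoint        = $vol.MountPoint
        VolumeType        = $vol.VolumeType            # OperatingSystem / Data
        ProtectionStatus  = $vol.ProtectionStatus      # On / Off
        VolumeStatus      = $vol.VolumeStatus          # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        EncryptionPercent = $vol.EncryptionPercentage
        EncryptionMethod  = $vol.EncryptionMethod      # e.g. XtsAes256
        KeyProtectors     = ($types -join ';')
        RecoveryEscrowed  = $hasRecovery
        Compliant         = ($vol.ProtectionStatus -eq 'On' -and
                             $vol.VolumeStatus -eq 'FullyEncrypted' -and
                             $hasRecovery)
        Checked           = (Get-Date).ToString('s')
    }
}

$findings | Format-Table -AutoSize
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$findings | Export-Csv -Path $ReportPath -NoTypeInformation -Append

$osVol = $findings | Where-Object MountPoint -eq $osDrive
if ($osVol.Compliant) {
    Write-Host "OS drive $osDrive is fully encrypted and has a recovery password protector."
    return
}
Write-Warning "OS drive $osDrive is NOT fully protected: ProtectionStatus=$($osVol.ProtectionStatus) VolumeStatus=$($osVol.VolumeStatus)"

if ($Enable) {
    # 1. Add the recovery password first, so there is always a way back in.
    $rp = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
    $recovery = $rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    # Escrow it: AD (requires the BitLocker recovery schema and GPO) or your own
    # documented key store. Do not leave it only on the screen.
    # Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId
    Write-Host "Recovery password to escrow: $($recovery.RecoveryPassword)"

    # 2. Bind the key to the TPM and start encrypting. Add -UsedSpaceOnly for a
    #    freshly imaged machine; leave it off for a laptop that has already held
    #    ePHI so previously deleted data is overwritten as well.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    Get-BitLockerVolume -MountPoint $osDrive |
        Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionPercentage
}
```

Run it without `-Enable` on each laptop first and keep the resulting CSV with your Risk Assessment; that file is the evidence that the addressable specification was actually implemented. The order in the `-Enable` branch matters: the recovery password is created and printed before the TPM protector is enabled, so a laptop is never encrypted with no escrowed way to unlock it.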

In the case of CCG, the absence of encryption on the stolen laptop was not itself the violation. The violations were the missing Risk Assessment and, compounding it, the lack of written policies addressing how an employee may remove a device from the practice. A Risk Assessment would have shown that taking an unencrypted laptop containing ePHI out of the practice posed a serious risk of a breach.

If your practice uses mobile devices, it is highly recommended that you enable encryption on them. Encryption also protects the data on devices stolen from the practice itself, not only from an employee's car.


If you have not already performed your Risk Assessment, do so immediately. It will identify the areas your practice needs to address.

Once you have performed the assessment, be sure you remediate any issues that are discovered.

From there, make sure you have written policies and procedures for your practice, and make sure staff actually follow them; a policy that is written but ignored offers no protection in an OCR investigation.

For laptops and other mobile devices, use encryption. On most devices it is already included at no cost, and with recovery keys escrowed there is no practical reason not to use it. If you determine that it is not needed for a particular device, document your reasoning and the alternative measure you applied in your HIPAA documentation.