Have you encrypted the hard drive or solid-state drive (SSD) on every laptop in your organization? If your business or nonprofit organization handles Protected Health Information (PHI), you should encrypt every laptop as soon as possible! Laptops that store PHI may be one of the greatest vulnerabilities in any organization. Just one stolen laptop can cost millions of dollars in legal fees and fines. Last week, two major settlements were announced that could have been prevented with proper laptop encryption. North Memorial Health Care of Minnesota agreed to pay $1.55 million, and Feinstein Institute for Medical Research agreed to pay $3.9 million to settle charges that they potentially violated the HIPAA Privacy and Security Rules. I will summarize both cases and explain the simple steps that you can take to protect your organization.
The Feinstein Institute case is straightforward. In 2012, an employee left a laptop containing PHI for 13,000 people in a car, and the laptop was stolen. The laptop was password-protected, but the storage was not encrypted. Feinstein reported the breach, per HIPAA regulations, which triggered an investigation by the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). The investigation found widespread violations of the HIPAA Privacy and Security Rule. According to the OCR press release:
…Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops…
When you consider the legal fees and lost productivity during the four-year investigation and settlement process, in addition to the $3.9 million fine, it is clear that Feinstein would have been much better off if they had complied with the HIPAA Rules in the first place.
The North Memorial case is only slightly more complex. In this case, a laptop containing records for 9497 people was stolen from a contractor called Accretive. Again, the laptop was not encrypted, and the breach was reported in 2011. Although the breach was caused by a contractor, North Memorial was at fault under the Security and Privacy Rules, because they failed to obtain a Business Associate Agreement (BAA) with Accretive prior to allowing the contractor to access their hospital database and on-site patient records. Accretive was allowed to access data in March of 2011, the laptop was stolen in July, and a BAA was signed in October. The investigation also found that North Memorial failed to conduct an adequate risk analysis.
What lessons can you learn from these unfortunate cases? In summary: take all reasonable measures to prevent a breach, and thoroughly document the measures to defend yourself in case of a breach.
- Encrypt every drive that could potentially store PHI, especially on laptops. With modern computers and operating systems, encrypting drives is easy and painless, and there is really no excuse to use unencrypted storage. Even if you have policies in place that govern where PHI can be stored, employees will sometimes make mistakes or willfully ignore policies. Encrypting every drive is your last-ditch defense against disclosure of PHI from lost or stolen equipment. If data is encrypted as specified in the HIPAA Security Rule, the loss of that data is not reportable as a breach, because the encryption renders the data “unusable, unreadable, or indecipherable to unauthorized individuals.”
- Establish simple, clear policies and procedures that explain who is authorized to access PHI and where it is allowed to be stored. Train all employees on your policies and procedures, and document that each employee was trained.
- Keep inventory of all equipment that stores PHI. Establish a process for procurement and disposal of computers. Be very clear about who is responsible for each laptop, and what they are allowed to do with it. Are they allowed to take it home, or on a business trip? Train and document.
- Have a Business Associate Agreement (BAA) with any entity that has access to your organization’s PHI. Note that PHI is not just medical records: a patient’s name, address, and date of birth are sufficient to constitute PHI! Therefore, you need to have a BAA in place with vendors such as billing services. Although HHS provides a Sample BAA, you should find an attorney with HIPAA experience to help you draft a contract that is appropriate for your organization. Do not delay; a six-month delay in signing a BAA led to the $1.55 million settlement that was paid by North Memorial!
- Conduct and document a Risk Analysis for your organization.
At first, HIPAA compliance may seem complex and intimidating, but it’s not brain surgery. We’ve been through the process multiple times, and Rootwork can quickly develop a step-by-step plan for bringing your organization into compliance. Consider hiring Rootwork to help you.