In our previous posts, we covered fines for HIPAA Privacy Act violations involving stolen laptops and stolen thumb drives. In most cases, the laptops and thumb drives were stolen from a car, and in all cases the disk drives were not encrypted. To avoid costly HIPAA Privacy Act fines for stolen computers and thumb drives, you might think that enforcing a policy to encrypt all computer equipment leaving the office would suffice. But if we look into HIPAA breach investigations by the US Department of Health and Human Services, we see this is not the case.
As we'll cover in this post, even a computer that never leaves your office can still be subject to a costly fine due to a HIPAA Privacy Act violation.
In April, the U.S. Department of Health and Human Services announced it had reached a $1.7M settlement with a covered entity for the theft of an unencrypted laptop from one of its facilities in Missouri. Although it was not determined how many patients were affected, the guidance is clear: HIPAA privacy requirements for data protection and encryption extend to all computers that contain ePHI, regardless of whether they ever leave the office.
Last August, personal information for more than 4,000,000 patients was compromised after four computers were stolen during a burglary of a covered entity in Chicago. While the desktop computers were password protected, they were not encrypted. Shortly afterwards, the incident was reported to the Office of Civil Rights. An investigation is currently underway.
Last October, two laptops were stolen from the administration building of a covered entity near Los Angeles. The building was gated, patrolled by security and had video surveillance. Nevertheless, thieves still managed to make off with the laptops. Despite the heavy building security, because the hard drives were unencrypted, the theft constitutes a HIPAA privacy breach. In total, 729,000 patients had their protected health information exposed by this theft, and an investigation is still ongoing.