Was it made of gold? Encrusted in diamonds? No. Read on to learn how one laptop ended up being worth a massive one million dollars.
The U.S. Department of Health and Human Services (HHS) recently closed an investigation into Lifespan Health System Affiliated Covered Entity for a stolen laptop incident reported back in 2017. That laptop contained…ready for this? …20,431 individual patient records that all contained protected health information (PHI). And it wasn’t encrypted. HAD it been encrypted, this would not have constituted a breach, and while problems would have resulted from the theft, one of them wouldn’t have been a million-dollar fine.
It doesn’t always end with a fine when you’re in violation of HIPAA. All recommended policies and procedures will still need to be implemented, but as in this example, HHS put additional requirements in place. Those include the corrective action plan and two years of monitoring by the HHS Office for Civil Rights (OCR).
Lifespan had a variety of exposed non-compliance issues within their system that were discovered by the OCR investigation, including a lack of encryption on devices. Additionally, business associate agreements were not in place with their related entities.
Encrypt, Encrypt, Encrypt
The OCR has acknowledged that theft occurs daily with devices including laptops, cellphones, and mobile phones. But encryption can reduce the damage done in these cases and lessen the impact to the company and their patients.
Healthcare companies must look at their own business with a whole health perspective. The entire life cycle has to be protected. This includes a solid HIPAA compliance plan that addresses hardware and software from purchase to theft, or loss of use for other reasons. With remote work now a normal part of the business landscape, the risk of “end of life” being out of control of an IT department is to be expected. Employees must know how to handle these situations of disposing of equipment properly, which should be outlined in your policies and procedures.