Tip: Even remote management isn’t enough to prevent a HIPAA violation.
Password-protecting a laptop is not enough to avert a HIPAA breach. You must encrypt any and all mobile devices, especially if you use them in the field.
Case in point: Medical device company DJO Global recently notified some of its patients about a breach relating to a stolen laptop, reports attorney Linn Foster Freedman in a blog post for the law firm Nixon Peabody. A thief stole the laptop from a DJO consultant’s locked car outside a coffee shop in Roseville, Minn., smashing the car window and taking the consultant’s backpack containing the laptop.
Although the laptop was password-protected, it was not encrypted and contained protected health information (PHI), according to a DJO statement. The laptop contained some patient names, phone numbers, diagnosis codes, DJO products received, surgery dates, health insurer names, clinic names, doctor names, and more.
No credit card information was on the laptop, but a few patients’ Social Security numbers were stored, DJO said. The company claims that, immediately after the theft, it worked with a data privacy firm to delete all personal information stored on the laptop. The laptop had logical access control and tracking/remote management software installed.
“This is another important warning to medical device manufacturers and contractors to implement encryption technology on any laptops that are used in the field,” Freedman warns.