You’ve taken every step to secure protected health information at your agency, but have you done the same at home? A Connecticut hospital learned this lesson the hard way after a home robbery led to the possible exposure of 8,000 patients’ PHI.
The case: A Connecticut hospital hired a subcontractor to work on its computer systems, and one of the subcontractor’s employees left at home a laptop containing the unencrypted PHI of 8,000 people. When the home was robbed, the laptop disappeared. Although the hospital reports that none of the PHI has been used inappropriately, the hospital and subcontractor will pay a combined $90,000 penalty. Both entities must also put privacy practices into place going forward.
The takeaway: Ensure that all PHI is encrypted, whether it’s on your agency-owned devices, those used by contractors, or even employees’ personal devices if they are taking PHI home with them at night. It’s too risky to simply hope that your devices don’t fall into the wrong hands.