A password-protected laptop is not an encrypted laptop. The login password only gates the operating system; anyone who pulls the drive or boots the machine from other media can read an unencrypted disk directly, password or not. Under HIPAA, PHI that is encrypted in line with HHS guidance counts as secured, so losing an encrypted device is not a reportable breach, while losing a merely password-protected one is. You must encrypt any and all mobile devices, especially the ones used in the field.
Case in point: Medical device company DJO Global recently notified some of its patients about a breach relating to a stolen laptop, reported attorney Linn Foster Freedman in a Jan. 30 blog posting for the law firm Nixon Peabody LLP. A thief stole the laptop from a DJO consultant’s locked car outside a coffee shop in Roseville, Minn., smashing the car window and taking the consultant’s backpack containing the laptop.
Although the laptop was password-protected, it was not encrypted and contained protected health information (PHI), according to a DJO statement. The laptop contained some patient names, phone numbers, diagnosis codes, DJO products received, surgery dates, health insurer names, clinic names, doctor names, and more.
No credit card information was on the laptop, but a few patients’ Social Security numbers were stored, DJO said. The company says that immediately after the theft it worked with a data privacy firm to delete all personal information stored on the laptop, which carried logical access control and tracking/remote management software. That measure has a hard limit: a remote wipe runs only after the stolen machine powers up and reaches the network, and a thief who removes the drive or boots from other media reads an unencrypted disk without ever triggering it.
“This is another important warning to medical device manufacturers and contractors to implement encryption technology on any laptops that are used in the field,” Freedman warned.
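The practical check that follows from this section is whether a field laptop's data-bearing filesystems actually sit on an encryption layer, not merely behind a login password. The script below is an added example for this article, not code from DJO, Nixon Peabody, or the original page. It parses the JSON output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on a Linux laptop and walks up the block-device tree from each sensitive mountpoint looking for a dm-crypt layer (type `crypt`) or a LUKS container (fstype `crypto_LUKS`). The assumption is a util-linux `lsblk` with JSON support and LUKS/dm-crypt as the encryption mechanism; the sample device tree embedded in the block is constructed so it runs offline.

```python
"""Audit whether a Linux laptop's data-bearing filesystems sit on encrypted block devices.

Added example (not code from the article or from DJO). It parses the output of
`lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and, for each mountpoint of interest,
walks the device chain from the physical disk down to the filesystem looking for
a dm-crypt layer (type "crypt") or a LUKS container (fstype "crypto_LUKS").
A login password leaves none of these layers in place; full-disk encryption does.
Assumes util-linux lsblk with JSON support (an assumption, not verified here).
"""
import json
import subprocess
import sys

# Mountpoints that typically hold patient data on a field laptop (assumption).
SENSITIVE_MOUNTPOINTS = ("/", "/home")


def _walk(node, ancestors, found):
    """Depth-first walk of the lsblk tree, recording each mounted node with its ancestor chain."""
    chain = ancestors + [node]
    if node.get("mountpoint"):
        found[node["mountpoint"]] = chain
    for child in node.get("children", []) or []:
        _walk(child, chain, found)


def _is_encrypted_chain(chain):
    """True if any device between the physical disk and the filesystem is a dm-crypt/LUKS layer."""
    return any(
        dev.get("type") == "crypt" or dev.get("fstype") == "crypto_LUKS"
        for dev in chain
    )


def encryption_status(lsblk_json, mountpoints=SENSITIVE_MOUNTPOINTS):
    """Map each requested mountpoint to True (encrypted), False (plaintext) or None (not mounted)."""
    tree = json.loads(lsblk_json) if isinstance(lsblk_json, str) else lsblk_json
    mounted = {}
    for disk in tree.get("blockdevices", []):
        _walk(disk, [], mounted)
    return {
        mp: (_is_encrypted_chain(mounted[mp]) if mp in mounted else None)
        for mp in mountpoints
    }


def unencrypted_mountpoints(lsblk_json, mountpoints=SENSITIVE_MOUNTPOINTS):
    """Mountpoints that are mounted but have no encryption layer beneath them."""
    return [mp for mp, ok in encryption_status(lsblk_json, mountpoints).items() if ok is False]


# Constructed sample device tree: LVM on LUKS carrying "/", but a plain ext4 /home
# partition, which is exactly the kind of gap a password-only setup leaves open.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
             "children": [
                 {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None,
                  "children": [
                      {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"}]}]},
            {"name": "nvme0n1p3", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
        ]},
    ]
})


def main():
    # Live mode queries the running system; if lsblk is unavailable, fall back to the sample.
    try:
        out = subprocess.check_output(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"], text=True)
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_LSBLK
    for mp, ok in encryption_status(out).items():
        state = {True: "encrypted", False: "PLAINTEXT", None: "not mounted"}[ok]
        print(f"{mp:6} {state}")
    # Non-zero exit lets a fleet inventory job flag the machine.
    return 1 if unencrypted_mountpoints(out) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run on the constructed sample it reports `/` as encrypted and `/home` as PLAINTEXT, which is the configuration to catch before a laptop leaves the building. The check only confirms that an encryption layer exists; it says nothing about passphrase strength or whether the volume auto-unlocks at boot without user input, both of which still need review.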
State Laws Will Get You For Improper PHI Disposal, Too
If you hire a company to dispose of your patient records for you, you’d better know for certain that the company will do it the right way — otherwise, you’ll be liable for the breach.
On Jan. 5, the Indiana Attorney General (AG) entered into a consent judgment with dentist Joseph Beck in a Marion County court to address allegations of improper disposal of patient records. The consent judgment stems from an AG complaint for violating HIPAA and the Indiana Disclosure of Security Breach Act, according to a Jan. 12 analysis by Stacy Cook, an attorney with Barnes & Thornburg LLP.
According to the AG’s complaint, Beck hired a private company to dispose of his patient records, and less than one week later 63 boxes of patient records were discovered in a dumpster at a church in Indianapolis. The patient records contained patient names, health information, Social Security numbers, insurance information, birth dates, and state identification numbers.
Under the terms of the consent judgment, Beck must pay a $12,000 fine.
The AG announced that this was the first time Indiana has sued for a HIPAA violation. “This recent settlement serves as a reminder that Indiana, like most states, has its own security breach laws that apply to personal information, which includes, but is not limited to, protected health information,” Cook noted.