Most practices assume they have HIPAA covered, but when an actual incident occurs, they find out too late that staff are not prepared, or the practice is missing important compliance documentation.
Any device used in a practice or clinic may contain protected health information (PHI), including laptops, smartphones, tablets, USB (thumb) drives, computers, and servers. Even if the only work-related activity is accessing your email, you may have PHI on your phone right now. Lost and stolen devices are the No. 1 reason for patient data breaches of more than 500 records.
What happens if you can't document your compliance?
If the device contained PHI, and you cannot document that the device was encrypted, you will need to follow the requirements of the HIPAA Breach Notification Rule. Depending on the situation, you can face significant costs and an U.S. Office for Civil Rights HIPAA investigation.
- Since 2010, federal HIPAA fines have ranged from $50,000 to more than $1.9 million for lost and stolen devices.
- 2015 breach costs have risen to $398 per patient record, mostly due to loss of business when patients switch physicians after a breach (2015 Ponemon Study).
- Cyber liability insurance policy claims may be denied due to negligence if the policy requires devices be encrypted.
So what do you do if someone in your office loses a laptop or other device?
- Conduct a risk assessment.
You should have an incident response plan that is specific to a lost or stolen device. Your HIPAA security officer should know how to execute the plan to investigate and respond appropriately to the incident. In almost all situations, there are only two reasons a lost device may not have to be reported as a breach under the HIPAA Breach Notification Rule: (1) no PHI was on the device, or (2) the PHI is unusable - encrypted with FIPS 140-2 encryption (a U.S. government security standard). In both cases, you must have documentation to support your determination, since you no longer have possession of the device.
- Gather compliance documentation.
You will need documentation to support the final determination of your risk assessment, whether or not you determine that a breach has occurred. This may include:
- Lost or stolen devices identified as a threat on your most recent risk analysis;
- Use of FIPS 140-2 (HIPAA-compliant) encryption is identified in your compliance plan as a safeguard;
- Policy to encrypt the device using FIPS 140-2 encryption or policy that the device will not store PHI;
- Up-to-date asset inventory that lists the device that was lost or stolen;
- Documentation that the policy was implemented - date the device was encrypted and type of encryption used or verification that PHI is not stored on the device;
- Documentation that your encryption policy is followed after implementation, including documentation that the encryption has been verified recently; and
- If the device should not have PHI stored on it, documentation that the device had been checked for PHI recently, such as within the last 30 days.
Don't wait until you have an incident. Visit the TMA HIPAA Resource Center to find out more about HIPAA security.
TMA Practice E-Tips main page
Last Updated On
May 30, 2019
Originally Published On
August 25, 2015