A laptop computer containing patient records is missing from a Louisiana hospital. The laptop held PHI (protected health information) for 17,130 patients, gathered for a study from 2000 to 2008. A search began as soon as the hospital learned that the device had disappeared, and police are still investigating. The laptop has not been recovered to date.
“Because of the incident, hospital officials said they are taking aggressive steps to examine new ways to further secure data and prevent similar occurrences. The plan includes additional education, greater physical and encryption controls and an organization-wide personal device inventory.”
What does this mean for me?
“This means, for example, that if a hacker were able to gain access to a physician practice’s computer system that contained patient information, the physician practice would have to inform all patients and the Department of Health and Human Services (HHS) of the breach. In some cases, the physician practice would also need to notify the media.” As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
“The one and only exception to this new requirement is encryption technology: If the electronic PHI (or ePHI) is stored and transmitted in encrypted form, then you do not need to notify patients, even if there is a security breach.”