Adult & Pediatric Dermatology, P.C. of Concord, Mass. must pay a $150,000 HIPAA penalty after losing 2,200 patient records. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, the HIPAA penalty occurred when an unencrypted thumb drive was stolen from an employee’s vehicle. In addition, the medical practice failed to identify the thumb drive in a HIPAA risk analysis.
Do you have a proper risk management process in place? Do you secure electronic protected health information (ePHI) stored on various devices? As a healthcare professional, it’s critical to identify and mitigate risks before a HIPAA breach occurs.
The Take-Home Message:
1. You shouldn’t store electronic protected health information (ePHI) on unencrypted devices, including thumb drives.
2. You must identify thumb drives and other devices containing ePHI during a HIPAA and Meaningful Use Risk Analysis.
Where Is Your ePHI?
Many healthcare organizations believe their protected information is only contained in their electronic health records (EHR). However, any file containing diagnostic or treatment information must be protected. The following are few examples of places where ePHI can be found:
Protected information can be stored on any device, including hard drives inside copiers. If you’re storing protected patient data on portable devices, make sure those devices are encrypted to avoid a HIPAA penalty in the unfortunate event that it is lost or stolen.
Tips To Prevent a HIPAA Breach
A HIPAA breach can lead to hefty fines, lost customer confidence, and reputational damage. You can protect your healthcare organization by doing the following:
1. Don’t Export Data From Your EHR System
If you need to access protected data outside the office, use remote access tools to securely access the information without transferring data to a remote or portable device.
2. Protect Your Computers and Network
Create a policy to prevent unauthorized users from exporting data from your EHR system. Also, make sure your network and portable devices are professionally managed to protect confidential data.
3. Encrypt Your Devices
Devices should be encrypted to protect patient data stored on them, including both stationary and portable devices.
4. Hire a Professional To Conduct a HIPAA Risk Analysis
A certified compliance expert can identify problems and solutions that would otherwise go unnoticed. It’s much less expensive to hire a professional than to face a HIPAA breach.
To learn more about HIPAA compliance and how to secure your devices, give us a call at (713) 490-5000 or send us an email at firstname.lastname@example.org. CITOC can help you keep your patients’ information confidential.