Channel: Claris Networks - IT Support Company | Knoxville Chattanooga | Information Technology Services | Consulting | Cloud Computing | Hosting | EMR Solutions

Penny’s Gamble: A Practice Administrator’s Game of HIPAA Roulette


This is the fictional, but all-too-likely story of how Penny the Practice Administrator learned a single laptop would cost her $1.5 Million, and what she could have done to prevent it.

Penny’s restful Sunday

After a long week at the helm of a busy healthcare practice, Penny the Practice Manager spent a relaxing weekend taking photos in the mountains. She loves having the time to relax and recharge, as the past few years have been particularly stressful for her. She’s recently led her practice through an EHR adoption in order to take advantage of Meaningful Use (MU) funds and the substantial shift in the delivery of healthcare. It’s a good thing she rested over the weekend, because what she finds as she enters the office on Monday will require all her focus.

Penny’s chaotic Monday

Before she can open her email and have her first cup of coffee, she gets a call from Cathy, a member of the practice’s billing team.  Cathy is frantic as she explains to Penny that she got behind in her work late last week and decided to take her company laptop (with patient data) home over the weekend to catch up.  Unfortunately, when she stopped to get groceries on the way home Friday night her car was burglarized and several items, including the practice’s laptop, were stolen. Mondays are usually hectic for Penny, but this one just got much more complicated.

Fortunately, Penny’s been preparing her team’s annual HIPAA training, so she immediately thinks to visit the Department of Health and Human Services (HHS) website. There she stumbles across the “Breach Notification Rule.”  Her jaw drops and she feels a knot in her stomach as she realizes she very likely has a Breach to address.

The hard truth

Penny learns that according to HHS’ Office of Civil Rights (OCR), a Breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

She sighs. “There was patient data on that laptop, so it must be a breach,” she thinks to herself. To be sure, she keeps reading:

“An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.”

Penny realizes that the data on Cathy’s laptop was very easily identifiable, and, since there is no way to know who stole her computer, Penny faces the hard truth.

“Yes,” Penny says, shaking her head, “this is a Breach. But what do I do now?”

What happens next

Quickly, she finds the Breach Notification Requirements and reads that she must notify several parties involved in the Breach:

  1. The individuals whose Protected Health Info was compromised
  2. The local media, since the data loss likely included over 500 patient records
  3. The Secretary of HHS (Over 500 records)

In addition, her practice will be listed on the OCR’s “Wall of Shame.” All because of a single stolen laptop.

Penny also learns that in addition to the notification requirements, the costs of notifying patients, and the damage to the practice’s reputation, her practice is also open to several different civil penalties, in some cases up to $1.5 Million.

“Not good, not good at all,” she thinks. She wonders if there is anything she could have done, or could do in the future, to prevent this from happening in the first place. “Laptops get stolen or lost all the time in this country. Isn’t there a way to prevent this from happening in the first place?”

An ounce of Encryption…

After some investigation, she finds reference to something called “Encryption Safe Harbor.”  It turns out that if Cathy’s laptop had been encrypted Penny could have claimed that the data on it was “inaccessible to impermissible use or disclosure.” In short, if Cathy’s stolen laptop had been encrypted, this wouldn’t have been a Breach. Penny remembers her IT company recommending she encrypt the practice’s computers a few months back, but she thought it was an unnecessary expense and highly unlikely that her practice would ever need it.

“Wow,” she says, regretting the gamble she made. “Encryption could have saved me and my practice from all of this.”

…Is worth a pound of cure.

Encryption is a simple tool that can save you and your practice tremendous time, energy, and money before a breach even happens.

Please don’t find yourself in the same position as Penny…ask about Encryption today.


The post Penny’s Gamble: A Practice Administrator’s Game of HIPAA Roulette appeared first on Claris Networks - IT Support Company | Knoxville Chattanooga | Information Technology Services | Consulting | Cloud Computing | Hosting | EMR Solutions.

