logo_fullcolour

Lost Electronic Devices Could Lead to Serious Fines

Does your company store any protected health information on electronic devices?
 
If yes, you should know that if any of these devices are lost or stolen you could incur significant fines from the Department of Health and Human Services (“HHS”).
 
This past month a private physician practice agreed to pay $750,000 as part of a settlement with HHS over a stolen laptop.  In August 2012, the physician practice informed HHS that it had a company laptop stolen from an employee’s car.  The laptop contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 of the practice's past and present patients. 
 
After being notified, HHS conducted an investigation into the practice’s Health Insurance Portability and Accountability Act (“HIPAA”) compliance.  The federal agency found that the practice had failed to conduct a risk assessment regarding threats to the confidentiality of electronic protected health information.  HHS also found that the practice did not adopt policies and procedures regarding the receipt and removal of the company’s electronic devices.
 
In addition to the $750,000 fine, the physician practice had to incur costs for the following compliance measures:
•    Conducting a HIPAA risk assessment;
•    Developing and implementing a risk management plan;
•    Reviewing and revising its compliance with the HIPAA Security Rule; and,
•    Reviewing and updating its HIPAA Security Rule training program.
 
Your business should conduct a thorough review of its practices to determine whether you have any protected health information stored on electronic devices and, if so, how you can protect that information.  Taking preventative measures now may help protect against a device being lost or stolen.  It may also minimize any potential fines in the event that a device is lost or stolen.
 
If you have questions about securing protected health information on electronic devices or about electronic data and devices, in general, contact our office at 814-870-7600 or complete this form on our website.