A worker for Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) was given an iPhone with electronic Private Health Information (ePHI) of 412 nursing home patients. The iPhone was stolen.
Because the information on the iPhone was not protected, CHCS had to report the data breach and was then investigated. Because CHCS was not complying with several HIPAA rules, it was fined $650,000. It was also given a corrective plan which the government will monitor for two years to ensure compliance.
According to the California Department of Justice, more than half of the ePHI breaches are from devices being physically stolen from a practice’s office, car or home.
Burglers broke into a Rocklin, CA dentist’s office and stole everything that wasn’t bolted down, including his main unencrypted computer. To comply with the law, he notified his patients, the media, the State of California and the U.S. Government. While he waits for his two-year investigation, he is a quite stressed.
He thought his data was thoroughly encrypted by an earlier version of Dentrix Dental Practice software, but it was not.
Data breaches can happen with storage devices, as well. For example, a dermatology practice’s employee had a thumb drive with 2200 patients’ ePHI stored on it. The thumb drive was stolen from the employee’s locked car. It was not encrypted.
After two years of interaction with Health and Human Services, the practice reached an agreement with the agency, paid a $150,000 fine and agreed to comply with a corrective plan, just like CHCS.
Can any of your devices with ePHI be stolen? Of course!
However, even if a device is stolen, your patients’ ePHI is protected IF you encrypt it first.
You and your staff probably use passwords to open your office computers. However, getting around your passwords is pretty easy.
A good analogy would be if you print out all of your patients’ ePHI, put the papers in a box and lock it with a password lock. If a burgler steals the box, it’s easy for him to break open the box and read the ePHI.
Protecting your valuable data with just a Windows or Mac password is not very secure. Even a novice hacker knows several easy ways to get around your computer’s password system. For example, you can download tools from the internet that bypasses the computer’s password. A hacker can also just take out the hard drive and connect it to another computer. No password is needed to access the ePHI on your hard drive.
When you encrypt your data, it’s as if you take your ePHI pages, shred them and then put them into the box with a password lock. If someone breaks into the box, all they find are shredded, useless bits of paper.
However, when you use your password to open the lock, all the shredded bits of paper in the box go the reverse way through the shredder and are magically restored to their original condition.
Of course, if you forget your password, the data is gone forever. There is no special key, program or back door that anyone can use to unencrypt your data. That is the purpose of encryption.
The BIG Benefit of Encryption
If one of your devices with ePHI with 500 or more patients is lost or stolen, but is not encrypted, you need to go through the routine of notifying patients, the press and government agencies. You will be investigated and then wait for up to two years to learn how big your fine will be.
If, however, that same device is encryption protected, you are safe. By law, you do not even need to report the loss to anyone! There is no data breach.
Congress provided an important exception to the data breach reporting requirement by defining a breach to NOT include ePHI protected “with the use of a technology or methodology” that “renders protected health information unusable, unreadable, or indecipherable.” Namely, encryption.
Encrypting your ePHI is not required by HIPAA, but it’s a very good idea.
1. Ask your software company or your computer person about encrypting all of your computers, devices and backup records for you. Ensure the encryption system is HIPAA-level secure.
Each device may use a different system. For example, your office server may already have a Windows encryption system.
New PCs with Windows 10 have one built in while some of the earlier versions of Windows had a program called BitLocker. The Mac operating system includes a whole-disk encryption system. Your phone may also have an encryption system built into it.
If not, you can buy encryption systems online, such as EasyLock, Eset and Alertsec.
If you just want to encrypt your backup files, you can get a cloud system that automatically backs up your data, encrypts the copy and stores it in a secure facility.
You can also buy thumbdrives and external hard drives that encrypts everything you store on them.
2. The best solution is to move up to the cloud. Use an online practice management system.
They encrypt your patient’s PHI and keep it securely backed up, as well.
Once you move your patients’ ePHI to your online system, there is no reason for you or your staff to have any ePHI in your office or on your devices. You can securely access the ePHI from any device, wherever you are, whenever you like.
3. If your data cannot be encrypted because your hardware is too old, and you do not want to move up to the cloud, then make your computers and other devices extremely difficult to steal.
For example, put your unencrypted, pass-word protected server in a deadbolt locked closet and then bolt it to the floor. Store your unencrypted pass-word protected backup drives, disks or tapes in a safe deposit box or in a home safe that is bolted to the floor. Keep unencrypted ePHI off of laptops, tablets, phones, thumb drives and so on.
A HIPAA investigation is one of the most stressful, expensive and lengthy disasters you will ever face. Take action now to reduce this risk to its lowest level so you can focus on what you love to do.