The one thing you can say is that there is no "3 strikes and you are out" rule when it comes to HIPAA breaches. Stanford Hospital in Palo Alto, Calif. recently suffered its 5th HIPAA breach since 2009.
The most recent breach involved a stolen, unencrypted laptop that contained 13,000 patient records. What makes this even more interesting is that 3 of the 4 previous breaches were also caused by stolen, unencrypted laptops.
Stanford clearly saw the need for encryption and put a program in place to implement laptop encryption.
Following Stanford’s most recent HIPAA breach in January, hospital officials said they were “redoubling efforts to ensure that all computers and devices containing medical information are encrypted.”
Failure to destroy PHI
The most recent laptop was not encrypted because its screen was broken.
“It is important to reiterate that in the recently reported breach at Packard Children’s Hospital, the stolen device was an older, non-functioning laptop with a seriously damaged screen,” he explained in an emailed statement to Healthcare IT News. “The employee had already begun using a newer, non-damaged laptop that was encrypted.” Diane Meyer is the chief compliance and privacy officer at Stanford Hospital & Clinics and Lucile Packard, and Ed Kopetsky was hired in 2009 as the hospital’s chief information officer.
The need for a data destruction policy
Stanford is the model case for implementing a data destruction policy that ensures that PHI on any device that is no longer in use is properly destroyed. In this case the laptop's hard drive should have been removed and either physically destroyed or placed in another computer so that proper data destruction programs could be run against it.
It is worth noting that desktops, servers, smartphones, tablets, USB drives, DVD drives and copier machines can all contain PHI. It is critical to ensure that any PHI is destroyed before a device is disposed of, recycled, resold, donated or returned to a vendor at the end of a lease.

Organizations need to perform a Risk Assessment to determine the likelihood of each risk and what additional security measures should be put in place to protect patient information.