The Veterans Administration had information on 4000 veterans exposed when a laptop belonging to a contractor was stolen.
That laptop, which held ePHI (electronic protected health information), was not encrypted.
The VA noted that the contract with this contractor did not include a requirement to encrypt data.
Recall that in 2006, information on over 26 million veterans was exposed when a laptop holding that data was taken home without permission and then stolen from the employee's home.
Two things stand out here: a lack of encryption, and a lack of an agreement that requires encryption.
When we talk with clients about taking ePHI out of their office, our first response is: don't do it.
Now and again, an office comes up with a reason why they must take ePHI out of the office.
Example: a physician whose sole practice is house calls takes his laptop along on his visits. When back at the office, he syncs that laptop with the EHR server. This is reasonable, BUT that laptop must be encrypted.
Quick definitions: in the encryption world, data stored on a device such as a laptop is called data "at rest". Data being transmitted, say over the internet, is called data "in transit". Full-disk encryption covers only data at rest; when the house-call physician syncs his laptop to the EHR server, that ePHI is in transit, so the connection itself (a VPN or TLS) must be encrypted as well.
So, we have two problems:
- A contractor agreement that is not specific enough. Make sure you have a strong business associate agreement (BAA) that spells out the requirement to encrypt ePHI; see our sample agreement.
- Lack of encryption. If ePHI must leave the office, it must be encrypted. Our answer is to encrypt the entire laptop or the entire external storage device (see our encryption solution). Two caveats: full-disk encryption protects the data only while the device is powered off or locked, so a laptop stolen while someone is logged in is still exposed; and the recovery key must be kept somewhere other than on the laptop, or a forgotten passphrase turns your encryption into your own data loss.
- Bonus problem: employees working from home. If you have employees who log into your office network from home, make sure they are trained on how their home computer and network should be configured, and on the pitfalls they, and YOU, need to watch for. Our HIPAA Home Office training is specifically for this situation.
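As an added example (not part of the original post, and not the encryption solution the post links to), here is a preflight check a practitioner could put in front of whatever script copies or syncs ePHI onto a laptop: it refuses to run the sync unless the disk behind the target directory reports as encrypted. It assumes a Linux laptop with util-linux (lsblk, findmnt) or a Mac with fdesetup; the function names and the sample lsblk lines in the comments are my own.

```shell
#!/bin/sh
# Added example: a preflight check that refuses to put ePHI on a laptop
# whose disk is not full-disk encrypted. Not from the original post.
# Assumptions: Linux with util-linux (lsblk, findmnt), or macOS with
# fdesetup. All function names are hypothetical.

# Read "NAME TYPE FSTYPE" lines (as printed by `lsblk -rno NAME,TYPE,FSTYPE`)
# on stdin. Succeed if any device in the list is a LUKS container or a
# dm-crypt mapping (TYPE "crypt"). FSTYPE is put last because it is the
# only column that can be empty; an empty middle column would shift awk's
# fields. Constructed sample input that passes:
#   cryptroot crypt ext4
#   sda2 part crypto_LUKS
#   sda disk
lsblk_has_luks() {
    awk '$3 == "crypto_LUKS" || $2 == "crypt" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Read the output of `fdesetup status` on stdin; succeed only on
# "FileVault is On."
filevault_is_on() {
    grep -q '^FileVault is On'
}

# Check the live machine for the disk backing $1 (default "/").
# Returns 0 if encrypted, 1 if not, 2 if it could not be verified
# (unknown platform or missing tool). Callers must treat 2 as "not encrypted".
require_encrypted_disk() {
    target="${1:-/}"
    case "$(uname -s)" in
        Linux)
            command -v lsblk >/dev/null 2>&1 || return 2
            command -v findmnt >/dev/null 2>&1 || return 2
            dev="$(findmnt -no SOURCE "$target")" || return 2
            # -s walks from the mounted device back to the physical disk,
            # so a LUKS container anywhere underneath the mount is found,
            # while an unrelated encrypted USB stick is not.
            lsblk -srno NAME,TYPE,FSTYPE "$dev" | lsblk_has_luks
            ;;
        Darwin)
            command -v fdesetup >/dev/null 2>&1 || return 2
            fdesetup status | filevault_is_on
            ;;
        *)
            return 2
            ;;
    esac
}

# Gate the sync on the check. Usage (the paths are placeholders):
#   sync_ephi /home/doc/ephi rsync -a ehr-server:/export/ /home/doc/ephi/
sync_ephi() {
    dest="$1"
    shift
    if require_encrypted_disk "$dest"; then
        "$@"
    else
        echo "refusing to sync ePHI to $dest: disk encryption not verified" >&2
        return 1
    fi
}
```

The two parsing functions read from stdin so they can be exercised with constructed lsblk and fdesetup output; only require_encrypted_disk touches the live machine. Note what the check does not cover: it confirms the disk is encrypted at rest, not that the sync command itself travels over an encrypted connection, and it says nothing about a laptop that is stolen while unlocked.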
Do not become a statistic: make sure you are making every effort to follow all the requirements of HIPAA.