If your practice has a security breach, there will be a financial hit with fines and the cost of providing credit watch services for your patients.
Additionally, I’ve long told physicians to be aware of the public relations hit a practice will take with a loss of patient data.
Here’s another perfect example of what you don’t want to see for your practice and why you need to get your “HIPAA House” in order.
ABERDEEN, Wash., Jan. 21, 2011 /PRNewswire/ — Grays Harbor Pediatrics discovered on November 23, 2010 that a computer backup device was stolen from a Grays Harbor Pediatric employee. The backup device was used for storing copies of paper records. Grays Harbor Pediatrics has notified all patients and patient billing guarantors.
An investigation of the data has revealed that information stored on the backup device may have included personal information ranging from Social Security numbers, insurance details, driver’s license information, medical history forms, immunization records, previous doctor records, and patients’ medical records which were scanned and maintained in a paper format. Banking information was not stored on this digital device and therefore not breached…
So…what simple step did they screw up?
Let’s look at that first sentence again:
“…a computer backup device was stolen from a Grays Harbor Pediatric employee.”
This tells me their process of backing up their servers consisted of:
- Run a backup and save to external storage device (external hard drive or thumb drive)
- Have an employee take the storage device home (this “counts” as an off-site backup in their mind)
- Do not encrypt data on external storage device.
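The missing step is the third one: nothing should be written to a drive that leaves the building unless it is encrypted first, with the passphrase or key kept somewhere other than the drive. Here is an added example of that step, not code from the original post or from the practice in the story. It is a small Go program that seals a backup archive with AES-256-GCM under a key derived from a passphrase (a minimal PBKDF2-HMAC-SHA256 is included so it needs only the standard library; the iteration count, the sample archive text and the function names are my own assumptions). A drive that holds only this blob, with the passphrase stored elsewhere, does not give a thief the scanned records, and a wrong passphrase or a damaged drive is detected rather than producing garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16      // random salt stored in the blob header
	nonceLen = 12      // AES-GCM standard nonce size
	keyLen   = 32      // AES-256 key
	kdfIters = 100_000 // PBKDF2 iteration count (assumed; tune for the backup host)
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018), written out here
// so the example needs nothing outside the Go standard library.
func pbkdf2SHA256(passphrase, salt []byte, iters, outLen int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, passphrase)
	for block := uint32(1); len(out) < outLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)           // U1 = PRF(P, S || INT(block))
		t := append([]byte{}, u...) // T starts as U1
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T = U1 xor U2 xor ... xor U_iters
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

// SealBackup turns a backup archive into a blob that is safe to copy onto a
// removable drive: salt || nonce || AES-256-GCM ciphertext+tag. The header is
// bound as additional authenticated data so it cannot be swapped unnoticed.
func SealBackup(passphrase string, archive []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIters, keyLen))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte{}, header...), nonce, archive, header), nil
}

// OpenBackup reverses SealBackup. A wrong passphrase or any change to the blob
// fails the GCM tag check, so a corrupted drive never yields plausible records.
func OpenBackup(passphrase string, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("sealed backup too short")
	}
	header := sealed[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, kdfIters, keyLen))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, nonce, sealed[len(header):], header)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered backup")
	}
	return plain, nil
}

func main() {
	// Constructed stand-in for a scanned-record archive; not real patient data.
	archive := []byte("PATIENT-0001,immunization record,scan.pdf")
	pass := "example-passphrase-kept-off-the-drive" // assumed; never stored with the blob
	sealed, err := SealBackup(pass, archive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes -> %d bytes; the drive holds ciphertext only\n", len(archive), len(sealed))
	back, err := OpenBackup(pass, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, archive))
	_, err = OpenBackup("wrong-passphrase", sealed)
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

The design point is that the thing leaving the office carries no usable data: the key is derived from a passphrase that stays with the practice, the salt and nonce are fresh for every backup, and GCM's tag turns a wrong passphrase or a damaged drive into a clean error instead of a partial record. The same idea applies whether the archive is a tarball, a database dump or a folder of scans.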
We see this situation over and over again.
To save a few bucks, somebody decides to buy a $50 external hard drive, run a backup…
Then you have an employee take that hard drive home.
The employee doesn’t think much of it as they are just “doing what they are told.”
Then, their car is broken into, or their home is robbed…that hard drive is now gone.
Not only is that employee screwed…your practice is screwed.
Your employees should be made aware that they can also be fined under the HIPAA regulations.
Backing up data this way is not only a bad business idea, but it violates HIPAA regulations.
You need to know this. Your employees need to know this.
Any employee who has had their annual HIPAA awareness training would know this process is wrong…and they should not be put in the position of taking this data home.
Don’t let being a cheapskate ruin your practice.
Don’t let ignorance of HIPAA regulations ruin your practice.
Don’t bring this nightmare upon yourself.