The Billings Gazette reports that OrthoMontana has recently had a laptop stolen.
Be sure to read that article. If you ever have a breach, you want to be able to answer to the press as OrthoMontana did.
The only reason they were able to answer this way is that they are on top of their HIPAA compliance.
The CEO of OrthoMontana stated that the practice follows HIPAA and takes it seriously, and that the stolen laptop conformed to its policies:
“The laptop was heavily encrypted — two sets of user names and passwords plus a ‘biometric finger scan’ was required to access its files, he said.”
One must applaud them for apparently doing things right.
The only point I’d make about the above quote is this: encryption and password protection are two different animals.
A password-protected file, or a hard drive guarded only by an operating-system login password, can be bypassed in under 5 minutes: pull the drive, attach it to another machine (or boot from a USB stick), and the files are readable as-is. The login prompt lives in the operating system, not on the disk.
A properly encrypted hard drive (full-disk encryption with a strong passphrase) is essentially useless to a thief without the encryption passphrase, because every sector on the disk is ciphertext no matter what machine it is attached to.
Hence, an encrypted hard drive provides safe passage, with one caveat: the protection is for data at rest. A laptop stolen while powered on and logged in, or sleeping with the key still in memory, is not protected by the encryption, so enforce shutdown or hibernation and a short screen-lock timeout.
A quick look at the definition of a breach:
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
With an encrypted hard drive, all data on it is unreadable without the key, so there is no disclosure of information, provided the decryption key (or the passphrase that unlocks it) was not stolen along with the device. That is the condition under which HHS treats encrypted PHI as secured rather than unsecured.
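The distinction drawn above, as an added example that is not part of the original post or OrthoMontana’s setup: the thief never sees the login prompt, they image the raw disk and carve it for PHI patterns, and only ciphertext defeats that. The two “disk images” are constructed byte strings, the patient record is made up, and the cipher is a hashlib-only counter-mode stand-in (PBKDF2 key, HMAC-SHA256 keystream) so the script runs offline; real full-disk encryption (LUKS, BitLocker, FileVault) uses AES-XTS and is what you should actually deploy.

```python
# Added example (not from the original post): why an OS login password is not
# encryption. Assumptions: constructed disk images, a made-up PHI record, and a
# toy stdlib-only stream cipher standing in for real FDE (AES-XTS). The toy
# cipher has no integrity check and exists only so the demo runs offline.
import hashlib
import hmac
import os
import re

# Constructed PHI record, laid out the way a raw-disk carve would see it.
PHI_RECORD = (
    b"PATIENT: Jane Q. Sample\nDOB: 1970-01-01\nSSN: 123-45-6789\n"
    b"DX: hypertension\n"
)

# Pattern a forensic carving tool would use to pull SSNs out of raw sectors.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def password_protected_image(record: bytes) -> bytes:
    """Simulate a laptop with only an OS login password: the prompt lives in
    the OS, and the data on disk is stored exactly as written."""
    filler = b"\x00" * 512
    return filler + b"NTFS free space..." + record + filler


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: a deliberately slow KDF so the passphrase cannot be
    brute-forced quickly from the salt stored on the disk."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-XTS)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext. Salt and nonce are public; only the
    passphrase is secret."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(passphrase, salt)
    ks = _keystream(key, nonce, len(plaintext))
    return salt + nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Inverse of encrypt(); a wrong passphrase yields garbage, not an error."""
    salt, nonce, ct = blob[:16], blob[16:32], blob[32:]
    key = derive_key(passphrase, salt)
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def encrypted_image(record: bytes, passphrase: str) -> bytes:
    """Simulate full-disk encryption: every byte that reaches the platter is
    ciphertext, regardless of which machine later reads the drive."""
    return encrypt(passphrase, password_protected_image(record))


def carve_ssns(image: bytes) -> list:
    """What the thief does: ignore the OS entirely and scan the raw bytes."""
    return SSN_RE.findall(image)


if __name__ == "__main__":
    print("login password only:", carve_ssns(password_protected_image(PHI_RECORD)))
    enc = encrypted_image(PHI_RECORD, "correct horse battery staple")
    print("encrypted disk:     ", carve_ssns(enc))
    print("wrong passphrase recovers record:", PHI_RECORD in decrypt("guess", enc))
    print("right passphrase recovers record:",
          PHI_RECORD in decrypt("correct horse battery staple", enc))
```

The first carve returns the SSN from the “password protected” image without ever touching a login screen; the second returns nothing, and only the correct passphrase turns the image back into the record. That is the whole argument for encryption as a breach safe harbor: what was disclosed is ciphertext, and the passphrase stayed with the practice.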
Of course, as a paranoid HIPAA guy, I constantly preach NOT to have PHI on any portable device.
Quite simply, it avoids putting yourself in the position of having to defend your practice at all.
Get your practice in order as it pertains to HIPAA and your life will be much easier.