Most of the time when I read a story about a stolen laptop, it boils down to a single point: hey genius, if you had encrypted your laptop this wouldn't be an issue.
The latest story I’ve come across pulls pieces in from multiple issues that a medical practice needs to consider. Though the incident revolves around a hospital and a contractor, this same situation plays out daily at all sizes of private practices.
This all began, sort of, in the summer of 2011 when Fairview Health System of Minnesota hired a contractor from Chicago to work on some billing issues.
In 2010 this contractor had a laptop stolen from an employee's car. Fortunately that laptop was encrypted, which granted them "safe harbor": the incident did not need to be reported because the protected health information (PHI) on it was unreadable to the thief.
Back to 2011: this same contractor had another laptop stolen from another locked car. The problem this time is that the laptop was not encrypted. Oops! Now thousands of patients have to be notified, along with the Department of Health and Human Services (HIPAA breach notifications go to the HHS Office for Civil Rights, not to CMS).
“During the theft in Minneapolis, an Accretive Health employee left his laptop in plain view of a thief who broke into the car and stole the computer, the report states. The laptop contained confidential data on about 23,000 patients of Fairview, North Memorial Health Care, as well as data from a hospital in Detroit.”
Well, it turns out that this contractor has actually lost multiple laptops, enough in fact to catch the ear of a U.S. Senator, who then got involved.
As you can see, this is not going well and I’m sure you wouldn’t want your practice to get sidetracked by this kind of issue.
This topic could easily turn into a multi-hour discussion, but here are the major issues from this story that concern every private practice physician AND how to deal with them:
- Contractors – every contractor you hire that could possibly have access to PHI should sign a Business Associate Agreement (BAA) before starting work. That agreement should specify that if any PHI will be stored on a portable device, the entire device must be encrypted.
- Encryption – This is a no-brainer: every laptop in the office should be fully encrypted. One caveat: encryption only earns you safe harbor if the thief cannot get the key along with the device. A laptop stolen while it is logged in or asleep with the disk already unlocked, or with the password on a sticky note in the bag, is unencrypted for all practical purposes.
- Computer Policies – It is apparent from reading the article that the contractor did not have a clear policy on how employees were to handle laptops. To think management had to tell employees not to leave laptops in plain sight in their cars is scary. As I always say, your computer policy is the foundation of the way your office operates. If you are not crystal clear, you will have problems.
- Whistle blowers – Note that much of the extra information about this contractor was via whistle blowers. If you are not concerned about a whistle blower, you are kidding yourself. Take a look at my recent whistle blower article and don’t be ignorant enough to dismiss it.
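"Every laptop should be encrypted" is only worth something if you actually verify it, and a laptop that is still mid-encryption, or whose protection has been suspended, will not get you safe harbor. Below is an added example of that check, written for this post and not taken from the article or from the contractor it describes. It assumes the laptop uses BitLocker (the article names no encryption product) and has the BitLocker PowerShell module (Windows 8 / Server 2012 and later, Pro or Enterprise editions); run it from an elevated PowerShell prompt on each machine.

```powershell
# Added example: audit full-disk encryption status on a Windows laptop.
# Assumption: BitLocker is the encryption product and the BitLocker
# PowerShell module is available. Requires an elevated session.

function Get-FdeComplianceReport {
    $volumes = Get-BitLockerVolume -ErrorAction Stop
    foreach ($v in $volumes) {
        # A volume only counts as protected when protection is On AND
        # encryption has finished. "EncryptionInProgress" still leaves
        # plaintext on disk, and ProtectionStatus Off with a FullyEncrypted
        # volume means the key protectors are suspended and the disk is
        # readable to anyone who boots it.
        $compliant = ($v.ProtectionStatus -eq 'On') -and
                     ($v.VolumeStatus -eq 'FullyEncrypted')
        [pscustomobject]@{
            Computer         = $v.ComputerName
            Drive            = $v.MountPoint
            VolumeType       = $v.VolumeType
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            PercentEncrypted = $v.EncryptionPercentage
            KeyProtectors    = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Compliant        = $compliant
        }
    }
}

$report = Get-FdeComplianceReport
$report | Format-Table -AutoSize

# Keep a dated copy per machine; you will want this record if a laptop
# is ever reported stolen and you need to show it was encrypted.
$report | Export-Csv -NoTypeInformation -Path ("fde-{0}-{1}.csv" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))

# The OS volume is the one that matters for a stolen laptop.
$osVolume = $report | Where-Object VolumeType -eq 'OperatingSystem'
if (-not $osVolume -or -not $osVolume.Compliant) {
    Write-Warning "OS volume on $env:COMPUTERNAME is NOT fully protected; PHI on this laptop would not qualify for safe harbor if the device were stolen."
    exit 1
}
```

The KeyProtectors column is worth a glance too: a volume protected only by a TPM with no PIN or password unlocks itself at boot, so the thief gets as far as the Windows login screen; a TPM plus PIN (TpmPin) or a password protector keeps the disk locked until someone who knows the secret is present.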
Most major HIPAA issues are easy to understand, but they are not always simple to implement. Without a clear set of policies, your office is heading down the road to disaster.