The Henry Ford Health System in Detroit lost a flash drive back in January that contained almost 3,000 patients’ information.
This flash drive was not encrypted.
Problem #1: Why was PHI stored on a flash drive?
Problem #2: Why wasn’t the flash drive encrypted? We don’t like the use of portable storage devices (flash drives) at all, but IF there is a solid justification, then that drive must be encrypted.
The real focus is are these two paragraphs from eweek:
As part of a “zero-tolerance policy” implemented following the Jan. 31 breach, Henry Ford will suspend or terminate employees who leave computers, smartphones or flash drives unsecured, the hospital system reports.
Within 90 to 120 days of its Feb. 23 announcement, Henry Ford also plans to encrypt all electronic devices in its facilities and educate employees about how to safeguard health data on both electronic devices and paper.
So, now if a staffer screws up with PHI one time they could be out the door. What does your Sanction Policy state?
The second paragraph leads me to believe they have no HIPAA training. Why would you need to educate employees about how to safeguard health data if you have a training program in place?
Do you have your staff accomplish annual HIPAA Awareness Training?