Recently there was a story in the news that revealed two different hospital associations had to pay OCR fines of $1,975,220. The fines were due to two unencrypted laptops being stolen.
I’m not sure what else we need to read to grasp the seriousness of encrypting laptops. Although encryption is not strictly required, it is our best defense against breaches caused by the loss or theft of a laptop. Studies have shown that a laptop disappears every 43 seconds in the United States. That equals about 12,000 laptops per week. Remember that 46 percent of the breaches analyzed result from physical theft or a lack of encryption.
What I really found interesting when I dug into this story was that part of the fine was due to the fact that the facility didn’t encrypt and also didn’t have a policy documenting why it didn’t encrypt. The Security Rule allows for flexibility under 45 CFR 164.312. However, you must explain why you are not going to encrypt and also have alternative measures in place. And yes, you need policies.
The other facility was fined for its lack of security policies. It was not fined as much for the lack of encryption as for the lack of these security policies. We also need to remember that both of these facilities will have years of compliance reporting that they will need to provide to OCR. If you add that to the almost $2 million in fines, these are serious penalties.
If you are still confused about security, OCR offers educational programs about compliance with various aspects of the HIPAA Privacy and Security Rules. They also count toward CECs for those who need them.
Learn more at http://www.hhs.gov/ocr/privacy/hipaa/understanding/training.
More information about the above story can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/stolenlaptops-agreements.html.