The theft of laptop computers containing unencrypted Protected Health Information (PHI) accounts for a high proportion of the HIPAA breaches reported to the Department of Health and Human Services' Office for Civil Rights (OCR). PHI encrypted in line with HHS guidance is not "unsecured PHI" under the Breach Notification Rule, so the loss of a properly encrypted device is not a reportable breach; the lack of encryption is what turns a stolen laptop into a reportable incident.
The Medical College of Wisconsin will join that list of organizations to suffer a laptop-related HIPAA breach after a device was stolen from the car of a physician. In this case, the theft of the laptop only resulted in one patient record potentially being exposed; however, paper files containing the PHI of approximately 400 of the physician's patients were also taken in the theft.
Under the Health Insurance Portability and Accountability Act (HIPAA), Covered Entities (CEs) are required to report breaches of unsecured PHI to the OCR via its breach reporting portal. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery; breaches affecting fewer than 500 individuals may be logged and reported within 60 days of the end of the calendar year in which they were discovered.
A public announcement regarding the data breach was issued via a CBS affiliate, WDJT Milwaukee, and notification letters were promptly dispatched to all affected individuals to advise them that their medical records had been exposed.
The statement advised the public, and the affected individuals, that the incident was a breach of hospital policy, which prohibits the downloading of PHI onto laptop computers and other portable devices and requires documents containing PHI to be transported securely.
The statement explains that the incident occurred on Feb 15, 2015, and that the physician concerned will be subject to disciplinary action. The College will also update its policies and procedures and take steps to prevent similar breaches in the future.
The incident highlights how easily HIPAA Rules can be violated, in spite of the best efforts of healthcare providers to secure healthcare data. Physicians and other staff who are given access to PHI can violate HIPAA Rules inadvertently, even when acting with the best of intentions.
Many physicians have to deal with slow systems and increasing time pressures, and in some cases downloading patient files onto a portable device is seen as an easy way to save time and see more patients.
To tackle this issue and prevent insider HIPAA breaches, employees who handle PHI must be given full training on the HIPAA rules and regulations governing data privacy and security, and they should be told clearly what the consequences of breaking those rules are.
The Office for Civil Rights can impose stiff financial penalties on healthcare providers for HIPAA breaches, and a data breach can trigger a full compliance audit. Individuals can also be held accountable for their actions: knowingly obtaining or disclosing PHI in violation of HIPAA is a criminal offense that can carry a heavy fine and a prison sentence.
The threat of data breaches from within may never be eliminated entirely, but action can be taken to keep the risk to a bare minimum.