Precipitating Event: Unencrypted laptop and backup disks stolen from employee cars
(1) On or about December 30, 2005, protected health information (PHI) on four backup tapes and two optical disks were left unattended overnight in the personal vehicle of an employee of XYZ Health and were stolen. The employee took the disks and tapes from XYZ Health, pursuant to a practice followed at the time by the XYZ Health I/T Staff with the knowledge of some of XYZ Health managers. The PHI on the tapes and disks was not encrypted.
(2) On the following dates, laptops containing PHI were left unattended and were stolen from members of the workforce of XYZ Health:
(a) September 29, 2005
(b) December 7, 2005
(c) February 27, 2006
(d) March 3, 2006
The PHI on the stolen laptops was not encrypted.
(Minor modifications for readability.)
"left unattended overnight in the personal vehicle of an employee"
Says that PHI is leaving XYZ Health’s facility. There should be policies and procedures for PHI that stays in the facility. There should be policies and procedures for PHI that leaves the facility.
Ask Yourself: Are employees allowed to leave the clinic with PHI?
"with the knowledge of some of XYZ Health managers"
Says that managers are responsible for setting and enforcing policies. An unwritten policy is still a policy. Managers were aware that this PHI was leaving the facility and was in personal vehicles.
Ask Yourself: Does your clinic have unwritten rules or policies?
The source documents for this case study mention the word 'encryption' eight times.
The BIG DISCONNECT: The expectations of the HIPAA Police do not at all reflect the realities of the healthcare industry. The HIPAA Police expect all computer devices to be encrypted, meaning that encryption is enabled on computer storage.
The reality of most healthcare organizations is that they are concerned, intimidated or worried about turning on encryption. They correctly fear that they will lose data, lose productivity, or will have interrupted workflows. We call this Encryption Anxiety and are working to help relieve it. The expectation that every computer is encrypted is disconnected from the reality that most computers are NOT encrypted. ClinicNerds intend to help close this gap.