FYI "two optical disks" probably means CDs or DVDs
FYI "tapes" are magnetic backup tapes; tape predates disk drives but is still a standard medium for bulk backups
Further investigation found that 4 laptops were stolen in separate incidents
Key Highlights
A few snippets from case documents
Legend
HIPAA Police are variously referred to as "OCR", "HHS-OCR" or just "HHS" (the Office for Civil Rights of the U.S. Department of Health and Human Services)
Patient data is called "PHI" (Protected Health Information), or "ePHI" when it is in electronic form
HIPAA Rules are written in the "C.F.R." or Code of Federal Regulations (45 C.F.R. Parts 160 and 164)
Hospitals, insurers, pharmacies, practices, labs, etc. that must obey HIPAA are called "Covered Entities"; the contractors who handle PHI on their behalf are "Business Associates"
The conduct under investigation (the alleged HIPAA violations) is called the "Covered Conduct" in a resolution agreement
Chief of the HIPAA Police is usually called "OCR Director"
Comments & Questions
This was the first big HIPAA fine - it sent shockwaves
Providence is a big "health system" with lots of hospitals, clinics, facilities, locations, etc.
Providence primarily operates in Washington, but one theft happened in Oregon - maybe an overnight stay was involved
This was probably in the I/T department
Employees in the I/T department have to travel to various healthcare locations - probably using their own cars
The use of "backup tapes" does not by itself mean the technology was old; tape is still a common backup medium. What matters is that a backup tape or disk holds a complete copy of patient data and is easy to carry off
The I/T employees were probably doing routine maintenance and backup of computer systems
Quote: "pursuant to practice followed at the time ... with knowledge of managers" - means that the I/T people were not breaking any policy by leaving the computer equipment in their cars; managers were aware that this was occurring
Key evidence: "...stolen laptops were not encrypted" and "the tapes and disks were not encrypted"
My guess is that if Providence could have proven that the stolen computers and computer equipment were encrypted, then this case never happens
Lessons
In the statements quoted below, HHS-OCR is sending a message to the whole healthcare industry
Quote: "effective compliance means more than just written policies and procedures" - it is not enough to write a "policy document" and have employees "check this box" to say that they have read and understood it
Quote: "ensure that these efforts include effective privacy and security staffing" - every healthcare team needs to dedicate someone to monitor and manage the compliance program
Put somebody in charge of HIPAA - I call this person the HIPAA Specialist (the Rules themselves require a designated privacy official and a designated security official)
Quote: "employee training" - annual training certifications for all employees, regular reminders
Quote: "physical features" - do not leave computers in cars, put locks on doors
Quote: "technical features" - full-disk encryption on every laptop and workstation, encryption of backup tapes and other removable media, and strong passwords with screen locks
If it isn't documented, then it didn't happen - I recommend everything be documented in a HIPAA Notebook
Implement a new policy today: Do not leave computers in cars
These cases drag on for years - Providence's corrective action plan (its "probation") ran for 3 years
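The "technical features" lesson above and the point that compliance is more than a written policy both come down to the same thing: somebody has to verify that the tape or disk going out the door is actually encrypted, rather than trusting that a procedure was followed. The following is an added example, not code from the original page or from Providence, of a small pre-transport check that inspects the first bytes of a backup image and refuses to clear it unless it carries a known encrypted-container header or, failing that, looks like ciphertext. The LUKS, OpenSSL "Salted__", gzip, bzip2 and xz magic bytes are real; the file layout of the backup images, the constructed sample data and the 7.5 bits/byte entropy cut-off are assumptions. It also handles the classic false positive: a compressed cleartext dump has high entropy too, so compression headers are recognised and rejected before the entropy test runs.

```python
"""Pre-transport check for backup media: refuse to let a backup image leave
the building unless it is actually encrypted.

Added example; this is not code from the original page or from Providence.
The LUKS, OpenSSL "Salted__", gzip, bzip2 and xz magic bytes are real; the
file layout of the backup images, the sample data and the entropy threshold
are assumptions.
"""
import gzip
import math
import random
from collections import Counter

# Leading bytes written by common encryption tools (assumed to be the ones
# the shop uses; extend for your own tooling).
ENCRYPTED_MAGIC = {
    b"LUKS\xba\xbe": "LUKS container",
    b"Salted__": "openssl enc (salted)",
}
# Compressed data also has high entropy, so it must be recognised and
# rejected before the entropy fallback, or a gzipped cleartext dump would
# pass as "encrypted".
COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}
# Shannon entropy in bits per byte; ciphertext is close to 8.0, text is
# around 4 to 5. The 7.5 cut-off is an assumption; check it against your
# own media before relying on it.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024  # tape images are large; inspect only the head


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_media(data: bytes) -> tuple[bool, str]:
    """Return (ok_to_transport, reason) for the leading bytes of a backup image."""
    for magic, name in ENCRYPTED_MAGIC.items():
        if data.startswith(magic):
            return True, f"recognised {name} header"
    for magic, name in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return False, f"{name} stream, compressed but not encrypted; do not transport"
    ent = shannon_entropy(data[:SAMPLE_BYTES])
    if ent >= ENTROPY_THRESHOLD:
        return True, f"no known header but high entropy ({ent:.2f} bits/byte)"
    return False, f"looks like cleartext ({ent:.2f} bits/byte); do not transport"


def check_media_file(path: str) -> tuple[bool, str]:
    """Apply classify_media to the first SAMPLE_BYTES of a file on disk."""
    with open(path, "rb") as fh:
        return classify_media(fh.read(SAMPLE_BYTES))


# Constructed samples standing in for the kinds of media an I/T person
# might carry out to the car. The patient records are fabricated.
CLEARTEXT_DUMP = b"".join(
    b"MRN=%08d|NAME=PATIENT %d|DOB=1960-01-01|DX=Z00.00\n" % (i, i)
    for i in range(500)
)
COMPRESSED_DUMP = gzip.compress(CLEARTEXT_DUMP)
# Stand-in for ciphertext: an OpenSSL-style header followed by random bytes.
ENCRYPTED_IMAGE = b"Salted__" + random.Random(0).randbytes(4096)
# Ciphertext whose header we do not recognise; only the entropy test clears it.
UNKNOWN_CIPHERTEXT = random.Random(1).randbytes(4096)


def demo() -> dict[str, bool]:
    """Run the check over the constructed samples; True means cleared to leave."""
    return {
        "cleartext dump": classify_media(CLEARTEXT_DUMP)[0],
        "gzipped dump": classify_media(COMPRESSED_DUMP)[0],
        "openssl-encrypted image": classify_media(ENCRYPTED_IMAGE)[0],
        "unrecognised ciphertext": classify_media(UNKNOWN_CIPHERTEXT)[0],
    }


if __name__ == "__main__":
    samples = [("cleartext dump", CLEARTEXT_DUMP), ("gzipped dump", COMPRESSED_DUMP),
               ("openssl-encrypted image", ENCRYPTED_IMAGE),
               ("unrecognised ciphertext", UNKNOWN_CIPHERTEXT)]
    for label, data in samples:
        ok, reason = classify_media(data)
        print(f"{label:24s} {'CLEARED' if ok else 'BLOCKED'}: {reason}")
```

A check like this belongs at the point where media is logged out of the data center (the "physical features" control), and its results go into the HIPAA Notebook so that the encryption claim is documented rather than assumed. The entropy fallback is a heuristic: a known container header is the only strong evidence, so the preferred fix is to standardise on one encryption tool and treat anything without its header as blocked.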