Precipitating Event: Unencrypted Laptop stolen while lecturing in Asia. (Note: normally we quote and parse the Resolution Agreement with HHS but in this case, the press release from XYZ Hospital was more informative. So we use the hospital's press release as the case study's prime source.)
On February 19, 2010, a laptop belonging to a physician affiliated with the XYZ Hospital was stolen while the physician was lecturing in South Korea. The laptop belonged to Dr. XXXXXX, a neurologist with a particular focus on ringing in the ears, or tinnitus. To date, XYZ Hospital has determined that data owned by XYZ Hospital on Dr. XXXXX’s laptop contained demographic and health information of approximately 3,526 patients treated by Dr. XXXXX at XYZ Hospital between February 3, 1988 and February 16, 2010, and of a small number of participants in research conducted by Dr. XXXXX at XYZ Hospital who were not also Dr. XXXXX’s patients, as follows:
XYZ Hospital has no indication that the information on the stolen computer has actually been accessed or inappropriately used. The computer was password protected and contained a tracking device commonly referred to as “LoJack.” The tracking device contacted LoJack on March 9 when the stolen computer was connected to the internet in South Korea. LoJack was able to monitor the computer’s configuration and on-line use, and determined that: 1.) A new operating system was installed on the computer following the theft, and 2.) Software needed to access most of the information about affected XYZ Hospital individuals had not been reinstalled.
On April 9 it was determined that it was unlikely that continued monitoring of the computer would lead to its retrieval, and a command was sent by LoJack to the computer permanently disabling the hard drive and rendering any information, including information about affected Mass. Eye and Ear individuals contained on the hard drive, permanently unreadable.
(Minor modifications made to the quoted text for readability.)
"3,526 patients treated by Dr. XXXXX at XYZ Hospital between February 1988 and February 2010"
The patient data went back 22 years, to 1988. It is important to know not only where all the PHI Hotspots are but also what data sits inside them (here, probably a spreadsheet). The number of individuals affected is one of the factors HHS weighs when setting penalties, and the $1.5m settlement was as large as it was because so many patients were affected. Another thing to consider is de-identifying old data that you no longer need in identifiable form.
Ask Yourself: Do you have databases or spreadsheets with ancient data?
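What "de-identifying the data" looks like in practice, as an added example that is not part of the original post or of any ClinicNerds product: a small Python script that applies the HIPAA Safe Harbor rules (45 CFR 164.514(b)(2)) to a spreadsheet export and then checks its own output for identifiers that slipped through. The two patient rows are constructed for the example (fictitious people, not data from the case), and the list of small-population three-digit ZIP prefixes is an assumption; the real list has to come from Census data.

```python
import csv
import io
import re
from datetime import date

# Constructed sample export (fictitious people, not from the case study).
# This is the sort of decades-old spreadsheet the paragraph above warns about.
SAMPLE_CSV = """mrn,name,dob,zip,phone,visit_date,diagnosis
100234,Jane Roe,1919-05-02,02114,617-555-0100,1988-02-03,tinnitus
100987,John Doe,1975-11-30,03601,603-555-0199,2010-02-16,tinnitus
"""

# Safe Harbor identifier classes handled here.
DIRECT_IDENTIFIERS = {"mrn", "name", "phone"}   # dropped outright
DATE_COLUMNS = {"dob", "visit_date"}            # reduced to year only
SKIP_COLUMNS = DIRECT_IDENTIFIERS | DATE_COLUMNS | {"zip"}

# Three-digit ZIP prefixes covering 20,000 people or fewer must be written
# as 000. The single prefix below is an ASSUMPTION for this example; the
# real list comes from Census population data.
SMALL_ZIP3 = {"036"}


def safe_harbor_zip(zip_code):
    """Keep the first three digits unless that area is too small to be safe."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_ZIP3 else zip3


def age_on(dob, as_of):
    """Age in whole years on the reference date."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify_row(row, as_of):
    """Apply Safe Harbor rules to one spreadsheet row.

    Direct identifiers are removed, dates are reduced to the year, the ZIP is
    truncated to three digits, and ages over 89 (together with the birth year
    that would reveal them) are collapsed into a single "90+" bucket.
    """
    out = {}
    dob = date.fromisoformat(row["dob"])
    age = age_on(dob, as_of)
    if age > 89:
        out["birth_year"] = "90+"
        out["age"] = "90+"
    else:
        out["birth_year"] = str(dob.year)
        out["age"] = str(age)
    out["zip3"] = safe_harbor_zip(row["zip"])
    out["visit_year"] = row["visit_date"][:4]
    # Copy through anything that is neither an identifier nor a date.
    for col, val in row.items():
        if col not in SKIP_COLUMNS:
            out[col] = val
    return out


def deidentify_csv(text, as_of_iso):
    """De-identify every row of a CSV export, computing ages as of as_of_iso."""
    as_of = date.fromisoformat(as_of_iso)
    rows = csv.DictReader(io.StringIO(text))
    return [deidentify_row(r, as_of) for r in rows]


# Patterns that should never survive de-identification. This is a check on
# the output, not the de-identification itself.
LEAK_PATTERNS = [
    re.compile(r"\d{3}-\d{3}-\d{4}"),   # US phone number
    re.compile(r"\d{4}-\d{2}-\d{2}"),   # full ISO date
    re.compile(r"^\d{5}$"),             # full five-digit ZIP
]


def find_leaks(rows):
    """Return (row_index, column, value) for any value matching a leak pattern."""
    leaks = []
    for i, row in enumerate(rows):
        for col, val in row.items():
            if any(p.search(val) for p in LEAK_PATTERNS):
                leaks.append((i, col, val))
    return leaks


if __name__ == "__main__":
    cleaned = deidentify_csv(SAMPLE_CSV, "2010-02-19")
    for r in cleaned:
        print(r)
    print("leaks:", find_leaks(cleaned))
```

The second check matters as much as the first: run find_leaks over the real output before you call a file de-identified, because a single stray phone or full date column is enough to make the whole spreadsheet PHI again.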
"has no indication that the information on the stolen computer has actually been accessed or inappropriately used"
This statement is irrelevant. The HIPAA Police do not care whether the data was actually read or used, and it is hard to prove either way. What matters is that unencrypted PHI walked out the door.
Ask Yourself: Have you left paper or electronic patient data exposed?
"computer was password protected and contained a tracking device commonly referred to as LoJack."
This LoJack tracking device sounds impressive, but it did not help XYZ Hospital avoid a $1.5m fine. Notice what the tracking actually revealed: a new operating system was installed on the machine. That is exactly what a login password cannot prevent; anyone holding the hardware can boot another OS or pull the drive, and without full-disk encryption the files on it stay readable. Encryption, strong passwords and automatic screen locks are the controls the HIPAA Police trust, and all three are built into current operating systems at no additional cost.
Ask Yourself: Are your vendors making slippery claims that their products are 'Fully HIPAA Compliant'?
When a US-based doctor is asked to lecture in Asia, it is safe to assume that this doctor is world-renowned. Before the trip, the doctor believed that precautions had been taken because of the LoJack for Laptops device. Unfortunately, the trip turned into a huge and costly embarrassment.
Note below some of the required actions stated in the Corrective Action Plan. We'll skip items 1-5 because they have been discussed before, but items 6-8 were new statements from the HIPAA Police:
"6. Procedures that specify the proper functions to be performed using workstations that access XYZ Hospital PHI, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access PHI;"
"7. Provisions to track the receipt and removal of hardware and electronic media, including portable devices, that contain XYZ Hospital PHI into and out of XYZ Hospital’s facility(s), and the movement of these items within XYZ Hospital’s facility(s);"
(The above two points are why the HIPAA Lifeguard App requires that a clinic floorplan be included in the risk assessment.)
"8. Mechanism(s) to encrypt and decrypt portable devices that contain XYZ Hospital PHI to allow access only to those persons or software programs that have been granted access rights;"
There is no such thing as 'HIPAA compliant', but these three things, if documented in a HIPAA Notebook, will get you close: encryption, strong passwords and automatic screen locks. ClinicNerds calls this 'NerdSecured.'