HIPAA Fines for Smaller Breaches Spell Trouble for Midmarket Healthcare
A small hospice in Northern Idaho was fined $50,000 by the Department of Health and Human Services (HHS) for a breach that involved the loss of just a few hundred patient records. This marks the first time that a breach of fewer than 500 medical records has drawn a fine from HHS, and it may be a message that smaller health care providers are now squarely in the sights of the HIPAA enforcement authorities.
The Hospice of Northern Idaho suffered the breach when an unencrypted laptop containing patients' personally identifiable information (PII) was stolen from a worker's car. Though the thief was apprehended, the laptop was never recovered. Luckily, it seems none of the sensitive information was used for any type of fraud or theft.
The Hospice itself has only about 100 employees and an equal number of volunteers, yet it claims to serve thousands in its community. The bigger picture, though, is that this could have been any midsize or smaller health care provider. The Hospice is a non-profit, and the $50k fine will cut deep. Think about what a $50k fine would do to any midmarket business. HIPAA is not just for large health care providers anymore.
One of the factors at play here is that the data on the stolen laptop was not encrypted. HIPAA regulations call for the encryption of all PII. Many speculate that the reason HHS came down hard on the hospice is not that the laptop was stolen, but that the data on it was not encrypted.
There are many options for encrypting your data and disks today. On Windows laptops, Microsoft itself offers a disk encryption tool. There are also free, open source encryption tools, such as TrueCrypt, that can do the job without costing anything for the software. If the data had been encrypted, the PII would have been useless to the thief even though the laptop was stolen.
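Having an encryption tool available is only half the job; the laptop that walks out the door has to actually be encrypted. The following is an added example, not code from the original post: a PowerShell check that reports any volume on a Windows laptop that is not fully protected by BitLocker (my assumption for the unnamed Microsoft disk encryption tool above). It assumes Windows 8 / Server 2012 or later, where the built-in BitLocker module provides Get-BitLockerVolume, and it needs to run with administrative rights.

```powershell
# Added example (not from the original post): audit BitLocker status on a
# Windows machine so unencrypted volumes can be found before a device goes
# missing. Assumes the built-in BitLocker module (Windows 8 / Server 2012 or
# later) and an elevated session; BitLocker is my assumption for the
# "Microsoft disk encryption tool" the post refers to.

function Get-UnprotectedVolumes {
    # Get-BitLockerVolume lists every volume BitLocker knows about, including
    # any attached removable drive with a drive letter (BitLocker To Go).
    # A volume counts as unprotected if protection is not switched on, or if
    # encryption has not yet reached 100% (still in progress or paused).
    Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -ne 'On' -or $_.EncryptionPercentage -lt 100 } |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

$unprotected = Get-UnprotectedVolumes
if ($unprotected) {
    Write-Warning "Volumes without full BitLocker protection on $($env:COMPUTERNAME):"
    $unprotected | Format-Table -AutoSize
    # Non-zero exit code so a scheduled task or endpoint-management tool can
    # flag this machine for follow-up.
    exit 1
} else {
    Write-Output "All volumes on $($env:COMPUTERNAME) are fully encrypted with protection on."
}
```

Run from a scheduled task or pushed through your endpoint-management tooling, this turns "we told staff to encrypt their laptops" into a verifiable inventory of which machines actually are, which is the evidence a regulator asks for after a loss like the one described here.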
Encryption requirements are not limited to health care providers and HIPAA. Other regulations, such as PCI DSS, also call for the encryption of confidential data. Whether you keep this data only on servers or also on laptops and other endpoints (phones and tablets offer data encryption options as well), you need to be encrypting confidential data.
Although the number of records lost here was small, it should serve as a wake-up call that this kind of thing can happen to any organization. Don't be the next example made by HHS or the PCI Council; take the time to encrypt your confidential data today.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.