An Unencrypted Thumb Drive Costs a Medical Practice $150,000.


January 21, 2014

HIPAA Thumb drive security breach

Adult & Pediatric Dermatology, P.C. of Concord, Mass. must pay a $150,000 HIPAA penalty after losing 2,200 patient records. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, the HIPAA penalty occurred when an unencrypted thumb drive was stolen from an employee’s vehicle. In addition, the medical practice failed to identify the thumb drive in a HIPAA risk analysis.

Do you have a proper risk management process in place? Do you secure electronic protected health information (ePHI) stored on various devices? As a healthcare professional, it’s critical to identify and mitigate risks before a HIPAA breach occurs.

The Take-Home Message:

1.   You shouldn’t store electronic protected health information (ePHI) on unencrypted devices, including thumb drives.

2.   You must identify thumb drives and other devices containing ePHI during a HIPAA and Meaningful Use Risk Analysis.

Where Is Your ePHI?

Many healthcare organizations believe their protected information is only contained in their electronic health records (EHR). However, any file containing diagnostic or treatment information must be protected. The following are few examples of places where ePHI can be found:

  • Letters
  • Spreadsheets and reports
  • Faxes and scanned images
  • Medical images and photographs
  • Voice files

Protected information can be stored on any device, including hard drives inside copiers. If you’re storing protected patient data on portable devices, make sure those devices are encrypted to avoid a HIPAA penalty in the unfortunate event that it is lost or stolen.

Tips To Prevent a HIPAA Breach

A HIPAA breach can lead to hefty fines, lost customer confidence, and reputational damage. You can protect your healthcare organization by doing the following:

1.    Don’t Export Data From Your EHR System

If you need to access protected data outside the office, use remote access tools to securely access the information without transferring data to a remote or portable device.

2.   Protect Your Computers and Network

Create a policy to prevent unauthorized users from exporting data from your EHR system. Also, make sure your network and portable devices are professionally managed to protect confidential data.

3.   Encrypt Your Devices

Devices should be encrypted to protect patient data stored on them, including both stationary and portable devices.

4.   Hire a Professional To Conduct a HIPAA Risk Analysis

A certified compliance expert can identify problems and solutions that would otherwise go unnoticed. It’s much less expensive to hire a professional than to face a HIPAA breach.

To learn more about HIPAA compliance and how to secure your devices, give us a call at (888) 330-8808 or send us an email at [email protected]. Integris can help you keep your patients’ information confidential.

We're Integris. We're always working to empower people through technology.

Keep reading

How to Choose an IT Consultant in Boulder, CO

Regardless of industry size or type, Boulder IT consultants play a massive role in the way companies in the Boulder area do business. While most companies may have their own in-house IT department, many of these departments are small and cannot handle all the...

7 Signs Your Denver Business Needs a Tech Update

Regardless of size or industry, technology is an essential part of every Denver business. That being said, technological improvements and advancements can develop quite quickly, leaving some businesses scrambling to keep up. While many businesses cite expenses in the...

Cybersecurity best practices for Boston Businesses

Securing your businesses sensitive data, networks, and devices is non-negotiable in the technologically-driven world we live in. Whether you are a small business or or corporation in Boston, it is imperative that you prioritize cybersecurity. It is no longer enough to...