$3.9 Million Fine for Stolen Laptop: Does your compliance budget cover this?
All business owners have a fiscal responsibility to be budget conscious, and dentists are no different. However, as the case below illustrates, a lack of compliance can take a huge bite out of your budget.
Feinstein Institute for Medical Research (FIMR) reported that an unencrypted laptop containing protected health information (PHI) of 13,000 patients was stolen from the car of one of its employees.
The HHS investigation concluded that FIMR:
- Impermissibly disclosed the ePHI when the laptop computer was left unsecured in the back seat of an employee’s car.
- Failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities of all of its ePHI, including the ePHI on the aforementioned laptop computer.
- Failed to implement policies and procedures for granting access to ePHI by its workforce members.
- Failed to implement physical safeguards for a laptop that contained ePHI to restrict access to unauthorized users.
- Failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of the facility, and the movement of these items within the facility.
- Failed to implement a mechanism to encrypt ePHI or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption to safeguard ePHI.
Would your practice survive the financial impact of this type of event? Simply because FIMR is a large facility doesn’t mean a breach couldn’t happen in a smaller dental practice. It’s easy to bury your head in the sand or slip into complacency. In this case, complacency means relying on a few free forms and occasional staff training without fully implementing the remaining requirements. Full HIPAA compliance also includes customizing policies and procedures, training employees upon hire, and conducting annual security risk assessments.
Remember the saying about being penny wise and pound foolish? Consider it money well spent to budget for qualified training for your Privacy/Security Officer.