By Christopher P. Young, Editor, G2 Compliance Advisor
A mental health organization, Aspire of Indiana, is sending breach notification letters to 45,030 clients and employees after several of its laptops were stolen from administrative offices during a Nov. 7, 2014 burglary. According to a report in Healthcare IT News, an investigation of the incident revealed that data on the laptops, which included emails and other files that may have contained Social Security numbers and personal medical information, was not encrypted. Had the laptops been encrypted, Aspire would not be facing the problems and expense caused by the burglary.
In the public notice on its website, Aspire said, “While there is no evidence that suggests any of the information has been misused, Aspire officials have arranged for identity protection services through ID Experts for the affected individuals.” The notice goes on to explain the steps Aspire has taken to help affected employees and provides a toll-free phone number to answer any questions affected individuals may have.
Encryption of data is not required by the Health Insurance Portability and Accountability Act (HIPAA), but it is “addressable.” That means that if there is a potential vulnerability that encryption would correct, the entity must either encrypt the data or use some alternative protection and document why it chose that alternative rather than encryption.
Laboratories and laboratory employees use a variety of electronic devices such as tablets and smartphones as well as laptop computers, and sometimes download sensitive files so they can work at home or away from the office. These devices are often overlooked when it comes to HIPAA security measures. It may be prudent to require that these devices be encrypted before they are taken outside the laboratory.
Aspire’s experience is a lesson to all health care providers, including laboratories, that regardless of the potential problems and inconvenience associated with encrypting all of their laptops and other devices, the problems and cost associated with a breach outweigh any costs associated with data encryption.