How To Avoid A MILLION Dollar Fine By Choosing The Right Technology

This is a guest post by Mike Semel (Semel Consulting). He is a Certified HIPAA Professional with over 30 years in IT, including experience as a hospital Chief Information Officer, and has conducted many HIPAA audits and remediation projects. He is also our partner in helping chiropractic offices ensure compliance with HIPAA security rules.

I have yet to talk to a single chiropractor who has these bases covered properly. Some have gotten close, but at the end of the day, the question you have to ask yourself is: “Is it worth it to save a few dollars up front, try to manage your own technology, and then potentially lose everything you have worked for due to a fine for a breach of electronic Protected Health Information (ePHI)?” I struggle every time I see a DC lose data because they either didn’t know, or were too cheap, to properly protect their patient data. Don’t be that doc. Reach out and let us show you how to protect yourself properly. (PS – The free or personal backup programs like Carbonite and Mozy are not sufficient for business data.)

When I perform HIPAA audits for health care providers, they are often surprised when I tell them that their laptop is a security risk, and that they risk a million dollar fine if it is lost or stolen.

“My laptop????? A million dollars????? You’ve got to be kidding!”

If you are required to comply with HIPAA, you can’t just select the coolest-looking, lowest-priced, lightest, or fastest laptop that you like or that has good online reviews. If there is EVER ANY CHANCE that you will take patient data with you, your overriding priorities need to be security and encryption.

A Quick HIPAA Primer
The HIPAA Security Rule, which went into effect in 2005, contains a lot of requirements to protect Electronic Protected Health Information (ePHI). This is not just data in an Electronic Medical Records (EMR) system, but any combination of a patient’s name (or other specific identifier) with any treatment or diagnostic information. The data can be in any form, including letters, spreadsheets, or e-mails that contain ePHI. (Patient data should only be sent using encrypted e-mail, and never through a text message.)

While HIPAA does not require that stored data be encrypted, the HITECH Act of 2009 modified the data breach rules so that a lost or stolen device does not have to be reported if its data is encrypted (which is why I call encryption the HIPAA Get-Out-Of-Jail-Free card). Protecting a device with a password does not mean the data is encrypted.

HIPAA Enforcement
The HIPAA Security Rule went into effect in 2005, but there was very little enforcement until 2012, when unprecedented penalties were assessed for lost devices. A small hospice paid a $50,000 fine when a laptop was stolen. A large hospital paid $1.5 million when a doctor’s laptop was stolen while he was in Korea for a conference. In each case, the HIPAA enforcement agency said that if the data had been encrypted there would not have been any fine.

What should you do?

  1. When shopping for a new Windows laptop, skip the consumer models being promoted at low prices and find one that has a business-class operating system. There are several versions of Windows, and the low-priced consumer versions do not include security features adequate to protect patient data.
  2. Some higher-end models have self-encrypting drives, or you can purchase software that will encrypt data folders or the entire hard drive.
  3. Make sure you purchase Endpoint Protection software to prevent malware from breaching your data security.
  4. HIPAA requires automatic log-offs, so your screen goes blank and requires your password to log back in after several minutes of inactivity. This may seem inconvenient, but it is required for security.
  5. Inexpensive ways to protect your laptop from being stolen from a hotel room are to use a cable lock, secure storage bag, or the hotel safe.
  6. To make sure your device is really secure, you should have a knowledgeable IT specialist set it up and regularly test your security.
  7. Do you really need to carry patient data around? The best way to prevent a breach is to regularly search your laptop for patient data, and remove it. No data, no breach.
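As an added example (not from the original post), the following read-only PowerShell script audits a Windows laptop against checklist items 1 through 4 above; it assumes Windows 10/11 with Microsoft Defender as the endpoint product, and the 15-minute idle threshold is an assumed value for “several minutes.”

```powershell
# Added audit script (not from the original post). Read-only: it reports gaps
# against checklist items 1-4 and changes nothing. Assumes Windows 10/11 with
# Microsoft Defender as the endpoint product; run from an elevated PowerShell.

$findings = @()
$maxIdleSeconds = 15 * 60   # assumed threshold for "several minutes" of inactivity

# 1. Edition: consumer (Home) editions of Windows do not include BitLocker.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -match 'Home') {
    $findings += "Consumer edition ($($os.Caption)): BitLocker drive encryption is not available."
}

# 2. Encryption: every drive must be fully encrypted with protection turned on.
#    A login password alone does not encrypt the data on the disk.
try {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "Drive $($vol.MountPoint): protection=$($vol.ProtectionStatus), status=$($vol.VolumeStatus)."
        }
    }
} catch {
    $findings += "Could not query BitLocker (module missing or not elevated): $($_.Exception.Message)"
}

# 3. Endpoint protection: real-time scanning on and signatures recent.
try {
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off.' }
    if ($mp.AntivirusSignatureAge -gt 7)    { $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old." }
} catch {
    $findings += "Could not query Defender status: $($_.Exception.Message)"
}

# 4. Automatic lock: a password-protected screen saver must engage after idle time.
#    (Group Policy can also enforce this; these are the per-user registry values.)
$desk    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$timeout = [int]$desk.ScreenSaveTimeOut
$lockOk  = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
           ($timeout -gt 0) -and ($timeout -le $maxIdleSeconds)
if (-not $lockOk) {
    $findings += "Automatic lock not enforced (active=$($desk.ScreenSaveActive), secure=$($desk.ScreenSaverIsSecure), timeout=${timeout}s)."
}

if ($findings.Count -eq 0) { 'All four checks passed.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

If a third-party endpoint product is installed instead of Defender, check 3 will report Defender as off; substitute that product’s own status query.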

Situational Awareness
It is amazing that so many laptops are left behind at airport security—hundreds every day. One way to minimize this risk is to purchase a ‘Checkpoint Friendly’ computer case that lets you leave your computer in the bag while going through security.

You should also be very careful about where you use your computer. Just last week a friend e-mailed me from his airplane seat to let me know that he was reading patient data through the crack between the seats in front of him. A doctor had logged onto his EMR system and had no idea he was breaching his patients’ data. Had this been reported, a simple audit of EMR logins compared against the doctor’s travel schedule would have confirmed the breach, which could have been very expensive and embarrassing.

Summary
A business-class laptop secured with security tools and encryption costs more, but a lot less than a million dollar fine. Spread over the years you will keep it, the additional cost is minimal compared to the risks.

If you’d like to better understand where your vulnerabilities are, reach out to us for a no-obligation consultation.
