An employee of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) lost an unencrypted laptop on public transportation. The laptop contained the protected health information (PHI) of 1,500 individuals. DBHIDS informed affected individuals on the same day that the HIPAA breach was discovered. 

David T. Jones, Commissioner of the Department of Behavioral Health and Intellectual disAbility Services, stated, “Once we learned about the lost laptop within our Intellectual disAbility division, we immediately implemented actions to inform anyone who may have been impacted, provided additional training to our workforce and implemented additional controls to prevent this type of incident from occurring in the future.” 

An investigation found that, although no data had been accessed by unauthorized individuals, the missing laptop contained information such as patient names, birthdates, service provider names, MCI numbers, and information on Medicaid waiver services.

Although the majority of DBHIDS’ laptops were encrypted, there were some laptops that had not been encrypted. DBHIDS is conducting an investigation as to why some of their laptops were not encrypted. Spokeswoman for the organization, Alicia Taylor, wrote in a statement, “DBHIDS is thoroughly investigating causes of this incident and taking appropriate corrective actions, including re-training the employees involved, providing additional privacy/security training to the DBHIDS workforce, and continuing to review practices and implement additional controls to prevent this type of incident from occurring in the future.” All unencrypted laptops have since been encrypted. 

Encryption Can Prevent HIPAA Breaches

Even though encryption is not explicitly mandated by the HIPAA Security Rule, the Department of Health and Human Services (HHS) recommends that healthcare organizations encrypt data. Encryption masks data, ensuring that it is unreadable to unauthorized individuals. With encryption in place, PHI is protected in the event of a data breach.

The HHS mandates that adequate safeguards be in place to protect PHI; however, it states, “If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate.” This means that after conducting a security risk analysis (SRA), a healthcare organization may find that encryption is not warranted. If the organization determines that it does not need encryption, it needs to provide documentation that encryption was considered but deemed unnecessary.

However, when it comes to safeguarding PHI, organizations should err on the side of caution. HIPAA breaches have become increasingly common over the years, with health information a top commodity on the black market. Therefore, encrypting sensitive data is always a good idea.
