Another story of a kind that is becoming all too common. From HIPAA Journal: “Lost Laptop Sees PHI of 3,725 Veterans Exposed.”
What is the moral of this story for your health clinic?
- Properly Decommission Computers: Any device that had any sort of access to PHI needs to be completely wiped and properly decommissioned when it’s taken out of production. That means thoroughly scrubbing or destroying the data on the computer’s hard drive. Refer to 45 CFR 164.310(d)(2)(i) and 45 CFR 164.310(d)(2)(ii) for more information.
- Encrypt All Laptops: The data on all laptops should be encrypted at all times, as it’s your Get Out Of Jail Free card. If a laptop is lost with properly documented, fully encrypted data, there is no way for the data to be recovered and the loss does not have to be reported as a breach.