Laptops and Other Media Devices

by Jodie Cannon, BS, HCISPP, OSHA/HIPAA Consultant

Are you utilizing laptops within your Practice that are being transported out of the office?  Do you have staff that are telecommuting with the use of laptops?  Are laptops being transported to multiple satellite locations?

It is highly recommended to encrypt all media devices that may contain electronic protected health information (ePHI) and to implement a written Device & Media Control Policy.  Practices should consider implementing the reasonable and appropriate safeguards for the protection of ePHI such as encryption.

An employee’s laptop was stolen at Life Span Health System containing ePHI consisting of names, demographic information, Medicaid information, & medical record information.  Life Span Health System, an affiliated covered entity (ACE) of Life Span Corporation, failed to implement encryption of ePHI (electronic protected health information) resulting in a penalty of $1,040,000 with the Office for Civil Rights (OCR).

Additional violations were discovered during the OCR investigation to include: the lack of Device & Media Controls and not having a signed Business Associate Agreement in place with Life Span Corporation.

As Practices (Covered Entities), it is required that we assess our environment and security of our systems and devices by performing a Security Risk Assessment to identify our risks and vulnerabilities. Apply security safeguards to reduce the identified risks and vulnerabilities.

Let Modern Practice Solutions assist you with your HIPAA compliance to reduce the likelihood of a breach and huge penalties.