HIPAA Compliance Crackdown: Encrypt Your Data or Else

If your business is subject to HIPAA, two recent enforcement actions should make you reevaluate your data security measures. Concentra Health Services and QCA Health Plan paid $1.7 million and $250,000, respectively, to settle findings that they had failed to encrypt computers containing protected health information (PHI). In both cases the trigger was a stolen laptop. The theft itself was ordinary; what turned it into a reportable breach was that the data on the device was readable. Under the HIPAA breach notification rule, PHI that is encrypted in line with HHS guidance is not considered "unsecured," so losing an encrypted laptop is an inconvenience rather than a breach.

The penalties were levied by the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), and they demonstrate a growing willingness to enforce the HIPAA Security Rule as written. One point of confusion is worth clearing up: the Security Rule lists encryption of electronic PHI as an "addressable" safeguard (45 CFR 164.312(a)(2)(iv)), not a "required" one. Addressable does not mean optional. It means you must either implement encryption or document why an equivalent alternative is reasonable for your environment, and OCR has shown that an unencrypted laptop full of patient records will not be accepted as a reasonable alternative. If your company handles medical information and you want to avoid penalties in excess of $1 million, data encryption needs to be a top priority.

The Encryption Process

Encryption is relatively easy and inexpensive to do, even across a large technical infrastructure: full-disk encryption is built into every mainstream operating system (BitLocker on Windows, FileVault on macOS, LUKS on Linux). What matters is carrying it out systematically. PHI can be present on a wide range of devices, and not all of them stay at your workplace: laptops, phones, USB drives and backup media travel. QCA's problems came to light after a laptop was stolen from an employee's car, which illustrates why data has to be encrypted anywhere and everywhere it is accessible, not just on the servers in the data center.

The benefits of encryption continue after a device is taken out of use. Eventually you will have to dispose of devices that contain sensitive information, and the primary concern at that point is ensuring that PHI is inaccessible at every point in the chain of custody after the device leaves your workplace. With full-disk encryption in place, and with the password or recovery key kept separate from the hardware, the data cannot be read during transport or while the devices sit in storage awaiting disposal.

At Disposition, Encryption is Not Enough

Even with encryption in place, you will need to take steps to permanently erase the data from these devices before they are disposed of. Encryption is a powerful control, but it is not a guarantee at disposal time. The practical risk is rarely that the cipher itself gets broken; it is that key material survives alongside the device (a recovery key escrowed in a directory, a weak user passphrase), that data was written to the disk before encryption was turned on, or that an unencrypted partition or spare drive was overlooked. NIST SP 800-88 Rev. 1 recognizes cryptographic erase (destroying the encryption key) as a sanitization technique, with the caveat that it only protects data that was encrypted from the start. Considering the size of the penalties being levied for HIPAA violations, that is not a gap you want to leave open. Encryption is the first step; verified erasure by a certified data destruction vendor, with a certificate of destruction for your records, is the final step.

Now that you know how serious a HIPAA violation can be, it is time to audit your own devices. Even if you already use encryption, there may be PHI that remains unsecured: a machine imaged before the encryption policy took effect, a secondary data partition, an unencrypted swap area, or a removable drive that was never in scope. Confirming that every volume holding PHI is encrypted is the easiest and most reliable way to protect your data throughout the entire lifespan of the device.
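As an added example (not code from the original post or from the vendor), here is one way to perform that audit on a Linux host. It parses the JSON produced by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and treats a mounted filesystem as encrypted only if a dm-crypt (`type: "crypt"`) device sits somewhere above it in the block-device tree, so an LVM volume inside a LUKS container passes while a plain partition does not. The sample `lsblk` output below is constructed for the example, not captured from a real machine, and the set of mount points allowed to be cleartext is an assumption you should adjust for your own builds.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not captured
# from a real host). sda carries an unencrypted /boot, a LUKS container holding
# root and swap on LVM, and a forgotten cleartext /data partition; sdb is a
# USB stick that was never encrypted.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
        ]}
      ]},
      {"name": "sda3", "type": "part", "mountpoint": "/data"}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
    ]}
  ]
}
"""

# Assumption: only the boot filesystems may legitimately be cleartext.
# Swap is deliberately NOT listed; unencrypted swap can hold PHI paged out of memory.
ALLOWED_CLEARTEXT = {"/boot", "/boot/efi"}


def _mountpoint(dev):
    """Return the mount point of a device, handling both lsblk output styles."""
    mp = dev.get("mountpoint")
    if mp is None and dev.get("mountpoints"):  # newer lsblk emits a list
        mp = next((m for m in dev["mountpoints"] if m), None)
    return mp


def walk(devices, under_crypt=False, results=None):
    """Depth-first walk of the lsblk tree, recording every mounted filesystem
    and whether a dm-crypt device sits above it."""
    if results is None:
        results = []
    for dev in devices:
        is_crypt = under_crypt or dev.get("type") == "crypt"
        mp = _mountpoint(dev)
        if mp:
            results.append({"device": dev["name"], "mountpoint": mp, "encrypted": is_crypt})
        walk(dev.get("children", []), is_crypt, results)
    return results


def audit(lsblk_json):
    """Audit one host's block-device tree. A finding is any mounted filesystem
    that is not under a crypt device and is not on the cleartext allow-list."""
    tree = json.loads(lsblk_json)["blockdevices"]
    mounts = walk(tree)
    findings = [m for m in mounts
                if not m["encrypted"] and m["mountpoint"] not in ALLOWED_CLEARTEXT]
    return {"mounts": mounts, "findings": findings, "compliant": not findings}


def audit_live_host():
    """Run the same audit against the machine this script is executed on."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    report = audit(SAMPLE_LSBLK_JSON)
    for m in report["mounts"]:
        state = "encrypted" if m["encrypted"] else "CLEARTEXT"
        print(f"{m['mountpoint']:<12} {m['device']:<10} {state}")
    print("compliant:", report["compliant"])
    for f in report["findings"]:
        print(f"FINDING: {f['mountpoint']} on {f['device']} is not encrypted")
```

On the constructed sample the audit reports `/` and swap as encrypted (they sit under `cryptroot`), accepts `/boot`, and raises two findings: `/data` on sda3 and the USB stick on sdb1. That is exactly the category of oversight the text warns about: the primary disk was "encrypted," yet PHI could still be sitting in cleartext on the same machine. Run `audit_live_host()` from your configuration-management tooling across the fleet and treat any finding as a device that is not ready for either production use or disposal.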

When Susan McAndrew, an official with OCR, was asked how penalties could be avoided, she succinctly replied “(paying) attention to details.” Considering the scope of the potential fines, the details are more important than ever.

To learn more about common data security myths when it comes to recycling your IT assets or erasing your data for good, check out our free guide: 10 Myths about IT Asset Disposition and Data Erasure.
