If you or your practice store financial or patient information on laptop computers, you could face hefty fines if those devices are lost or stolen.
In 2018, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) documented 27 breaches, each involving the protected health information (PHI) of more than 500 patients, that resulted from a lost or stolen laptop.
With fines ranging from $100 to $50,000 per violation, penalties are steep and can add up quickly.
Thankfully, one important step toward protecting patient data, and yourself, is simple thanks to widely available encryption tools.
Encryption modifies data into a format that cannot be read unless a specific key is used to decrypt it. Anyone looking at encrypted data would see a jumbled combination of characters with no meaning.
Although encryption is not required to comply with HIPAA security rules – it is known as an addressable implementation specification – it would be very difficult (some say almost impossible) to meet HIPAA security standards without encryption. Recent OCR settlements indicate that OCR takes failure to encrypt mobile devices seriously.
Additionally, it is important to note that HIPAA only requires breach notification for unsecured PHI. For this reason, it is a good idea for physicians to follow HHS’ Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. This HHS guidance discusses appropriate encryption techniques for PHI.
The best news is, you don’t have to be an IT professional to encrypt your laptop, and most modern laptops include encryption tools already.
For Windows laptops, there are several options. Windows 10 devices may already come with encryption set up. To determine whether your laptop has encryption enabled, go to Settings > System > About and scroll to Device Encryption.
If encryption is not set up by default, Microsoft also offers a built-in encryption tool called BitLocker on the Professional edition of Windows. If you have the Home edition, you can upgrade for a relatively small fee. BitLocker requires creating a second password, or key, to unlock the encrypted data, but it is straightforward to set up and is already installed on your Windows laptop. The BitLocker password should not be stored with the laptop. Other free and “for a fee” solutions exist if you can’t or don’t want to use one of these built-in tools.
Apple laptops purchased in the past 15 years or so include a feature called FileVault that encrypts the entire system. To enable it, open System Preferences, select Security & Privacy, and turn on FileVault. It also requires a decryption password, so be sure to store that password somewhere safe in case you forget it.
It probably goes without saying, but don’t store your password on the laptop you’re encrypting. Otherwise you won’t be able to access the password if you forget it.
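For a practice that wants to verify, rather than assume, that the Windows steps above took effect, the following script is an added example (not from this article or from TMA) that reads BitLocker status with the built-in `Get-BitLockerVolume` cmdlet and flags an operating-system drive that is not fully protected or has no recovery key recorded. It assumes Windows 10/11 Pro with the BitLocker PowerShell module and an elevated (Run as Administrator) session; the function and variable names are ours.

```powershell
# Added example: audit BitLocker protection on a Windows 10/11 Pro laptop before PHI is stored on it.
# Assumes the BitLocker module is present and the session is elevated.
#Requires -RunAsAdministrator

function Test-LaptopEncryption {
    [CmdletBinding()]
    param()

    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        # The recovery password is the "second key" the article mentions; it must exist
        # and be stored away from the laptop, or a forgotten PIN or TPM change locks the data.
        $hasRecoveryKey = [bool]($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $findings += [pscustomobject]@{
            Drive               = $vol.MountPoint
            VolumeType          = $vol.VolumeType         # OperatingSystem or Data
            Protection          = $vol.ProtectionStatus   # On = keys sealed and enforced; Off = suspended or never enabled
            Status              = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            PercentEncrypted    = $vol.EncryptionPercentage
            Method              = $vol.EncryptionMethod
            RecoveryKeyPresent  = $hasRecoveryKey
        }
    }
    return $findings
}

$report = Test-LaptopEncryption
$report | Format-Table -AutoSize

# The OS drive is what a thief gets with the laptop: only "Protection On" plus "FullyEncrypted"
# means the data is unreadable without the key. In-progress or suspended states still expose plaintext.
$os = $report | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
if (-not $os -or $os.Protection -ne 'On' -or $os.Status -ne 'FullyEncrypted') {
    Write-Warning "Operating system drive is not fully protected; enable BitLocker before storing PHI on this laptop."
} elseif (-not $os.RecoveryKeyPresent) {
    Write-Warning "BitLocker is on but no recovery password protector exists; add one and keep it off the laptop."
} else {
    Write-Host "OS drive is fully encrypted and protected ($($os.Method)); keep the recovery key separate from the device."
}
```

On a Home edition machine that uses Device Encryption instead of the BitLocker module, the command-line tool `manage-bde -status` reports the same conversion and protection state.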
If you have other questions about HIPAA, contact the Texas Medical Association Knowledge Center at (800) 880-7955 or go to the HIPAA Resource Center on the TMA website.
NOTICE: This information is provided as a commentary on legal issues and is not intended to provide advice on any specific legal matter. This information should NOT be considered legal advice and receipt of it does not create an attorney-client relationship. This is not a substitute for the advice of an attorney. The Office of the General Counsel of the Texas Medical Association provides this information with the express understanding that 1) no attorney-client relationship exists, 2) neither TMA nor its attorneys are engaged in providing legal advice and 3) that the information is of a general character. Although TMA has attempted to present materials that are accurate and useful, some material may be outdated and TMA shall not be liable to anyone for any inaccuracy, error or omission, regardless of cause, or for any damages resulting therefrom. Any legal forms are only provided for the use of physicians in consultation with their attorneys. You should not rely on this information when dealing with personal legal matters; rather legal advice from retained legal counsel should be sought.