ESPN reported back in June that a laptop containing the medical records of thousands of NFL players was stolen from the car of a Washington Redskins’ trainer. The team released a statement saying no health information protected under HIPAA guidelines was at risk, but the incident shows that EMRs are vulnerable, no matter the size of your company. That’s why you need to have all medical records completely protected, no matter where they’re being stored.
Though the Redskins’ situation was bad, an NFL spokesperson stated that the NFL EMR system was not compromised and that the league believes the thief was unable to gain access to the stolen computer or its files. However, this does not mean the situation is resolved. The team is now in the process of notifying every person who could be affected.
Not only is this embarrassing, the Redskins could also be vulnerable to civil lawsuits from players affected—even if no HIPAA-protected information was accessed. If this sensitive data had been breached, the team would have faced a significant fine from the federal government in addition to these lawsuits.
According to Bloomberg Business News, a Massachusetts hospital was required to pay the federal government $850,000 for HIPAA violations last year after a laptop containing private health information was stolen. This event triggered a system-wide analysis, which revealed several other areas of non-compliance. Not only was the hospital required to pay the fine, it also had to invest heavily to upgrade its technology systems.
These two stories can serve as a valuable learning tool for any organization that stores documents or files regulated under HIPAA guidelines. For starters, it’s important to understand that while email threats like phishing are very real and dangerous, the easiest way for a person to gain access to medical records is to simply take the device the records are physically stored on.
That’s why it’s absolutely vital to have any device—smartphone, computer, or tablet—be password protected and encrypted if it stores or transmits medical information of any kind. This, however, is simply the bare minimum. You might want to consider additional security measures such as two-factor authentication to add an extra level of protection to your devices.
Another thing to consider is storing your EMR in the cloud. When files are stored in the cloud, you have central control over who is able to access them and from where. In the case of a missing laptop, once it has been reported as lost, you can immediately block it from retrieving any files and perform a remote wipe, which erases anything currently stored on it.
It’s important to remember that every device, even those at companies that use the cloud for document access and storage, still needs to have strong passwords and encryption in place. Also, it should be noted that transferring HIPAA-protected data to the cloud is a process that must be handled with care. There are several things that must be addressed to ensure your data is protected and meets all government regulations. Bringing in a cloud service provider who specializes in HIPAA storage can make this process a smooth one for you, your staff, and your patients or clients.
Interested in learning more about using the cloud to store your documents? Contact us today. We’re experts in HIPAA-related matters, ready to help your information remain safe and in compliance.