Client Alert: What's the Value of a Used Laptop?

Shumaker, Loop & Kendrick, LLP

Shumaker, Loop & Kendrick, LLPAn experienced Chief Information Security Officer (CISO) that I know, used to ask this question to new employees. He would generally receive answers that would suggest that you could possibly get $100 at a pawn shop.

This CISO would then ask, “What is the value of the same unencrypted laptop with Protected Health Information?”

In July 2020, Lifespan Health System Affiliated Covered Entity found out that the answer in their case is $1,040,000.

Earlier this year, Lifespan’s parent company reported a breach related to the theft of an employee’s laptop. The report noted that the Protected Health Information of 20,431 individuals was involved. The Office of Civil Rights (OCR) investigated, and OCR alleged that “there was systemic noncompliance with the HIPAA Rules, including a failure to encrypt electronic Protected Health Information (ePHI) on laptops after Lifespan determined it was reasonable and appropriate to do so.” OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation. Lifespan agreed to resolve the matter for $1,040,000 and entered into a corrective action plan.

While laptop encryption is not specifically required by HIPAA, OCR has made it clear that OCR believes that encryption is required. In the OCR press release, Roger Severino, OCR Director stated, “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.” Failure to encrypt laptops will prove expensive in the long run for an organization. You do not want to find out the “value” of a stolen unencrypted laptop that belongs to your company.

Now is a good time to review your HIPAA compliance with your privacy officer or an experienced health care lawyer.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Shumaker, Loop & Kendrick, LLP | Attorney Advertising

Written by:

Shumaker, Loop & Kendrick, LLP

Shumaker, Loop & Kendrick, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.