An experienced Chief Information Security Officer (CISO) that I know used to ask new employees this question. He would generally receive answers suggesting that you could possibly get $100 for it at a pawn shop.
This CISO would then ask, “What is the value of the same unencrypted laptop with Protected Health Information?”
In July 2020, Lifespan Health System Affiliated Covered Entity found out that the answer in their case is $1,040,000.
Earlier this year, Lifespan’s parent company reported a breach related to the theft of an employee’s laptop. The report noted that the Protected Health Information of 20,431 individuals was involved. The Office of Civil Rights (OCR) investigated, and OCR alleged that “there was systemic noncompliance with the HIPAA Rules, including a failure to encrypt electronic Protected Health Information (ePHI) on laptops after Lifespan determined it was reasonable and appropriate to do so.” OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation. Lifespan agreed to resolve the matter for $1,040,000 and entered into a corrective action plan.
While laptop encryption is not specifically required by HIPAA, OCR has made it clear that it regards encryption as required. In the OCR press release, OCR Director Roger Severino stated, “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves.” Failure to encrypt laptops will prove expensive in the long run for an organization. You do not want to find out the “value” of a stolen unencrypted laptop that belongs to your company.
Now is a good time to review your HIPAA compliance with your privacy officer or an experienced health care lawyer.