For some time now I have been discussing the inevitability that government fines for egregious data breaches will eventually reach small medical practices. In early January my prediction became a reality when the Office of Civil Rights administered a fine of $50,000 for the loss of an unencrypted laptop by a small hospice facility in Northern Idaho. Their fine for the theft of a laptop holding 441 unencrypted patient medical records sends a clear signal from the Department of Health & Human Services that even small medical organizations are not exempt from fines for lax security and protection of confidential consumer information. If you need more convincing, spend a few minutes browsing the Office of Civil Rights website and you will find other case examples by type of medical facility.
As more and more employees of physician groups and hospitals bring their own electronic devices, such as tablets and smartphones, to work, it can only be expected that more of these fines will be administered unless employers proactively work to protect any confidential information these devices contain. If you are unsure how to prevent data loss from mobile devices, there is excellent advice on mobile security on the Department of Health and Human Services website. Their article “Five Steps Organizations Can Take to Manage Mobile Security” is even available as a downloadable PDF file.
Don’t be caught unprepared. As embarrassing as it is to acknowledge that you have suffered a breach and to notify all of the patients who were affected, a hefty fine from OCR will add insult to injury.
After you have had a chance to implement all of the necessary safeguards to protect your confidential information, don’t forget to consider Cyber Liability insurance to help repair your balance sheet if you become the next target of the Department of Health & Human Services.