It’s an unfortunate (but inevitable) fact of life: Laptops get stolen, and the consequences can be devastating. If those laptops have electronic protected health information (ePHI) on them, they fall under HIPAA regulations and the theft must be reported.
Even if the thief never looks at the data, the company can’t prove that, so everyone should take precautions against not just the fallout from lost data but also the fines that can accrue: install remote wipe capabilities, encrypt your drives, and don’t store ePHI on your local drive.
Hopefully, the next time a laptop grows legs, you will be better prepared to mitigate the damage.
What is The HIPAA Privacy Rule?
The HIPAA Privacy Rule explains how to use, manage, and protect personal health information (PHI or ePHI). Congress wrote the HIPAA Privacy Rule to protect patient data, and those rules apply to covered entities: the people and organizations that transmit, store, manage, and access personal health information.
What Information Does the Privacy Rule Protect?
The HIPAA Privacy Rule defines PHI as “individually identifiable health information” stored or transmitted by a covered entity or its business associates, in any form or medium (electronic, paper, or oral).
The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the payments or arrangement of payments made by an individual.
In the simplest terms: any and all data having to do with all doctor visits, ever, including (but not limited to):
- Birth, death or treatment dates, and any other dates relating to a patient’s illness or care
- Contact information: telephone numbers, addresses, and more
- Social Security numbers
- Medical records numbers
- Finger and voice prints
- Any other unique identifying number or account number
To Whom Does the HIPAA Privacy Rule Apply?
The HIPAA Privacy Rule protects individual PHI by governing the practices of the covered entities.
Covered entities are the people and organizations that hold and process PHI data for their customers – the ones required to report HIPAA violations and responsible for paying the fines imposed by the Office of Civil Rights if and when a HIPAA violation occurs.
These organizations are considered Covered Entities under HIPAA:
Health Care Providers
- Nursing homes
- Health insurance companies
- Company health plans
- Government provided health care plans
Health Care Clearinghouse
- These entities process healthcare data from another entity into a standard form.
What Happens if a HIPAA Data Breach Occurs?
According to the HIPAA breach notification rules, a covered entity is supposed to report data breaches to each individual affected within 60 days of discovery.
If the breach affects over 500 individuals, the covered entity must also report the breach to the Department of Health and Human Services within 60 days, which in turn opens an investigation with the Office of Civil Rights. On top of that, if the breach falls within that over-500 club, the covered entity is required by HIPAA rules to issue a press release to media outlets local to the affected individuals.
Not only is a PHI data breach potentially bad for the bottom line, it’s also government-mandated bad press.
HIPAA compliance isn’t just the law, it’s good business practice. Protecting an individual’s personal data and preventing data breaches affects both the bottom line (no fines) and company image (no bad press).
The Varonis Data Security Platform provides the foundation for a HIPAA compliant data security strategy – sign up for a free email course on HIPAA compliance, or get started with a demo to see the state of your HIPAA security.