Health care providers integrate many forms of technology into their practices: laptops, desktops, EMR tablets, iPads, iPhones, iPods, thumb/jump drives, CD backups, external hard drives, photocopiers, fax machines, etc. However, many practices have not implemented strict policies and procedures requiring office staff to complete a privacy and security audit that keeps track of all forms of electronic storage devices. Moreover, the policies should be written so that staff members can identify a missing electronic storage device as part of their daily risk analysis.
Georgia’s UHS-Pruitt Corporation had two laptops stolen within a two-week period. “Both laptops held unencrypted patient data on their hard drives, and were stolen from employee cars.”
“The first incident, which occurred on September 26, involved information from 1,300 patients at its nursing facilities, including names, dates of birth, Medicare numbers, resident ID numbers, and Social Security numbers. The affected patients were current or former residents of Heritage Healthcare of Ashburn, UniHealth Post-Acute Care Augusta Hills, Heritage Healthcare of Fitzgerald, Heritage Healthcare at Osceola, Palmyra Nursing Home and Sylvester Healthcare. This laptop and the information on it were used to process healthcare service payments for the facilities.
“On October 8, a laptop belonging to a UniHealth SOURCE employee was stolen. Less information was available in this instance, limited to names and diagnoses, as it was only used for quality assurance audits. The 4,500 affected patients were current and former patients of UniHealth SOURCE, UniHealth Select, and Blue Ridge Community Based Services.”
Georgia’s UHS-Pruitt Corporation not only failed to properly encrypt the laptops; it also could have been proactive by implementing and following proper protocols to discover that the laptops were not accounted for in their normal place within the facility. Health care providers are held to a higher standard and should know that their electronic storage devices containing protected health information are: 1) properly encrypted; and 2) properly accounted for.