If you are a physician who carries confidential patient information on a laptop, tablet, iPad or other portable devices, please read on.
By now, you probably have been bombarded with articles and reports describing responsibilities of so-called “covered entities” regarding Protected Health Information (PHI). PHI can appear in many forms: patient letters, patient lists, patient phone numbers and addresses, patient photos, surgeon reports, emails, billing information, lab results, research data, and so forth.
In my experience, many physicians do not remember whether, when or how much PHI was stored on their portable computing devices. Should such a device be lost or stolen and the PHI on it compromised, the owner can be subject to significant sanctions under both federal and Missouri law.
There are a few important points to consider. First, if a physician knowingly placed PHI on a laptop that is later misplaced or stolen, and that PHI is compromised because it was not properly protected, there can be allegations of “willful neglect”, the highest penalty tier under HIPAA as amended by HITECH. That is, a physician may face greater sanctions for not having had appropriate administrative, physical and technical safeguards in place to protect that PHI. Second, the costs of notifying the affected patients and of credit monitoring or other identity protection can be extraordinary. And, depending on the scope of the breach, there is the potential embarrassment of the breach notification rule’s media requirement: a breach affecting more than 500 residents of a state must be reported to prominent media outlets serving that state, in addition to the affected individuals and HHS.
At KASS, we recommend physicians encrypt the entire contents of their portable computers, commonly called full-disk encryption. Modern operating systems include this as a built-in feature (BitLocker on Windows, FileVault on macOS, LUKS/dm-crypt on Linux, and on iPads and iPhones it is in effect as soon as a passcode is set), so no specialized software purchase is normally required. Once enabled, nothing on the drive can be read without the user’s passphrase or recovery key. It is an easy, inexpensive and effective way to set aside the worries, hassles and costs associated with lost or stolen devices containing PHI, and it has a specific legal payoff: under the HITECH breach notification rule, PHI that is encrypted in a manner consistent with HHS guidance (which points to NIST standards) is treated as “secured”, so the loss of a properly encrypted device is generally not a reportable breach. Two caveats apply. The protection only holds if the device was powered off or locked when it went missing, not left running with the drive unlocked, and the recovery key or written passphrase must never travel with the device. Encryption should also be verified on each device rather than assumed, since it is easy to believe a laptop was encrypted when it never was.
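The verification step matters because an unencrypted disk under a login password looks identical to an encrypted one from the desktop. The following is an added example, not from the original article or from KASS, of a check for a Linux laptop: it reads the block-device tree that `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` prints, finds the device mounted at `/`, and walks up its parent chain (via `PKNAME`) looking for a dm-crypt (`TYPE="crypt"`) layer, so that LVM-on-LUKS layouts are detected as well as plain LUKS. The function and sample names (`root_is_encrypted`, `check_live_root`, the two `SAMPLE_*` strings) are my own; the two sample `lsblk` outputs are constructed for the demonstration.

```shell
#!/bin/sh
# Exit status of root_is_encrypted (reads lsblk -P output on stdin):
#   0  the device mounted at / is, or sits on top of, a dm-crypt volume
#   1  no crypt layer found between / and the physical disk
#   2  no device with MOUNTPOINT="/" was present in the input
root_is_encrypted() {
    awk '
    # Pull the value of KEY="..." out of one lsblk -P line.
    # The (^| ) anchor stops NAME= from matching inside PKNAME=.
    function field(line, key,    s) {
        if (!match(line, "(^| )" key "=\"[^\"]*\"")) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)     # drop everything up to the opening quote
        sub(/"$/, "", s)          # drop the closing quote
        return s
    }
    {
        name = field($0, "NAME")
        type[name]   = field($0, "TYPE")
        parent[name] = field($0, "PKNAME")
        if (field($0, "MOUNTPOINT") == "/") root = name
    }
    END {
        if (root == "") exit 2
        # Walk from the root filesystem device up to the disk.
        for (d = root; d != ""; d = parent[d]) {
            if (type[d] == "crypt") exit 0
            if (++hops > 16) break   # guard against a malformed parent loop
        }
        exit 1
    }'
}

# Live check on the machine this runs on (Linux with util-linux lsblk).
check_live_root() {
    lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | root_is_encrypted
}

# Constructed sample: LVM root volume on top of a LUKS container.
SAMPLE_LUKS_LVM='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-root" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-root"'

# Constructed sample: root filesystem written straight onto a partition.
SAMPLE_PLAIN='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

# Demonstration on the two samples (no lsblk needed).
for label in SAMPLE_LUKS_LVM SAMPLE_PLAIN; do
    eval "data=\$$label"
    if printf '%s\n' "$data" | root_is_encrypted; then
        echo "$label: root filesystem is on an encrypted volume"
    else
        echo "$label: root filesystem is NOT encrypted (rc=$?)"
    fi
done
```

Run `check_live_root` on the laptop itself; a status of 0 is what you want to see before PHI goes on the machine. The equivalent one-liners on the other platforms are `fdesetup status` on macOS (it should print that FileVault is on) and `manage-bde -status` or `Get-BitLockerVolume` in an elevated Windows prompt, where the protection status of the operating-system drive should read as on.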