A Rhode Island hospital recently paid a $150,000 fine for failure to protect medical records. That’s not all that surprising. As we previously reported, HIPAA related fines are on the rise with more cases in the pipeline. Also, more hospitals and physician practices are facing difficult security scrutiny after a privacy breach, and the OCR random security audit program will resume this fall. What may come as a surprise is that the fine wasn’t paid to the Office for Civil rights (OCR), but to the Massachusetts Attorney General, and the hospital isn’t even located in Massachusetts.

According to Massachusetts Attorney General Martha Coakley, the fines in this case stem from an April 2012 incident in which the Women & Infants Hospital of Rhode Island (WIH) realized that it was unable to locate 19 unencrypted backup tapes from two of its Prenatal Diagnostic Centers. Coakley got involved when it was determined that protected and sensitive data from over 12,000 Massachusetts residents was on the lost tapes, including patient’s names, dates of birth, Social Security numbers, and results from diagnostic testing.

Given the impacts of these breaches, it’s important that your hospital understand how to avoid them.

Here are five things your hospital needs to do to ensure this doesn’t happen to you:

• Be aware of State-specific privacy laws. Generally speaking, more restrictive state laws are not pre-empted by HIPAA, and as this case clearly shows, even state laws from other states may apply.
• Perform a complete security risk analysis and work to remediate any risks. This case clearly shows that loss of media containing patient information is clearly a risk.  Tapes and CDs are second only to laptops in terms of portable data storage that hold large quantities of patient data that can easily be lost or stolen. This fact alone makes them worthy of careful attention.
• Encrypt everything you can. If these tapes were encrypted, the information would almost certainly not have attracted the attention of OCR and probably not the Massachusetts AG either. Encryption provides a safe harbor under HIPAAA  and review of the HHS “wall of Shame” shows that lost media and laptops are very common breaches of Privacy rules.
• Perform a complete assessment of the location and protection on your easily transportable media, such as backup tapes, CDs, and thumb drives. Don’t forget to pay careful attention to media that is mailed or transported by courier. There are numerous examples of media being “lost in the mail” that resulted in significant enforcement activity. As a result of this breach settlement, WIH agreed to maintain an “an up-to-date inventory of the locations, custodians, and descriptions of unencrypted electronic media.”
• Finally, consider a test scenario. As a CIO, calling the staff together first thing in the morning and requesting an emergent effort to provide a complete listing of all backup media with descriptions of the data and the physical and electronic protections on that data can be a very instructive exercise.

Bottom line — portable repositories of data like unencrypted backup tapes are a clear risk to any organization. Take active management steps to mitigate this risk, or face the potential of large breaches and fines.

If you would like to know more about how to perform a security risk analysis, request a consultation with a risk expert.