Securing ePHI Outside of the Office – Northwestern Memorial HIPAA Breach

It is highly advisable to take precautions with notebooks and other devices that leave the office if they are likely to store ePHI. Measures must be taken to protect confidential information and avoid costly penalties. At LaSalle Consulting Partners, we recommend that all data be encrypted using the highest encryption standard available before it leaves your location, and that it remain encrypted at all times.

Should the laptop or device become misplaced or stolen, the data contained on its encrypted drive is completely inaccessible without the associated encryption key. This extra level of protection prevents unauthorized users from accessing sensitive information. It also means that organizations are not required to notify those whose ePHI is contained on the device should it be misplaced. In October 2014, a Northwestern Memorial HealthCare laptop computer that was not protected with disk encryption was stolen from an employee’s vehicle. In accordance with the HIPAA Breach Notification Rule, Northwestern Memorial was required to notify the 2,800 patients whose ePHI was contained on the computer. Breaches such as this can be easily avoided through the encryption of device hard drives.

Please contact LaSalle Consulting Partners to find out how we can help you develop and implement policies that help safeguard ePHI, even away from the office.

LaSalle Consulting Partners, Inc.
200 W Madison St | Suite 940 | Chicago, IL 60606 | 312-361-3326