Fact: According to the latest HIPAA and Breach Enforcement Stats from the Office of Civil Rights (the arm of Health and Human Services responsible for HIPAA enforcement), theft is the leading cause of reported breaches.

Last year, as a direct result of a breach report of a stolen unencrypted laptop, Concentra Health Services paid OCR $1,725,220 to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. And that’s just one story. There have been plenty more, and the number continues to grow.

First step to thwarting theft of Protected Health Information: Think like a crook.

Walk through the front door of your practice and pretend you’re a crook casing the place. Look around:

  • Are the workstations protected from public access?
  • Are the entrances and exits that lead to locations with PHI secured?
  • Are non-public areas protected by locks or cameras?

Then switch back to being the law-abiding healthcare professional that you are, and ask yourself:

  • What modifications might be needed to make things more secure? (For instance, do any workstations need to be relocated?)
  • Has the staff been trained on where and when to physically put things under lock and key?
  • Are policies in place regarding who has the keys and who is entitled to use them?
  • Are policies in place limiting physical access to machines (including faxes and copiers) with PHI?

This HIPAA Quick Tip deals mainly with on-site vulnerabilities — an office break-in or a brazen heist during hectic office hours. In an upcoming post, I’ll focus on safeguards regarding mobile devices — whether they remain at the office or travel with you.