Violations of HIPAA

HIPAA and Laptops

The objective of this study is to answer the questions of what ethical issues exist when health information privacy is not protected and what some of the reason were for enacting HIPAA in addition to protecting privacy. This study will additionally address whether under the laws of HIPAA the nurse whose laptop with patient information and which was stolen is at fault and whether her employer is at fault.

According to the U.S. Department of Health and Human Services, stolen laptops lead to important HIPAA settlements and specifically stated is that "two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health and Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules." (p. 1)

It is reported that entities and business associates covered under these HIPAA rules "must understand that mobile device security is their obligation…our message to these organizations is simple: encryption is your best defense against these incidents." (U.S. Department of Health and Human Services, 2014, p. 1) Under a California law SB 1386 which was put into effect in September 2003, all businesses that have information that is personal in nature on residents of the state of California are required to immediately report any breaches of security that might result in theft of identity. For this reason ChoicePoint disclosed a large breach in security that affect millions in the state. The rule of thumb reported is that if a child would not be left in the car for 10 minutes then the laptop should not be left in the car for that long.

ChoicePoint admits that before this policy was established that their staff was lax in relation to security and privacy measures. Furthermore, management admits that they often saw paperwork with private information in view in the cars of employees. The nurse whose laptop was stolen had not locked her car while parked in the garage and it is recognized that the regulation is specific about the "administrative, physical and technical safeguards" that are required so that that risk for laptops being stolen is minimized.

It is clear that the Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA is violated when a nurse loses or has their laptop stolen and in addition, the employer of the nurse who has their laptop stolen or is lost is also in violation of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. It is important that patient information only be on laptops that remain within the healthcare facility and that these laptops are equipped with sufficient security measures that should anyone steal the laptop that they are unable to access patient information.