A Detroit, Michigan hospital, Henry Ford Health Systems, had one of its laptops stolen out of an unlocked physician's office in September. The laptop contained certain individually identifiable patient information protected under HIPAA. The Hospital acknowledged that although the laptop was "password protected," this did not meet the health data protection standard required by the Hospital under its updated health information privacy and security policies.
Under the HITECH Act amendments to HIPAA, the Hospital was required to notify the subject patients within 60 days of the breach. The Hospital is also obligated to notify HHS' Office of Civil Rights (OCR). A recent review of the OCR database of breaches involving 500 or more individuals, which can be accessed at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html, reveals that many of the breaches reported to date involve the loss or theft of laptops and other types of portable electronic devices that had not been properly secured by way of "encryption" in accordance with the new HITECH Act amendments to HIPAA.
If you would like additional information, please contact Susan Ziel at sziel@kdlegal.com or (317) 238-6244.