Cyber security
Respond: agree or disagree. 100 word minimum.
The case of the HIPAA violation by an employee of Howard University Hospital was clearly an intentional criminal act of selling patient information. The employee’s sole purpose was to sell the patient information for monetary gain. In the consultant case of the stolen laptop, there was no intentional act of providing patient information to an outside entity, and no criminal intent on the consultant’s part. At the time of the article there was no evidence that the patients’ files had been accessed.
I do not believe the consultant should have been charged, due to the lack of criminal intent. Rather, it was a matter of a few questionable decisions. First, the consultant should not have downloaded the patient information onto their laptop, as it violated hospital privacy rules. The data was password protected but not encrypted, which was not a good decision. Second, the consultant should not have left the laptop in a vehicle, possibly visible to anyone passing by. A third questionable decision was not deleting the Howard University patient files when the consultant’s contract ended.
Precautions the hospital could have taken, and did take, in the stolen laptop case include not allowing hospital records to be loaded onto a consultant’s laptop. This download of information was a violation of the hospital’s privacy rules as well as federal law. Another precaution would be to require encryption of the files in addition to password protection. According to Healthcare Innovation, Howard University Hospital strengthened its contractor policies to require encryption. In addition, any laptops issued by Howard University to personnel will be encrypted. The hospital could also have provided a company laptop to the consultant, which would have resulted in the consultant’s own laptop not being stolen.
In the case where the employee sold patient information, the hospital could have used encryption technology to allow texting of information; both sender and receiver must have the technology installed on their devices. Regardless of whether the individual is a hospital employee or one of the physician’s employees, HIPAA training needs to be required. In the case of the employee, without more details I do not know how the information was transferred to the buyer, so it is difficult to say what other mitigations could have prevented this breach. Clearly the employee was performing a criminal act for monetary gain.
References:
Healthcare Innovation (2012). D.C. Area Hospital Suffers Data Breach, Approximately 34,000 Patients Affected. https://www.hcinnovationgroup.com/cybersecurity/privacy-security/news/13019415/dc-area-hospital-suffers-data-breach-approximately-34000-patients-affected
MicroWize Technology (2012). Data Breaches at Howard University Hospital. https://microwize.com/data-breaches-at-howard-university-hospital/