Well, what I know is this...I've been reading more and more about HHS being increasingly aggressive about going after organizations regarding HIPAA breaches. Just Google it and you'll see that they are becoming very aggressive about breaches that aren't even a result of someone being directly irresponsible (for instance, someone breaks into your office and steals your computer). For example:
Article about stolen equipment

This article is another good one, which also mentions the tool that Sunil mentions above:

No More Excuses

Anyway, before the original posting, I'd done a LOT of research to bring our office into compliance with HIPAA-mandated privacy and security...but I honestly hadn't realized that a comprehensive security assessment and plan was also part of this. I suspect there are MANY other offices in this same situation. I know of one medical office that has *neither* data security (i.e., encryption) in place nor any policies or plans to do so. They are just completely oblivious.
It sounds like HHS is also now starting to fine people for not having an adequate security assessment and plan in place on top of the fines for the breach itself. I think that this is something that we're all going to have to come to terms with addressing. It is sure on my plan to do so as soon as I can get some time to get to it.
I purchased a new laptop with a self-encrypting drive. I plan on adding the same SED to our server. My server doesn't support an "ATA Password" in the BIOS, so I'm going to be getting an OPAL 2 compatible drive and enabling the encryption with software such as WinMagic SecureDoc or Softex SecureDrive. ANY data at my office containing PHI will be on an encrypted drive.