Home Care Law Blog Gilliland  & Markette LLP


3905 Vincennes Road
Suite 204
Indianapolis, IN 46268
Phone: (317) 704-2400
Fax: (317) 704-2410

Security Policies and Procedures - are they being followed?

Posted by: Robert Markette
September 16, 2006

I was reading this week's issue of Home Health Line…, as I try to do every week, and noted the lead story involved another HHA who had a laptop stolen when an agency employee left a laptop in her car overnight. The agency incurred a great deal of expense as a result of the laptop theft, over $170,000 all told. Another agency incurred even more costs and is defending a class action lawsuit.

The costs these agencies incurred may be larger than those most agencies would face, but they reinforce a key point – the cost of responding to a privacy or security breach can be significant. Even small agencies will have significant costs resulting from notifying patients of a breach.

Now most agencies will not need to set up call centers to handle privacy violation hotline calls, but even small agencies will have to have someone respond to calls regarding the incident. This will take time, time the employee might spend on other work. It is worth considering these costs, because it may lead you to conclude a few more security steps are worthwhile, especially when you consider that the incidents in these cases were the result of agency employees failing to follow policies or making obvious security errors.

The first thing to consider is more employee education.  For example, making sure your employees do not write their passwords on their computers, something the employee in the HHL story had done.  It never ceases to amaze me that even now, people still write their passwords down on their computers.  The best security software in the world is absolutely worthless if your employees write their passwords down on or near their computers.

The article pointed out that, after the incident, the agency checked all of their laptops to see if any other agency employees were doing this. Perhaps the real lesson here is that if you use laptops, you should consider, as part of any ongoing audit process, checking that employees are not writing down passwords and usernames. (You should probably do this for all computers.) This should be accompanied by disciplinary action against any violators and education efforts to explain to your staff why they should not write down their passwords on their laptops. (Would they leave their keys in their front door at night or in their car's ignition? Then why would they leave the “keys” to their laptop in the “door”?)

Another point to “audit” and educate employees about is leaving laptops or other electronic devices in their cars overnight.  Not only does this pose a security risk to your information, but the computer is not cheap.  You can bet the employees would not leave their own laptop or PDA in their car overnight.  They would be conscious about bringing it inside.  They should treat your equipment similarly.

Another aspect of the story was another agency whose employees were taking electronic records home with them as backups, against company policy.  Again, the agency has run into huge liability, including a class action, because the agency’s employees failed to follow the agency’s policies.

The moral of these stories is that you should not assume your employees are following your policies.  In fact, you should be more proactive in checking to make sure that your policies are being followed and educating your employees – even on points you may think are obvious.

        



The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation.

Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.