A more extensive article on the topic is available at Laptop Theft and Confidentiality. Feel free to share this important link with your colleagues or to post it on your favorite listserv, chatroom or blog.
Increasing numbers of therapists are traveling with their laptops to conferences, vacations, and between homes and offices. Some estimates suggest that a laptop is stolen every minute and most of them are never recovered. Laptops are stolen from cars, offices, and homes and are mistakenly left behind in cabs, coffee houses, hotel rooms, and restrooms. Stolen laptop computers that contain clients' private and confidential information often result in serious breaches of confidentiality.
In one of the few enforcements ever by HIPAA, Health and Human Services, a Seattle home health company, has been recently forced to pay a $100,000 settlement because laptops and disks containing individuals' health records were taken from company employees' cars. The agreement seems to signal that HIPAA is finally taking a tougher stance toward violations, and they may have started to shift from the education approach they have taken so far to an enforcement mode.
While laptops are here to stay and theft and breaches of confidentiality cannot be always avoided, there are protective measures that psychotherapists, counselors, and administrators should seriously consider.
How to Handle Laptops and Laptop Theft (a partial list):
- The use of laptop computers must be addressed in the informed consent process, and potential drawbacks or risks involved must be discussed along with all precautions taken to preserve and protect each counseling client's confidentiality.
- Therapists may inform clients of electronic storage of clinical records via their Office Policies or, when appropriate, in person. (See also Clinical Forms.)
- If you keep electronic clinical records, it means that you are a "Covered Entity" under HIPAA and must be HIPAA compliant. Becoming HIPAA compliant is not difficult. (HIPAA online course for CE credits.)
- Make sure that your laptop has a security password, virus protection, and a firewall.
- Backup, Backup, and Backup. Keep backup disks off-site.
- As required by HIPAA, document your office policies regarding laptop security.
- Treat the laptop like cash in your wallet and never leave it unattended.
- Comply with HIPAA law and monitor others carefully when you let them access your computer or laptop.
- Therapists who use billing programs might want to contact the software company to see if they have any helpful hints regarding security for their product.
- When deleting confidential records from your laptop, you must use special software to wipe the hard drive clean. Unless you are highly technical, get a techie to help you.
- Strictly follow all security procedures each and every day. It just takes one minute away from your laptop, putting it down unattended for 30 seconds, not backing up data just one time, failing to use password protection one time, or letting virus protection software lapse one day to violate clients' trust and your responsibilities to protect and preserve clients' privacy in every reasonably available way.
- Therapists should assess whether or not a stolen laptop only contains confidential clinical information or also includes billing information, which may provide data (social security numbers, for instance) that can be used to steal the identity of any and all patients.
- Extreme, super-diligent and rarely used methods for protecting your laptop may be worthy of consideration (but are not mandatory):
- Encryption, though often recommended, is rarely, if ever, used by psychotherapists and staff in private practice or small clinic settings.
- Physically securing a laptop with a locking cable whenever you are not personally carrying it.
- Visual locks and restraints to secure your laptop and to act as a deterrent.
- Anti-theft software that can track and locate your laptop through the IP address once the stolen laptop is used to access the Internet.
- Invisible ultraviolet markings.
- Installing a system on your laptop that enables you to remotely self-destruct documents.
After a Laptop is Stolen & Patients' Confidential Information may be Compromised (partial list):
- Notify any clients who may be affected with such breach of confidentiality, unless there are reasons (i.e., client is suicidal or in crisis) not to do so.
- Assess whether the lost computer may also contain personal information that can readily lead to identity theft.
- File a report with police and with other agencies and institutions if, and as, required.
- If appropriate, notify other people (non-clients) who may be significantly affected with such a breach.
- Consult with your state or national ethics committee or your malpractice insurer.
- Consult with your billing software vendor, if you have one.