On Aug. 4, 2016, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced its largest settlement with a single entity for alleged HIPAA violations: $5.55 million with covered entity (CE) Advocate Health Care Network. The underlying incidents included the theft of an unencrypted laptop, from a workforce member's vehicle, containing more than 2,000 individuals' unsecured electronic protected health information (ePHI). This was the third settlement in less than two weeks to address violations stemming in whole or in part from portable electronic devices (PEDs): OCR also entered a $2.75 million settlement with a CE related in part to a stolen unencrypted laptop, and a $2.7 million settlement with a CE related in part to unencrypted laptops and a stolen unencrypted thumb drive.
Far from an isolated incident, this "run" of settlements is the latest in a series of similar incidents involving the loss, theft, or breach of PEDs belonging to HIPAA CEs and their business associates (BAs). Regulated entities should be particularly concerned in light of the potential for financial and medical identity theft, and OCR's ongoing Phase 2 compliance audits.
PEDs, including laptops, flash drives, external hard drives, tablets, smartphones, backup media, and CDs, are ubiquitous to the point that it is difficult to imagine conducting business without them. They can be invaluable points-of-care in the health care setting, as they allow providers to immediately access a range of critical patient data, whether in the office or a less traditional care setting. But with boons come burdens, including unique data breach risks. The features that make PEDs so appealing and useful -- their size and portability -- can also be their (and their owners') HIPAA undoing.
CEs and BAs lose a measure of control over ePHI once it leaves the entity's premises. According to a 2015 study of 949 large breaches between 2010 and 2013, more than half resulted from loss or theft of portable media or paper. PEDs, by their very nature, are easily lost, misplaced, or stolen. At the same time, in the health care setting, PEDs likely contain, or provide users with access to, myriad sensitive patient data, including clinical, demographic, and financial information. These two attributes combine to disastrous effect if patient data is not secured, i.e., encrypted or otherwise rendered unusable, unreadable, or undecipherable to unauthorized persons.
Compliance steps you can take now:
1. Encrypt, encrypt, encrypt.
2. Include PED security as part of your organization's top-to-bottom compliance.
3. Perform an accurate, thorough, organization-wide HIPAA Security Rule risk analysis that specifically includes PEDs.
4. Implement a risk management plan to address vulnerabilities and risks identified in the Security Rule risk analysis, including those associated with PEDs.
5. Implement policies and procedures that govern PEDs, and train your workforce. Enforce a sanctions policy for violations.
6. Execute compliant business associate agreements to ensure your BAs also safeguard protected health information on PEDs.
In the world of health information security, the best defense is a good offense. A robust risk analysis and risk management plan, well-tailored policies and procedures, and workforce training at all levels (including the C-suite) are essential to keeping your PED data safe.
Kimberly Metzger, CIPP/US, CIPM, is a partner at Ice Miller LLP. She can be reached at email@example.com or (317) 236-2296. Deepali Doddi, CIPP/US, is an associate at Ice Miller LLP. She can be reached at firstname.lastname@example.org or (312) 726-7134. To read an extended version of this article, visit: www.IceMiller.com/PEDs

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.