$3 Million HIPAA Settlement for Failing to Encrypt Mobile Devices

Mobile devices such as laptops, smartphones, and tablets have many beneficial uses in a healthcare facility, provided the appropriate safeguards are in place. Mobile storage media such as external hard drives and flash drives are equally convenient when properly safeguarded.

Without those safeguards, these devices are at high risk of compromise if they are lost, stolen, or otherwise end up in the hands of bad actors. Encryption is the safeguard that matters most here: under the HIPAA Breach Notification Rule, ePHI that is encrypted in accordance with HHS guidance is treated as "secured," so the loss of an encrypted device does not by itself trigger breach notification, whereas the loss of an unencrypted device generally does.

In November 2019, one covered entity agreed to pay $3 million to the Office for Civil Rights (OCR) and to undertake substantial corrective action to settle potential violations of the HIPAA Privacy and Security Rules. According to OCR's announcement, the covered entity filed breach reports in 2013 and 2017 after discovering that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and the theft of an unencrypted laptop.

OCR's investigation revealed that the covered entity failed to do the following:

  • Conduct an enterprise-wide security risk analysis (SRA)
  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
  • Implement device and media controls
  • Employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) where doing so was reasonable and appropriate

OCR had previously investigated the covered entity over a similar breach involving a lost unencrypted flash drive and had provided it with technical assistance at that time. OCR noted that despite that earlier investigation, and despite the entity's own risk analysis identifying the lack of encryption as a high risk to ePHI, the entity continued to use unencrypted mobile devices.

"Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk," said Roger Severino, OCR Director. "When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect."

Have questions about mobile device security or other compliance matters? We can help. Feel free to send us an email: support@hcp.md or reach us by phone: 855-427-0427.