Imagine you have left your laptop unattended in your car while you quickly run into the grocery store. As you come back out with groceries, you notice your window is smashed, and the laptop has been stolen.
Is the information on your laptop encrypted? Or, are there other reasonable safeguards in place to protect the information in the event the laptop is stolen? Can sensitive information be accessed?
Not having reasonable and appropriate security measures in place could prove to be costly.
In a news release last week it was reported that two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential HIPAA Privacy and Security violations. These violations were a result of significant risk to security of PHI possessed by unencrypted laptops and other mobile devices.
OCR opened a compliance review on an entity upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities. The entity had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing ePHI was a critical risk. Encryption steps were taken, but not complete, and inconsistent over time leaving patient PHI vulnerable through the organization. In addition, the entity had insufficient security management processes in place to safeguard patient information. To settle the potential violations, the entity agreed to pay OCR $1,725,220 and the entity will adopt a corrective action plan to evidence their remediation of these findings.
The second entity mentioned in the news release was in regard to a breach notice OCR received in February 2012 reporting that an unencrypted laptop computer containing the ePHI of 148 individuals was stolen from a workforce member's car. The entity encrypted their devices following discovery of the breach. However, OCR's investigation revealed the entity failed to comply with multiple requirements of the HIPAA Privacy and Security Rules. The entity agreed to a $250,000 monetary settlement and was required to provide HHS with an updated risk analysis and a corresponding risk management plan that includes specific security measures to reduce the risks and vulnerabilities of its ePHI. The entity was also required to retrain its workforce and document its ongoing compliance efforts.
"Covered entities and business associates must understand that mobile device security is their obligation," said Susan McAndrew, OCR's deputy director of health information privacy. She goes on to say "our message to these organizations is simple: encryption is your best defense against these incidents."
Our recommendation
We recognize encryption and decryption are considered the best ways to protect electronic health information; however, they may not be reasonable for all covered entities.
Under HIPAA, encryption and decryption is an addressable implementation specification. An addressable implementation specification means covered entities may use any security measures that are reasonable and appropriate.
We recommend considering encryption and decryption as a safeguard to ensure health information is adequately protected in the event of theft, or from information being illegally accessed.
If encryption isn't a reasonable option, here are some reasonable steps you can take to protect electronic health information:
- Laptops and other handheld devices are easy targets for theft. Do not leave them unattended.
- Set strong account passwords to protect laptops form being accessed by unauthorized individuals or entities.
- Install anti-theft software, such as Norton Anti-Theft, for laptops, smartphones and tablets.
- When your laptop or other mobile device is not in use, lock it up. For example, instead of leaving the laptop in plain sight when you leave at night, lock it up in a locking drawer or cabinet.
- Consider using the encryption technology bundled with the Windows or Macintosh operations systems to at least provide a layer of protection against casual thieves.
- Access vs storage: some devices, such as tablet PCs and digital phones, can be configured with software that only serves to capture and retrieve data, not store it. In this case, loss or theft of the device is less of a concern from an ePHI perspective. Be aware that if the device is wireless, the device could still be used to gain access to ePHI if the locations of the wireless access points are known (see HIPAA Security Reference Guide: Device and Media Controls for more information).
It is important to train your workforce on how to properly handle, transfer, store, retain, and destroy devices and media containing ePHI. A stolen laptop that doesn't have appropriate and reasonable security measures in place or is accessed illegally can be costly. For two entities it cost $1,975,220 collectively to resolve potential HIPAA Privacy and Security violations, due to stolen unencrypted laptops. These enforcement actions serve as a reminder of the real risks a covered entity or business associate faces when PHI on a laptop or mobile device is accessed and/or stolen. Sensitive information should never be at risk for improper disclosure. For this reason, encryption is the best protection against such incidents.
If you have any questions please do not hesitate to contact one of our professional consultants.