Properly encrypt and protected electronic protected health information (ePHI) on laptops and in other mediums!
That's the clear message of the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) in its announcement of its first settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule involving a breach of ePHI of fewer than 500 individuals by a HIPAA-covered entity, Hospice of North Idaho (HONI).
The settlement shows that the Office of Civil Rights stands ready to penalize these healthcare providers, health plans, healthcare clearinghouses and their business associates (covered entities) when their failure to properly secure and protect ePHI on laptops or in other systems results in a breach of ePHI even when the breach affects fewer than 500 individuals.
HIPAA Security & Breach Notification For ePHI
Under the originally enacted requirements of HIPAA, covered entities and their business associates are required to restrict the use, access and disclosure of protected health information and establish and administer various other policies and safeguards in relation to protected health information. Additionally, the Security Rules require specific encryption and other safeguards when covered entities collect, create, use, access, retain or disclose ePHI.
The Health Information Technology for Economic and Clinical Health (HITECH) Act amended HIPAA, among other things to tighten certain HIPAA requirements, expand its provisions to directly apply to business associates, as well as covered entities and to impose specific breach notification requirements. The HITECH Act Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a "breach," of 500 individuals or more (Large Breach) to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals (Small Breach) must be reported to the Secretary on an annual basis.
Since the Breach Notification Rule took effect, the Office of Civil Rights' announced policy has been to investigate all Large Breaches and such investigations have resulted in settlements or other corrective action in relation to various Large Breaches. Until now, however, the Office of Civil Rights has not made public any resolution agreements requiring settlement payments involving any Small Breaches.
Hospice Of North Idaho Settlement
On January 2, 2013, the Office of Civil Rights announced that Hospice of North Idaho will pay the Office of Civil Rights $50,000 to settle potential HIPAA violations that occurred in connection with the theft of an unencrypted laptop computer containing ePHI. The Hospice of North Idaho settlement is the first settlement involving a breach of ePHI affecting fewer than 500 individuals. Read the full HONI Resolution Agreement here.
The Office of Civil Rights opened an investigation after Hospice of North Idaho reported to the Department of Health and Human Services that an unencrypted laptop computer containing ePHI of 441 patients had been stolen in June 2010. Hospice of North Idaho team members regularly use laptops containing ePHI in their field work.
Over the course of the investigation, the Office of Civil Rights discovered that Hospice of North Idaho had not conducted a risk analysis to safeguard ePHI or have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, Hospice of North Idaho has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
While the Hospice of North Idaho settlement marks the first settlement on a small breach, this is not the first time the Office of Civil Rights has sought sanctions against a covered entity for data breaches involving the loss or theft of unencrypted data on a laptop, storage device or other computer device. In fact, the Office of Civil Rights' first resolution agreement — reached before the enactment of the HIPAA Breach Notification Rules — stemmed from such a breach (see Providence To Pay $100000 & Implement Other Safeguards).
Breaches resulting from the loss or theft of unencrypted ePHI on mobile or other computer devices or systems has been a common basis of investigation and sanctions since that time, particularly since the Breach Notification rules took effect. See, e.g., OCR Hits Alaska Medicaid For $1.7M+ For HIPAA Security Breach. Coupled with statements by the Office of Civil Rights about its intolerance, the Hospice of North Idaho and other settlements provide a strong warning to covered entities to properly encrypt ePHI on mobile and other devices.
Furthermore, the Hospice of North Idaho settlement also adds to growing evidence of the growing exposures that health care providers, health plans, health care clearinghouses and their business associates need to carefully and appropriately manage their HIPAA encryption and other Privacy and Security responsibilities. See OCR Audit Program Kickoff Further Heats HIPAA Privacy Risks; $1.5 Million HIPAA Settlement Reached To Resolve 1st OCR Enforcement Action Prompted By HITECH Act Breach Report; and, HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. Covered entities are urged to heed these warnings by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures.
Office of Civil Rights Director Leon Rodriguez, in OCR's announcement of the Hospice of North Idaho settlement, reiterated the Office of Civil Rights' expectation that covered entities will properly encrypt ePHI on mobile or other devices. "This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information." said Rodriguez. "Encryption is an easy method for making lost information unusable, unreadable and undecipherable."
In the face of rising enforcement and fines, the Office of Civil Rights' initiation of HIPAA audits and other recent developments, covered entities and their business associates should tighten privacy policies, breach and other monitoring, training and other practices to reduce potential HIPAA exposures in light of recently tightened requirements and new enforcement risks.
In response to these expanding exposures, all covered entities and their business associates should review critically and carefully the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Office of Civil Rights' investigation and enforcement actions, emerging litigation and other enforcement data, their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.
New Office Of Civil Rights HIPAA Mobile Device Educational Tool
While the Office of Civil Rights' enforcement of HIPAA has significantly increased, compliance and enforcement of the encryption and other Security Rule requirements of HIPAA are a special focus of the Office of Civil Rights.
To further promote compliance with the Breach Notification Rule as it relates to ePHI on mobile devices, the Office of Civil Rights and the HHS Office of the National Coordinator for Health Information Technology (ONC) recently kicked off a new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information. The program offers health care providers and organizations practical tips on ways to protect their patients' health information when using mobile devices such as laptops, tablets, and smartphones. For more information, see here.
For more information on HIPAA compliance and risk management tips, see here.
