The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has been actively enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) in 2016. As of August, covered entities and business associates (the organizations who are subject to HIPAA) have paid OCR more than $20 million to resolve allegations of HIPAA violations. A review of several recent OCR settlements highlights the particular compliance challenges that mobile devices – laptops, cell phones and thumb drives – present. These settlements also provide important lessons and takeaways for ensuring HIPAA compliance.
While there are many reasons a covered entity or business associate may want or need to use mobile devices in its business, appropriate precautions need to be taken when those devices contain protected health information (“PHI”). HIPAA breach reports (required to be made by law) involving mobile devices that led to significant settlements include:
- In March 2016, a medical research institute paid OCR $3.9 million after a laptop computer containing the electronic PHI of 13,000 patients and research participants was stolen from an employee’s car.
- In June 2016, a nursing home management company paid OCR $650,000 following the theft of an employee mobile device that contained the PHI of several hundred nursing home residents.
- In July 2016, one university paid OCR $2.7 million after reporting multiple breaches involving unencrypted laptops and a stolen thumb drive while another university academic medical center paid OCR $2.75 million following the theft of a laptop from the medical center.
Two (2) documents that OCR has routinely requested and reviewed in its investigations of HIPAA breach reports involving electronic PHI are the covered entity or business associate’s risk analysis and risk management plan(s).
The risk analysis and risk management plan(s) are the foundational elements for a covered entity or business associate’s compliance with the HIPAA Security Rule. A risk analysis evaluates the potential risks and vulnerabilities to the confidentiality, integrity and availability of the entity’s electronic PHI. The risk management plan is the organization’s strategy for implementing security measures to reduce the risks and vulnerabilities identified in the risk analysis to a reasonable and appropriate level. In order to be effective, the risk analysis and risk management plan must identify and evaluate all electronic PHI – including that stored on mobile devices.
Several lessons should be incorporated into HIPAA compliance plans from recent OCR settlements:
- Ensure risk analyses encompass all electronic PHI across the business enterprise, including affiliated entities;
- When vulnerabilities are identified by a risk analysis, implement measures to address the vulnerabilities in a timely manner;
- Have policies and procedures to address mobile device use and train workforce members on these policies; and
- If workforce members will be using mobile devices containing electronic PHI, have security measures in place to protect the electronic PHI – ideally by encryption.
As technology changes, new and different HIPAA compliance challenges emerge. No matter the type of technology, covered entities and business associates must address HIPAA compliance if PHI will be affected. An effective HIPAA compliance plan will instruct workforce members on how to proceed before implementing or utilizing any new technology affecting PHI within the organization. Proactive compliance may mitigate the harm that would result if a breach were to occur and may help settlement discussions with OCR.
Karilynn Bayus is an associate at Saul Ewing LLP in its Philadelphia office and Vice Chair of the Firm’s Health Care Practice. Karilynn represents health care providers and businesses in transactional, regulatory and administrative matters. Karilynn regularly writes and speaks on HIPAA issues.