Two recent settlements imposed by the Office of Civil Rights (OCR) draw attention to the unacceptable risk to the security of patient information rendered by unencrypted devices, and the consequences that organizations, both large and small, may face resulting from a breach. Susan McAndrew, Deputy Director of Health Information Privacy, stated it clearly for providers, “Our message to these organizations is simple: encryption is your best defense against these incidents.”
In the first case, Concentra Health Services has agreed to pay $1,725,220 to the OCR to settle potential violations resulting from the theft of an unencrypted laptop, according to the US Department of Health & Human Services (HHS). Although Concentra had taken steps to begin encrypting all devices, OCR found its efforts were “incomplete and inconsistent, over time leaving PHI [protected health information] vulnerable throughout the organization.”
Additionally, and perhaps more concerning to small physician practices is the OCR’s enforcement action against QCA Health Plan in Arkansas. While Concentra’s stolen laptop put the PHI of 870 patients at risk, the laptop stolen from a QCA employee’s car held only 148 individuals’ PHI. This Arkansas insurer was fined $250,000 as the OCR felt that QCA’s “pervasive disregard of HIPAA security rule requirements from the April 2005 compliance date” called for a higher level of enforcement.
This is the second time OCR has taken corrective action against an organization for a breach affecting less than 500 individuals and demonstrates its willingness to enforce HIPAA on any breach—big or small.
If your practice hasn’t started planning for device encryption, now is the time to start. The daily headlines evidence that it is no longer about protecting PHI if you experience a breach, but when. Take the time to protect your patients and your practice. Some steps to consider include:
- Conduct a risk assessment. The first step to safeguarding your patients’ PHI is identifying vulnerabilities in your practice that need to be addressed.
- Document a correction action plan. When critical risks are identified, it is essential to outline a timeline and the expected completion dates of specific security measures in order to evidence the remediation of vulnerability findings. If a device is not encrypted, document why encryption is not reasonable and implement an alternative security measure.
- Check your Mobile Device Security policies and procedures. Does your organization have them? Are all staff members following them? The HIPAA Security Rule requires it.
- Enlist IT help. IT professionals can help ensure that your practice provides secure ways for staff to access data when they are off site. This will also help prevent staff from using unsecured personal devices to access patient data!
- Mind your employees’ mobile devices. If employees access PHI from a mobile device, encrypt the device. Ideally, data should be accessed only through a secure remote desktop application, or a password-protected Internet interface.
- Avoid non-secured email. Make sure your practice uses an encrypted email system or a secure patient portal when transmitting patient information.
- Inventory. Conduct an inventory assessment of all devices in your practice’s environment and identify which devices need to be encrypted, i.e. any that are used to store, access, or transmit PHI. BYOD, or “Bring Your Own Device,” personal devices, such as laptops and smartphones, should also be accounted for and encryption required.
Consider taking advantage of educational programs regarding HIPAA Privacy & Security Rules compliance. OCR offers programs with free Continuing Medical Education credits and includes a program specifically on mobile device security.