Consider the following scenario: During the pandemic in 2020, a medical facility employee used a laptop to work. The laptop, which contained electronic protected health information (ePHI), was left in the employee’s car and stolen while the vehicle was parked in a public lot. The ePHI contained patient names, medical record numbers, medication information and demographic data for 20,431 patients. An Office for Civil Rights investigation followed with an eventual Corrective Action Plan (CAP) and a monetary penalty for the practice of $1,040,000.
In this scenario, the OCR found that the practice failed to implement required policies and procedures for tracking and inventorying of portable devices containing ePHI. Another finding of the investigation was failure to implement security procedures based on past security risk assessments that identified mobile devices as vulnerable to breach.
Protected health information must be protected wherever it resides or is transmitted, including on mobile devices such as smartphones, tablets and laptops. While there were several security concerns, this case illustrates two critical mobile device security problems often overlooked: technical access to the device and securing ePHI.
The HIPAA Security Rule requires a covered entity to comply with the Technical Safeguard standards and certain implementation specifications. One specification is control of access to the device and the information it contains, i.e., providing users with rights and/or privileges to access and perform functions based on a set of access rules.
Device user authentication is a primary Security Rule Administrative Safeguard requirement, i.e., having “policies and procedures for granting access to electronic protected health information” and implementing “procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” The method of authentication is not specified in the regulations. The most common authentication method is a password, but it might also include a second factor, such as an SMS code or biometric authentication, e.g., a fingerprint.
Policy and procedure considerations for mobile device ePHI access include:
- Access procedures are consistent with the regulations
- Performance of defined authorization and clearance procedures
- Levels of access based on work requirements
- Authentication by use of something known, possessed or unique to the individual
- Storage of individual authentication information
- Password construction and management
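The last two items above, storage of individual authentication information and password construction and management, are the ones most often implemented badly on a workstation or practice-management application. The following is an added example, not code from LAMMICO or from any product the article discusses, showing how stored authentication information should look: each password is salted and stretched with PBKDF2-HMAC-SHA256 from the Python standard library, so a stolen credential database does not expose the passwords themselves, and verification uses a constant-time comparison. The iteration count, the minimum length and the small blocklist of common passwords are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumptions for this example: work factor and policy thresholds are illustrative.
PBKDF2_ITERATIONS = 600_000
MIN_LENGTH = 12
# Constructed blocklist; a real deployment would use a much larger list.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "welcome2021"}


def check_password_policy(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Produce the record that is stored instead of the password itself.

    Format: pbkdf2_sha256$<iterations>$<salt>$<digest>. The random per-user salt
    means two users with the same password get different records, and the
    iteration count makes offline guessing of a stolen record expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record without ever recovering the password."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: a password that passes policy and one that does not.
    print(check_password_policy("password"))
    record = hash_password("correct-horse-battery-staple")
    print(record)
    print(verify_password("correct-horse-battery-staple", record))
    print(verify_password("wrong-password", record))
```

The stored record carries its own salt and iteration count, so the work factor can be raised later for new records without invalidating old ones; only the record, never the password, is written to disk.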
In the above scenario, the laptop ePHI was considered to be breached since it was not secured, i.e., “…not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified…” by the Secretary of HHS. “Secured” would mean destruction of the information or encryption. Federal policy does not mandate the use of encryption, but the OCR highly recommends its use. The Security Rule Technical Safeguards require authentication and, when appropriate, encryption of ePHI. Employee training should be clear that there can be no breach of ePHI when information is encrypted.
Policy and procedure considerations for securing mobile device ePHI include:
- Identification and inventory of devices holding ePHI
- Tracking of device locations
- Encryption of ePHI
- Standards for device transmission of ePHI
- Procedures for removal of ePHI
- Disposal of mobile devices containing ePHI
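The first three items on this list, together with the point above that lost ePHI counts as breached only when it was not encrypted, lend themselves to a small inventory check that a practice can run against its device register. The following is an added example, not code from LAMMICO or any product the article discusses: it audits a constructed device register for the two findings the OCR cited in the scenario (ePHI on a device without encryption, and devices that have dropped out of tracking) and classifies a reported loss according to whether the ePHI on the device was secured. The field names, the 30-day check-in threshold and the sample devices are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# Assumption: a device that has not checked in for this long is treated as untracked.
MAX_CHECKIN_AGE = timedelta(days=30)


@dataclass
class Device:
    asset_tag: str
    owner: str
    kind: str           # laptop, tablet, smartphone
    holds_ephi: bool    # per the practice's data-classification review
    encrypted: bool     # full-disk encryption confirmed, e.g. by device management
    last_seen: date     # last inventory / management check-in


class LossOutcome(Enum):
    NO_EPHI = "no ePHI on device: no breach"
    SECURED = "ePHI encrypted (secured): not a breach"
    UNSECURED = "unencrypted ePHI (unsecured): presumed breach, start risk assessment and notification"


def audit_inventory(devices: list[Device], today: date) -> list[tuple[str, str]]:
    """Return (asset_tag, finding) pairs for devices that violate the mobile-device policy."""
    findings = []
    for d in devices:
        if d.holds_ephi and not d.encrypted:
            findings.append((d.asset_tag, "holds ePHI without encryption"))
        age = today - d.last_seen
        if age > MAX_CHECKIN_AGE:
            findings.append((d.asset_tag, f"no inventory check-in for {age.days} days"))
    return findings


def classify_loss(device: Device) -> LossOutcome:
    """Classify a lost or stolen device by whether its ePHI was secured (encrypted)."""
    if not device.holds_ephi:
        return LossOutcome.NO_EPHI
    if device.encrypted:
        return LossOutcome.SECURED
    return LossOutcome.UNSECURED


# Constructed sample register; tags, owners and dates are made up for the example.
SAMPLE_DEVICES = [
    Device("LT-0001", "dr.example", "laptop", holds_ephi=True, encrypted=True, last_seen=date(2021, 10, 28)),
    Device("LT-0002", "nurse.example", "laptop", holds_ephi=True, encrypted=False, last_seen=date(2021, 10, 30)),
    Device("TB-0003", "frontdesk.example", "tablet", holds_ephi=False, encrypted=False, last_seen=date(2021, 8, 1)),
    Device("PH-0004", "billing.example", "smartphone", holds_ephi=True, encrypted=True, last_seen=date(2021, 7, 15)),
]


def run_sample_audit(today: date = date(2021, 11, 1)) -> list[tuple[str, str]]:
    return audit_inventory(SAMPLE_DEVICES, today)


if __name__ == "__main__":
    for tag, finding in run_sample_audit():
        print(f"{tag}: {finding}")
    # The article's scenario: a laptop holding unencrypted ePHI is stolen from a car.
    print(classify_loss(SAMPLE_DEVICES[1]).value)
    # The same loss with encryption in place.
    print(classify_loss(SAMPLE_DEVICES[0]).value)
```

Run against a real register, the audit output is the list of devices to remediate before a loss happens; the classification function records the reasoning the practice would need to show an investigator after one.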
This scenario is also an excellent example of the high cost of medical data breaches. The $1 million monetary penalty was only part of the cost. The average total cost of an ePHI breach to a medical practice is approximately $429 per record. Obviously, the prevention of ePHI breaches is important to protect patient safety, but there are also financial reasons to consider.
In this scenario, a Security Risk Analysis was conducted and identified potential problems, but the mitigation of the identified risks, i.e., the use of encryption, was never implemented. The continuing security efforts of every medical practice should address the essential requirement of preventing ePHI breaches by securing the information on mobile devices, including strong authentication and encryption.
HIPAA Webinar – November 16 at noon
For additional insights on preventing an ePHI breach and other HIPAA-related issues, register for LAMMICO’s HIPAA webinar, which will be presented on November 16, 2021, at noon by Kenneth E. Rhea, M.D., FASHRM and Geri F. Cook, RHIA, CPHRM. This complimentary webinar is available to LAMMICO insureds and their practice staff and will address current compliance requirements including the nature of PHI, PHI breaches, security risk analysis, security of internet and remote communications and workforce security training.
To register, log in as a Member and select "Webinars" from the drop-down menu under your name if you are using a desktop or laptop computer or tablet. If possible, please register at least 24 hours in advance of the webinar.
For more information on the webinars, contact the LAMMICO Risk Management and Patient Safety Department at 504.841.5211.
LAMMICO/Medical Interactive designates this live internet activity for a maximum of up to one (1) AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity. LAMMICO/Medical Interactive designates this live internet activity for a maximum of up to one (1) contact hour for nurses. LAMMICO insureds will receive up to one (1) Risk Management Premium Discount Credit.