Recently, the U.S. Department of Health and Human Services (HHS) announced a settlement with the Hospice of North Idaho (HONI) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The $50,000 settlement is notable because it is the first HIPAA settlement involving a breach of electronic protected health information (ePHI) affecting fewer than 500 individuals. HHS has published the Resolution Agreement between HONI and HHS. HHS is clearly sending a strong message that covered entities must take concrete steps to safeguard patients’ health information.

The breach occurred in June 2010, when an unencrypted laptop computer containing the ePHI of nearly 450 patients was stolen. HONI reported the breach to the HHS Office for Civil Rights (OCR), and OCR conducted an investigation. OCR determined that HONI did not have the policies or procedures to ensure mobile device security that the HIPAA Security Rule requires. Additionally, HONI had not conducted a risk analysis, which the Security Rule requires as the basis for safeguarding ePHI.

Entities are required by the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule to report a breach of protected health information of 500 individuals or more to the Secretary of HHS and the media within 60 days after discovery of the breach.  Smaller breaches affecting fewer than 500 individuals must be reported to the Secretary on an annual basis.

OCR has launched a new initiative to provide organizations with practical tips on ways to protect ePHI on mobile devices.  Here are some of the top tips from OCR:

  1. Password Protect Mobile Devices.  This is one of the simplest things organizations can do to provide significant protection.  Providers should require all mobile device users to password protect all devices in use.
  2. Use Encryption.  OCR believes that providers should be using encryption to protect information and providers should expect harsher treatment in the event of a breach where no encryption is used.
  3. Install Remote Wiping or Remote Disabling.  Providers can install software that enables the user to erase all data on the device or disable it remotely.
  4. Prohibit File Sharing Applications.  While file sharing applications can be convenient when used within an organization, there are safer ways for providers to share information with each other.
  5. Install and Update Security Software.  Every mobile device should have security software installed to protect against malicious applications, viruses, spyware, and malware.  Additionally, the software should be updated frequently to ensure its continued effectiveness.

OCR publishes the full list of mobile device tips on its website.

The start of a new year is a good time to evaluate how well ePHI is protected within your organization. Organizations are taking advantage of mobile technology to provide quicker, better care to patients. However, mobile devices also create significant opportunities for breaches of ePHI, as the HONI laptop theft shows. To protect your organization, conduct a risk analysis to identify the greatest risks to ePHI, and implement changes that address them. Learn from the HONI settlement and create or update policies that specifically address mobile device security. An organization that does this will be in a better position to negotiate a settlement with OCR should a breach occur.