Imagine your practice filed a breach report with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR – a few years ago – regarding the loss of a smartphone that contained unsecured electronic protected health information (ePHI) for several individuals. As part of the process, you provided notification and included mitigation steps your practice will do to correct the breach and future incidents.
Over the span of a couple of years your practice implemented some changes you think will sufficiently safeguard your devices.
Now, imagine you have the theft of a laptop from your facility. The laptop is contains access to and storage of ePHI for several individuals. Your investigation reveals the laptop is not encrypted and is missing an equivalent alternative measure on your devices containing ePHI.
How might OCR respond to a separate breach report regarding an unsecured device?
OCR recently announced a civil monetary penalty against Children’s Medical Center of Dallas based on its impermissible disclosure of unsecured ePHI and non-compliance over many years with multiple standards of the HIPAA Security Rule. As a result, Children’s Medical Center of Dallas paid a full civil monetary penalty of $3.2 million.
According to OCR’s investigation, Children’s Medical Center of Dallas:
- Was in noncompliance with HIPAA Rules, specifically, a failure to implement risk management plans, contrary to prior external recommendations to do so.
- Failed to deploy encryption or an equivalent alternative measure on all of its laptops, work stations, mobile devices and removable storage media until after the second breach occurred.
What does this tell us?
OCR takes non-compliance with HIPAA Rules very seriously. Your practice must ensure you must comply with HIPAA Rules and ensure you have reasonable and adequate safeguards in place on any devices that may access, create, modify or store ePHI. If you are using an unsecure device for any of these purposes, you should work with your compliance officer to make sure HIPAA requirements are addressed.