HIPAA and mobile devices is an area that many entities fall short because its easy to forget that these highly portable devices can contain so much information. We take for granted just how much they can carry until one goes missing. The Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) found out the hard way when a device belonging to them was stolen. An investigation by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) found numerous lapses that resulted in a massive fine.
CHCS is a healthcare business that offers management and computer services to skilled nursing homes. They performed this service as a Business Associate.
In 2014, an iPhone belongs to CHCS was stolen containing the PHI of 412 patients. The device was not encrypted or password protected. This exposed the records of those patients. The data included Social Security numbers, diagnosis and treatment information, procedures, and contact information for family members or guardians.
In addition, CHCS did not have any policies in place to handle HIPAA and mobile devices in their business. They had performed no Risk Assessment to know that these devices posed an enormous risk to the security if their PHI. Furthermore, they did not have policies in place to handle a breach after a device was stolen.
What was the result?
The investigation by OCR resulted in a fine of $650,000 and a corrective action plan for two years.
Keep in mind that this was a breach of only 412 patients. However, since CHCS had not even performed a Risk Assessment and had no policies in place to handle this kind of breach, the fine was much higher. This sort of action could be considered willful neglect.
“Business associates must implement the protections of the HIPAA Security Rule for the electronically protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels
What do HIPAA and mobile devices have to do with each other?
Healthcare has changed a great deal in the last ten years. Computers are now commonplace but so are mobile devices such as phones and tablets. these devices can carry an enormous amount of data on them and when lost or stolen, can cause a great deal of damage to many patients.
This is why the HIPAA Security Rule has encryption requirements. These requirements are designed to protect data on easily stolen devices such as phones, tablets, and backups.
When most entities think about their PHI and where it is, they usually just consider computers and servers. Mobile devices are usually forgotten. However, these devices are often a much bigger risk due to the chances of theft or being lost.
What can you do about complying with HIPAA and mobile devices in your practice?
The first step is to perform a thorough Risk Assessment. Identify the threats that your practice is exposed to. What areas are the most likely? If you use mobile devices, where and when are they used? Do they leave the practice?
Once you have identified the threats, make a plan to reduce, or mitigate the risk. This is usually done by using device encryption and strong passwords. That way, if the devices are stolen or lost, the data is still safe.
Are there other areas of your practice where encryption should be used? All workstations and servers should utilize encryption, especially if your Risk Assessment identifies your area as having a higher risk of burglary or insider theft.
Before deploying mobile devices in your organization, ensure that the proper risk analysis has been performed. In addition, create the policies and procedures to protect the data on these devices. Don’t let convenience cause a breach in your compliance.
According to Verizon, 25% of all healthcare organizations in the United States have had a breach due to mobile devices in 2018. As these devices become more prevalent, that number will only go up. The study also found that of the breaches involving mobile devices, 67% were found to be major breaches and of those, 40% had major repercussions where remediation was documented as being both expensive and difficult.
Based on these numbers, it appears that most organizations are not reporting these breaches as required under HIPAA regulations.
CHCS had an iPhone containing the patient information of 412 patients stolen. The iPhone was not encrypted or password protected. In addition, a Risk Assessment had never been performed and no policies were in place on how to handle a breach of this type or how to handle HIPAA and mobile devices within the organization.
As a result, OCR fined CHCS $650,000 for the breach and required a two-year corrective action plan.