On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.
In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).
OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
The full Resolution Agreement and Corrective Action Plan may be accessed here.
This settlement is a reminder to covered entities and business associates, including wireless health service providers, to ensure that they have complete and up-to-date policies and procedures necessary to comply with the HIPAA Privacy and Security Rules. The HIPAA Security Rule also requires covered entities and business associates to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of the confidentiality, integrity and availability of their ePHI, and implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.
“Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected,” said Roger Severino, director of the OCR, in the press release.
To help covered entities and business associates protect and secure ePHI when using mobile devices, the Office of the National Health Coordinator for Health Information Technology within HHS has provided tips and information, available here. Key tips include: (1) use a password or other user authentication; (2) install and enable encryption; (3) install and activate remote wiping and/or disabling; (4) disable and do not install file-sharing applications; (5) install and enable a firewall and security software, including regular software updates; (6) research mobile applications before downloading them to your mobile device; (7) maintain physical control of mobile devices; (8) use adequate security to send or receive ePHI over public Wi-Fi networks; and (9) delete all stored ePHI before discarding or reusing a mobile device.