The Adult & Pediatric Dermatology (APDerm) settlement made it clear the HHS Office for Civil Rights (OCR) isn’t messing around when it comes to punishing HIPAA violations, even when the breach starts with a single lost device.
In the APDerm case, an unencrypted thumb drive containing electronic protected health information (ePHI) of about 2,000 patients was stolen and never recovered. The subsequent investigation found that the practice had not conducted an accurate and thorough analysis of the potential risks to the confidentiality of its ePHI, as the HIPAA Security Rule requires, and had no policies and procedures in place for handling breach notifications. Note what OCR penalized: not just the theft, but the missing risk analysis and the missing procedures.
“Device management or mismanagement has been the No. 1 source of data breach in the health care industry,” says Christopher Burgess, CEO and president of Prevendra Inc. “The October 2013 Horizon Blue Cross Blue Shield of New Jersey breach of more than 839,000 identities is an excellent case in point.” In that instance, two laptops containing ePHI were stolen. The laptops were password-protected, but unencrypted. A login password does nothing for data at rest: the drive can be pulled from the laptop and read on another machine, which is why only encryption counts.
Here’s what you need to know about devices that pose a HIPAA risk:
- Desktop computers and servers can be vulnerable to breaches as high-tech as a hacking attempt or as routine as the wrong person looking at information they aren’t authorized to view.
- Laptop computers used to store data and patient reports can be stolen or lost, as in the Horizon BCBS case.
- A study by Manhattan Research found that 72 percent of the 3,000 physicians it surveyed use tablets. The traits that make them useful for healthcare settings -- portable, easy to use and easy to share -- can make them vulnerable to security breaches.
- Pagers and smartphones pose special challenges. A standard SMS text message is not encrypted end to end, is stored by the carrier and on whichever phone receives it, and leaves no access log the organization controls, so sending ePHI by ordinary text makes the Security Rule’s transmission security and access control safeguards hard to meet.
- HIPAA does not prohibit copying ePHI to a thumb drive for transfer, but the drives’ small size makes them easy to lose. A lost unencrypted drive is presumed to be a reportable breach, while a drive encrypted in line with HHS guidance is not; the APDerm case began with exactly that kind of loss.
Burgess points out that keeping devices secure takes more than simply knowing where they are and controlling access to them. “Laptops, hard drives, USB sticks -- if any of them contain PII or PHI, they must be encrypted,” he says.
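One way to act on that advice on a Linux workstation, as an added example that is not part of the original article or Prevendra’s guidance: read `lsblk -P` key=value output and flag every mounted filesystem that is not backed by a dm-crypt (LUKS) mapping. The sample `lsblk` output below is constructed for illustration; the `/boot/efi` exemption is an assumption (firmware must read that partition, so it is normally left unencrypted).

```shell
#!/bin/sh
# Added example (not from the original article): flag mounted filesystems
# that are not on a dm-crypt/LUKS device. Constructed sample of
# `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` output; on a real host run:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | unencrypted_mounts
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/media/clinic/PATIENT_EXPORT"'

# Reads lsblk -P lines on stdin and prints "name fstype mountpoint" for every
# mounted filesystem whose block device is not a crypt mapping.
# /boot/efi is skipped (assumed exemption: firmware reads it unencrypted).
unencrypted_mounts() {
    awk '
    {
        # Parse KEY="value" pairs from the line into the array f.
        split("", f)
        line = $0
        while (match(line, /[A-Z]+="[^"]*"/)) {
            kv  = substr(line, RSTART, RLENGTH)
            eq  = index(kv, "=")
            key = substr(kv, 1, eq - 1)
            val = substr(kv, eq + 2, length(kv) - eq - 2)
            f[key] = val
            line = substr(line, RSTART + RLENGTH)
        }
        # Only mounted filesystems matter; unmounted containers are fine.
        if (f["MOUNTPOINT"] == "" || f["MOUNTPOINT"] == "/boot/efi") next
        # Anything mounted directly from a disk/partition is unencrypted.
        if (f["TYPE"] != "crypt") print f["NAME"], f["FSTYPE"], f["MOUNTPOINT"]
    }'
}

# Runs the check over the constructed sample; prints one finding, the USB
# stick sdb1 mounted at /media/clinic/PATIENT_EXPORT.
audit_sample() {
    printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_mounts
}

audit_sample
```

The check only recognises dm-crypt mappings (`TYPE="crypt"`); file-level encryption such as eCryptfs or fscrypt, and encrypted USB sticks with their own hardware controller, will still show up as findings and need a manual exemption. On Windows the equivalent question is answered by `Get-BitLockerVolume` in PowerShell, and on macOS by `fdesetup status`, which covers the laptop’s own disk but not removable media.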
An emerging challenge is text messaging. For example, if an off-duty health care employee receives a text message containing PHI, it can be displayed on the phone’s lock screen where anyone nearby can read it. Or the employee might ask someone else to read it out loud to find out what it says. Sharing PHI in either case must comply with the HIPAA Security Rule, just like any other transmission of ePHI, and ordinary SMS gives the organization no encryption, no access control and no record of who saw the message.
HealthIT.gov has a storehouse of tips and information for organizations about keeping mobile devices secure. Maintaining a current inventory of every device that stores or accesses ePHI, encrypting that ePHI at rest and in transit, and performing a regular HIPAA risk analysis can help your organization stay both compliant and secure. The stakes are high when it comes to information security. Ensure your organization gets it right.
If you need more information about HIPAA compliance and how IT can help your health care organization get it right, watch our recent webinar "HIPAA Risk Assessments: What You Need to Know," or contact us for help.
Logan Solutions is the health care technology company with a clinician's perspective. We provide clinical documentation expertise to customers using Dragon Medical with eClinicalWorks and other electronic medical record systems. Contact us to learn how our clinical and technological expertise can help your practice with Dragon Medical software and training, HIPAA compliance tools and EMR consulting.