The United States Department of Health and Human Services (HHS) announced on January 2, 2013 the first settlement of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule arising from a breach that affected fewer than 500 patients. An Idaho-based hospice provider was found at fault after the theft of an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients. The $50,000 settlement stems in large part from the provider's failure to adopt adequate policies or procedures addressing mobile device security, as the HIPAA Security Rule requires. In addition, the HHS Office for Civil Rights found that the provider had not conducted an accurate and thorough assessment of the risks to the security of its ePHI, either on an ongoing basis or as part of a security management process.
The HIPAA Security Rule
The HIPAA Security Rule requires covered entities to implement a set of administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of ePHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened enforcement of the HIPAA rules, and the Breach Notification Rule that HHS issued under HITECH requires covered entities to notify affected individuals of any breach of unsecured protected health information. For a breach affecting 500 or more individuals, the covered entity must also notify the HHS Secretary, and prominent media outlets serving the affected area, without unreasonable delay and no later than 60 days after discovering the breach. Breaches affecting fewer than 500 individuals must be logged and reported to the Secretary annually, within 60 days after the end of the calendar year in which the breach was discovered. For example, a breach discovered during calendar year 2012 had to be submitted by March 1, 2013.
In addition, the HITECH Breach Notification Rule requires covered entities to:
- Have written policies and procedures in place covering the breach notification process
- Train employees on those breach notification policies and procedures
- Develop and apply appropriate sanctions against employees who fail to comply with the breach notification policies and procedures
Results of ePHI Breach
Laptops containing ePHI were regularly used by the Idaho hospice provider as part of routine field work. Although the provider did properly report the breach to HHS, the investigation revealed that it had not implemented specific safeguards required by the HIPAA Security Rule, including policies and procedures addressing mobile device security. The provider had also failed to conduct a risk analysis of its ePHI, as the HIPAA Security Rule requires.
This sizable settlement underscores that all healthcare providers, and the business associates that create, receive, maintain or transmit ePHI on their behalf, must have HIPAA Security Rule policies and procedures in place, and must reassess them on a regular schedule rather than treating the risk analysis as a one-time exercise. The point applies with particular force to providers and business associates who use laptops, smartphones, iPads, other mobile devices or desktops to view, submit, transmit, store or record ePHI. A practical corollary of this case is that full-disk encryption of portable devices, applied in line with the HHS guidance on rendering PHI unusable, unreadable or indecipherable, is the single control that would have kept a stolen laptop from becoming a reportable breach at all.