Why Medical Providers Should Take Caution with Sensitive Information, Especially With Mobile Devices


We continue to hear reports of large-scale data breaches that involve the loss or theft of thousands of records containing personally identifiable information (PII) of individuals. If such a loss or theft is determined to constitute a "breach of security" of the information, certain reporting requirements are triggered. These requirements are of particular concern to medical providers who may send or receive PII or Electronic Protected Health Information (ePHI) via mobile devices, because the reporting often involves informing patients that the privacy of their sensitive medical information may have been compromised.

In addition to possible investigatory action by the Department of Health and Human Services Office for Civil Rights (HHS OCR), state Attorneys General are ramping up their efforts to investigate potential security violations under HIPAA and HITECH, even on a relatively small scale.

Earlier this month, HHS announced its first settlement involving a data breach of fewer than 500 patient records, for $50,000.00: http://www.hhs.gov/news/press/2013pres/01/20130102a.html

In this case, HHS commented that an unencrypted laptop containing 441 records had been stolen and that the covered entity had not conducted the required risk assessment or created the policies and procedures necessary to adequately secure ePHI.

All HIPAA-covered entities and business associates should revisit their internal security policies and seek experienced legal counsel immediately upon suspecting any loss of PII or ePHI.

Any entity that handles PII or PHI / ePHI should have an established process to provide legal review of all vendor contracts for information technology services, and should maintain an updated Written Information Security Policy (WISP) and Data Breach Response Protocol.

HHS has released helpful information for providers on the topic of securing mobile devices. This information can be found online here: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pullman & Comley, LLC | Attorney Advertising