Why Medical Providers Should Take Caution with Sensitive Information, Especially With Mobile Devices


We continue to hear reports of large-scale data breaches that involve the loss or theft of thousands of records containing individuals' personally identifiable information (PII). If such a loss or theft is determined to constitute a “breach of security” of the information, certain reporting requirements are triggered. These requirements are of particular concern to medical providers who may send or receive PII or Electronic Protected Health Information (ePHI) via mobile devices, as the reporting often will involve informing patients that the privacy of their sensitive medical information may have been compromised.

In addition to possible investigatory action by the Department of Health and Human Services Office for Civil Rights (HHS OCR), state Attorneys General are ramping up their efforts to investigate potential security violations under HIPAA and HITECH, even on a relatively small scale.  

Earlier this month, HHS announced its first settlement, for $50,000.00, involving a data breach of fewer than 500 patient records (http://www.hhs.gov/news/press/2013pres/01/20130102a.html).

In this case, HHS commented that an unencrypted laptop containing 441 records had been stolen and that the covered entity had not conducted the required risk assessment or created the policies and procedures necessary to adequately secure ePHI.   

All HIPAA-covered entities and business associates should revisit their internal security policies and seek experienced legal counsel immediately upon suspecting any loss of PII or ePHI.      

Any entity that handles PII or PHI / ePHI should have an established process to provide legal review of all vendor contracts for information technology services and have an updated Written Information Security Policy (WISP) and Data Breach Response Protocol.     

HHS has released helpful information for providers on the topic of securing mobile devices.   This information can be found online here: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pullman & Comley, LLC | Attorney Advertising
