We continue to hear reports of large-scale data breaches that involve the loss or theft of thousands of records containing individuals' personally identifiable information (PII). If such a loss or theft is determined to constitute a "breach of security" of the information, certain reporting requirements are triggered. These requirements are of particular concern to medical providers who may send or receive PII or Electronic Protected Health Information (ePHI) via mobile devices, as the reporting often will involve informing patients that the privacy of their sensitive medical information may have been compromised.
In addition to possible investigatory action by the Department of Health and Human Services Office for Civil Rights (HHS OCR), state Attorneys General are ramping up their efforts to investigate potential security violations under HIPAA and HITECH, even on a relatively small scale.
Earlier this month, HHS announced its first settlement involving a data breach of fewer than 500 patient records, for $50,000.00: http://www.hhs.gov/news/press/2013pres/01/20130102a.html
In this case, HHS commented that an unencrypted laptop containing 441 records had been stolen and that the covered entity had not conducted the required risk assessment or created the policies and procedures necessary to adequately secure ePHI.
All HIPAA-covered entities and business associates should revisit their internal security policies and seek experienced legal counsel immediately upon suspecting any loss of PII or ePHI.
Any entity that handles PII or PHI/ePHI should have an established process for legal review of all vendor contracts for information technology services, and should maintain an up-to-date Written Information Security Policy (WISP) and Data Breach Response Protocol.
HHS has released helpful information for providers on the topic of securing mobile devices. This information can be found online here: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security