On January 2, 2013, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced its first HIPAA breach settlement involving fewer than 500 patients. OCR took action against a hospice provider in Idaho from which a laptop containing health information on 441 patients had been stolen. To settle the investigation, the provider was required to pay OCR $50,000 and enter into a corrective action plan.
The theft of the laptop by itself was not the basis for OCR's action. Instead, OCR alleged that the provider did not "conduct an accurate and thorough analysis of the risk to the confidentiality of [electronic health information] on an on-going basis as part of its security management process…." This included a failure to evaluate the risks to information that arise from maintaining and transmitting data on mobile devices, and a failure to take the steps necessary to mitigate those risks. The risk analysis at issue is not optional: it is a required implementation specification of the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), and OCR treats its absence as a violation independent of whether a breach ever occurs.
Significance of Action
While many are aware that OCR has been ramping up enforcement of HIPAA breaches in recent years, this settlement is significant for two reasons.
First, OCR pursued this action in a case that involved far fewer patients than previous enforcement actions. Under the HIPAA breach notification rules, breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after discovery, whereas smaller breaches need only be logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered (that is, in January or February of the following year). In this case, the breach happened in June 2010 and notice to OCR did not occur until February 2011. OCR opened its investigation on the basis of that annual report, rather than in response to an individual complaint, as is often the case.
Second, this action relates to the most common cause of reported data breaches: lost or stolen mobile devices. OCR took issue with the fact that the provider had not conducted a risk analysis addressing these common incidents and did not have policies and procedures in place for mobile device security. This area of concern is growing rapidly as data becomes more portable and mobile devices become nearly ubiquitous. OCR's stepped-up enforcement means that entities covered by HIPAA will want to take proactive, rather than reactive, measures to address mobile device security.
Proactive Steps to Take
As a reminder, the HIPAA rules and regulations apply to health care providers, insurers and their business associates (entities that perform activities on behalf of providers and insurers and have access to health information). This means that a large swath of the health care industry, not only health care providers, is subject to the data breach provisions of HIPAA.
All entities subject to HIPAA are required to take proactive measures to evaluate the safety and security of their electronic health information. Given how often breaches involve portable equipment, these measures should include a review of the methods used to safeguard data on mobile devices used by personnel and contractors: an inventory of which devices hold or access health information, a documented risk analysis covering them, and policies that address their loss or theft. One safeguard deserves particular attention: under the breach notification rules, health information that has been encrypted in accordance with HHS guidance is not "unsecured" protected health information, so the loss of a properly encrypted laptop generally does not trigger breach notification at all. Full-disk encryption of laptops and mobile devices is therefore both a security control and a substantial reduction in regulatory exposure. Underscoring the importance of such proactive measures, OCR has launched a website to assist entities in understanding the risks of using mobile devices and in making a plan for the proper, secure use of such technology.