HIPAA settlement highlights importance of mobile device encryption

Bricker & Eckler LLP

On July 27, 2020, the U.S. Department of Health and Human Services (HHS) announced that it reached a settlement with a Rhode Island nonprofit health system related to the theft of an unencrypted laptop containing its patients’ protected health information (PHI). Lifespan Health System Affiliated Covered Entity agreed to pay $1,040,000 and to adopt a corrective action plan with two years of monitoring by the HHS Office for Civil Rights (OCR).

In 2017, Lifespan filed a breach report with OCR concerning the theft of a hospital employee’s laptop containing PHI that included patient names, medical record numbers, demographic information and medical information. In all, the laptop contained the PHI of over 20,000 patients.

OCR opened an investigation in response to the breach report and determined that there was systemic noncompliance with HIPAA regulations, including a failure to encrypt laptops even after Lifespan had determined it was reasonable and appropriate to do so. The investigation also uncovered a lack of device and media controls and a failure to have a business associate agreement in place with related entities. “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director. 

This settlement announcement should serve as a reminder to all HIPAA covered entities of the importance of mobile device encryption. While the Security Rule’s Implementation Specification for encryption is “addressable,” covered entities must utilize encryption if it is reasonable and appropriate to do so. Further, under the Breach Rule, covered entities are only required to make notifications for breaches of unsecured PHI. Devices that are encrypted as specified in the Security Rule are “secured,” and a covered entity is therefore not required to issue notifications when an encrypted device is lost or stolen.
