Recent Enforcement Shows the Importance of Encrypting Mobile Devices Containing Protected Health Information

Foley & Lardner LLP

With headlines every day announcing another release of Protected Health Information (PHI), providers are asking themselves – is there a way to protect against these breaches?

Beyond improving the security of large systems, attention is needed to protect PHI contained in laptops and other mobile devices, which account for a large percentage of PHI breaches.

In order to safeguard the confidentiality, integrity and availability of all electronic protected health information created, received, maintained, or transmitted, all covered entities and business associates must (1) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (2) protect against any reasonably anticipated unauthorized uses or disclosures of such information. 45 C.F.R. § 164.306(a).

One way to comply with this rule is to encrypt electronic PHI to allow access only to individuals who are authorized to view the PHI. 45 C.F.R. § 164.312(a)(2)(iv). Encryption is a standard solution and is an effective tool to prevent against unauthorized access to data.

Encryption under the HIPAA Regulations means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. 45 C.F.R. § 164.304.

The safeguard arising from encryption is particularly relevant now because of the widespread use of mobile devices, such as laptops, iPads, and portable disk drives by health care providers. Press reports indicate that several recent unauthorized releases of unencrypted PHI resulted from the loss or theft of these mobile devices.

The 2014 Bitglass Healthcare Breach Report analyzed data from the Department of Health and Human Services breach records and found the following:

  • 68% of healthcare data breaches since 2010 occurred when devices or files were lost or stolen, with only 23% due to hacking; and
  • 48% of breaches involved a laptop, desktop, or mobile device.

As these numbers show, health care providers need to focus on securing and protecting PHI on mobile devices. If possible, physicians and others who have access to PHI on mobile devices should avoid storing PHI on laptops, USB memory sticks, and other mobile devices. If storage of PHI on a mobile device is necessary, health care providers should require that these devices be encrypted, both in transit and in storage, and that they are able to remotely wipe data on lost or stolen devices.

View This Blog

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley & Lardner LLP | Attorney Advertising

Written by:

Foley & Lardner LLP

Foley & Lardner LLP on:

Reporters on Deadline

Related Case Law

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.