The single biggest category of the reports of breaches of unsecured protected health information (“PHI”) that must be reported to the Department of Health and Human Services (“DHHS”) involves portable electronic devices. DHHS has imposed six- and seven-figure civil money penalties or settlements for such breaches. Thus, covered entities must implement reasonable and appropriate security measures for such devices, if they have not already done so. Covered entities should also review existing measures to ensure that they have kept up with the changes in technology and any new risks that may have arisen.
DHHS has issued HIPAA Security Guidance on this issue. Its objective is to reinforce some of the ways that a covered entity may protect electronic protected health information (“EPHI”) when it is accessed or used outside the organization’s physical location. The guidance notes that covered entities should be cautious about allowing such offsite use or access and do so only when necessary and when appropriate security is in place. The guidance also stresses the importance of a formal risk analysis of the use of such devices, the development of policies, and proper training. The heart of the guidance consists of the following three tables: “Accessing EPHI,” “Storing EPHI,” and “Transmitting EPHI.” In each of these three tables, risk is on the right side, and possible risk management strategies are on the left.