I don’t understand why, with all the high six-figure and seven-figure resolution agreements (basically, settlements), covered entities do not provide adequate security for laptops and other portable equipment and media. Yes, I know that you are overwhelmed by too much regulation, too little compensation, rising costs, and the like. And I know that HIPAA is unnecessarily vague and complex, although I’ve greatly clarified and simplified it for you in my books and other compliance materials. But it is neither too vague nor too complex to understand the need to protect the protected health information (“PHI”) on a portable and thus easily lost or stolen device.
This need is clearly demonstrated by the following:
- Required implementation specification in the Security Management Standard of the Administrative Safeguards to conduct a risk analysis, 45 C.F.R. 164.308(a)(1)(i).
- Provisions of Device and Media Controls Standard under the Physical Security Safeguards, 45 C.F.R. 164.310(d)(1).
- Provisions of the Access Control Standard at 164.312(a)(1), including Unique User Identification, Automatic Logoff, and Encryption and Decryption.
- Technical Safeguards requirements for Audit Controls, 164.312(b), Person or Entity Authentication, 164.312(d), and Transmission Security, 164.312(e)(1).
- DHHS Guidance that PHI that has been encrypted sufficiently to comply with the National Institute for Standards and Technology (“NIST”) standrds is not readable and that hence there is no need to report its loss or theft unless the key to decrypt is also lost or stolen (never store them in a file on the device). Data at rest standards are in NIST Special Publication 800-111,Guide to Storage Encryption Technologies for End User Devices at http://csrc.nist.gov/ and data in motion standards are in NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated. Although this guidance does not say that you must encrypt, if you do the PHI is unreadable and hence “secure” so that any breach thereof need not be reported to DHHS so as to lead to a sanction, such as that suffered by Lahey Hospital, below, among dozens of others.
Encryption under the relevant standards is addressable—not required. That term “addressable” means that you must evaluate (and document) whether encryption is reasonable and appropriate or not. If it is, encryption becomes required. If it is not, you have two other options. One, implement an equivalent alternate measure, such as that the laptop is on a secure VPN (Virtual Private Network), or two, do nothing because the risk is so low that no need exists to encrypt or use an equivalent alternate measure. Such a low risk was not the case for Lahey Hospital, and because the laptop in question was not encrypted, the hospital had to report its theft to DHHS.
Following the report from Lahey, a not-for-profit teaching hospital affiliated with Tufts Medical School, that a laptop had been stolen from an unlocked treatment room sometime during the night, the DHHS Office for Civil Rights (“OCR”) investigation revealed that the unencrypted laptop, which was on a portable CT scanner stand, was used to operate the scanner and produced images for viewing through Lahey’s radiology information system and its picture archiving and communication system. The computer’s hard drive contained 599 individuals’ PHI.
OCR’s breach investigation found the following non-compliance issues:
- Failure to conduct a thorough risk analysis of all of its electronic protected health information (“EPHI”);
- Failure to physically safeguard the workstation that accessed EPHI;
- Failure to implement and maintain policies and procedures regarding the safeguarding of EPHI maintained on workstations used for diagnostic/laboratory equipment;
- Lack of a unique user name for identifying and tracking user identity with respect to the workstation in this incident;
- Failure to implement procedures that recorded and examined activity in the workstation; and
- Impermissible disclosure of 599 individuals’ PHI.
The Director of OCR stated: “It is essential that covered entities apply appropriate protections to workstations associated with medical devices, such as diagnostic or laboratory equipment. Because these workstations often contain EPHI and are highly portable, such EPHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”
This settlement follows the $750,000 settlement announced in September with Indiana-based Cancer Care Group, P.C., for a breach involving a stolen unencrypted laptop that affected 55,000 current and former patients. See my September 11, 2015, blog post “Latest HIPAA Settlement—a Lesson Still Not Learned at http://www.veteranspress.com/latest-hipaa-settlement-a-lesson-still-not-learned-hipaa-hitech-act-blog-by-jonathan-p-tomes.
Considering these and other six- and seven-figure settlements (and lost or stolen laptops is the single biggest category of six- and seven-figure settlements), the clear requirement to protect EPHI, and the fact that encryption is far less expensive and user-surly—the opposite of user friendly—than it used to be, it would seem well worth expending the resources to address encryption for portable devices (and for all PHI that you maintain electronically) and implement it if reasonable and appropriate and, if not, consider equivalent alternate measures. You should also consider other security, such as physical security, such as a cable locking the laptop to an immobile object. And make absolutely sure that you document what you did and why in your risk analysis. None of the settlements were for not encrypting—they were for not addressing encryption so that they had documentation that it was not reasonable and appropriate to do so in their situations!
For cost-effective help in conducting a Risk Analysis, consider buying my HIPAA Compliance Library, which contains a CD of editable forms for conducting your own Gap Analysis and Risk Analysis, or hiring me through EMR Legal, Inc., as your consultant to conduct either an onsite or an offsite Gap Analysis and Risk Analysis with you. Many of my clients prefer the middle ground of buying our online Gap Analysis and Risk Analysis, completing the forms themselves, and having me review their work with them through my written report and followup phone conference. Check out the possibilities at http://www.veteranspress.com/products/hipaa-hitech-compliance-tools. Call us at 855-341-8783 for more information and to schedule consulting.