What You Need to Know About HIPAA and Lost or Stolen Devices
October 8, 2017
How HIPAA is enforced and what you can do to secure your devices
HIPAA non-compliance is painful and costly. If your organization is guilty of non-compliance, you may be held liable for litigation, legal expenses, hefty fines, and huge settlements. Back in April, when Roger Severino became the Director of the HHS Office of Civil Rights (OCR), he made it clear that he was looking for a “big, juicy, egregious” HIPAA breach to set an example for other non-compliant organizations. He also made it clear to smaller organizations that he wasn’t just going after large healthcare organizations.
“Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law (sic). You won’t be.”
And he’s not just making threats. He’s following through. According to this HIPAA Journal article, between the time he became OCR Director until early September, 8 settlements have been reached and one has a civil penalty. Of those, two concern us:
Children’s Medical Center of Dallas had a case where an unencrypted laptop was stolen from Cardionet. This breach exposed the records of 1,391 patients and potential violation of HIPAA compliance. Civil Penalty: $3.2 million.
Concentra Health Services was another case where unencrypted laptops were stolen, leading to a settlement in excess of $1.7 million for potential violations of HIPAA.
It’s important to point out that these weren’t fines levied after running each case through the courts. These settlements reached before any non-compliance litigation started.
Why these cases are important
What makes them particularly relevant is the fact that unencrypted laptops, most likely containing ePHI records, were stolen. If you’re a CIO, CISO, or Compliance Officer, this bit should grab your attention. Stolen laptops led to settlements in excess of one million dollars. Which means all it takes is a single stolen laptop to cost you as much as $3 million or more.
So, what can be done about this? The first step is to assess PHI exposure risks throughout your organization.
Too often, risk assessments aren’t taken seriously. If you haven’t conducted a rigorous risk assessment for HIPAA compliance, you need to formulate a strategy and begin the assessment as soon as possible. If this sounds dramatic, it’s not - the Director of OCR is dead serious about enforcement and he’s backing it up. If you experience a PHI breach and haven’t performed a risk assessment, it’s gonna be ugly and expensive, even if you never step foot into a courtroom.
Assessments are all well and good, but just what exactly should a HIPAA compliance risk assessment look for? The best resource for this information is from the Office of the National Coordinator for Health Information Technology (ONC), which has published a risk assessment tool you can use to assess the HIPAA compliance risks in your organization, available as a download from this Healthit.gov article. There are multiple links throughout the page to download and run the tool on any operating system along with a link to the guide to help you with it.
Of the three areas the tool covers, we want to focus on Physical Safeguards. More specifically, we want to perform risk assessment on how easy it is for unauthorized persons to access laptops and the ePHI stored in them.
Risk Assessment: Carefully review policies and procedures that limit physical access to ePHI, particularly with respect to laptops used for healthcare purposes. Some questions might include:
How secure are the laptops that are being used to record ePHI?
Can anyone snatch a laptop and walk off with it? Why or why not?
What kind of scenario may lead to a situation where a laptop is stolen?
How can that scenario be prevented from happening?
What kind of protection is installed on each laptop?
How does it provide protection?
Is it HIPAA compliant? Will it prevent an unauthorized employee or thief from accessing ePHI on a laptop?
Is the laptop itself adequately protected from theft with software and/or tools?
Is the hard drive on the laptop encrypted so that, if it’s stolen, the thief won’t be able to access any ePHI?
Does each laptop automatically lock after it sits idle for a short time, say five minutes, requiring the user to log back in?
Can the laptop be remotely locked and/or wiped if it is stolen?
If you can’t answer “yes” to all of these questions, it’s time to sit down and create a HIPAA compliance strategy and implement it right away.
When it’s all said and done, even the most well-conceived compliance strategy will have holes in it. The best protection you can provide your organization from huge settlements is to have a well-documented risk assessment in place, a HIPAA compliance strategy, and documentation on how you ensure the fullest compliance when Severino or one of his enforcers comes knocking. At the very least, be able to truthfully tell him that the stolen laptop had a fully encrypted hard drive.