05.03.2017


The U.S. Department of Health and Human Services (HHS) recently announced yet another HIPAA privacy and security settlement involving Protected Health Information (PHI) on a stolen laptop. Although this might be seen as just another stolen laptop, it is a useful reminder that stolen mobile devices (laptops, tablets, smartphones, flash drives, etc.) are at the heart of many HIPAA settlements, and the failure of a Covered Entity (CE) or a Business Associate (BA) to address the security of such devices in its risk analysis and policies and procedures seems very unwise.

Although there is no way to guarantee that a laptop or other mobile device will never be lost or stolen, a carefully considered set of policies and procedures might protect a CE or BA from an HHS allegation of noncompliance. For example, the following are just a few of the issues that should be addressed:

  • Which members of the workforce have permission to remove mobile devices containing PHI from the premises and for how long?
  • What logging process is in place to track the removal and return of mobile devices that contain PHI?
  • What physical security measures must be followed when mobile devices containing PHI are removed from the premises (e.g., do not leave the device in a parked car)?
  • What type of encryption is required for PHI on mobile devices, and how must decryption keys be stored and protected?
  • What remote deletion capabilities and loss reporting requirements exist?
  • What sanctions will be applied to workforce members who fail to follow the policies and procedures regarding mobile devices containing PHI?

In the recent settlement, the CE is a provider of wireless monitoring of patients with certain heart conditions. The PHI on the laptop was not encrypted, and the device was stolen from the car of one of the CE’s workforce members. HHS determined that the CE did not have an accurate and thorough risk analysis in place to identify potential risks and vulnerabilities, did not require encryption of PHI, and did not have final policies and procedures in place to control the movement of hardware and electronic media containing PHI into and out of the CE’s facilities.

In addition to the payment of $2.5 million, the CE agreed to a Corrective Action Plan (CAP) that will be in place for two years and will require, among other things, a risk analysis within 90 days of the settlement, revisions to the CE’s security policies and procedures with particular attention to device and media controls, and revisions to the CE’s HIPAA privacy and security training program. One of the more notable provisions of the CAP is the requirement that the CE certify that all portable media devices are encrypted, even though encryption of electronic PHI is an addressable, but not a required, safeguard under the HIPAA regulations. This suggests that compliance with the HIPAA regulations may often be less expensive and less onerous than the potential consequences of noncompliance.

HHS has published some advice on protecting PHI on mobile devices, which is available here.

© 2017 Perkins Coie LLP
