OCR Announces First "Under 500" Breach Settlement

The first breach settlement announcement of the new year breaks new ground: a $50,000 fine based on the theft of a laptop containing 441 patients' unencrypted data. It is the first settlement of a breach involving fewer than 500 individuals. There was no indication that any PHI was improperly viewed or accessed.

In a press release issued January 2, 2013, OCR announced the negotiated resolution of a breach by the Hospice of North Idaho (HONI), which began when HONI reported the June 2010 laptop theft. The investigation revealed that HONI had not conducted a risk analysis to safeguard ePHI and had not adopted policies or procedures to address mobile device security.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information,” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Resolution Agreement, which appears here, emphasized the hospice agency's failure to anticipate the risk of loss of unprotected data on the mobile devices its staff commonly used in field work:

"In particular, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of electronic PHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures."  

The emphasis on a small covered entity's lack of analysis and risk assessment is reminiscent of OCR's settlement with two-physician Phoenix Cardiac Surgery, P.C. announced in April 2012, another case widely considered to be a warning to similarly situated entities. Note that HONI disputes the allegations in its own press release.

OCR also required HONI to enter into a two-year corrective action plan, which requires HONI to investigate any information indicating that any workforce member may have failed to comply with its Privacy and Security policies and procedures, and to report the details of any such failure, including sanctions imposed and steps taken to prevent recurrence.

Some lessons can be taken away from the HONI settlement.

First, encryption of ePHI is critical! Given the prevalence of breaches associated with lost and stolen laptops, it is often forgotten that the loss of encrypted, and therefore unreadable, data is generally not a HIPAA breach, provided the decryption key was not lost or compromised along with the device.

Next, all organizations, but especially those like hospices, home health agencies and other entities with mobile workforces, must prioritize securing mobile devices. For starters, refer to OCR's guidance entitled Your Mobile Device and Health Information Privacy and Security, which is definitely worth reading. Some of the advice seems to be common sense (password protection, remote wiping or disabling, firewall and security software, avoiding file-sharing applications) but needs to be enforced organization-wide, particularly in today's "bring your own device" environment. OCR has even created a handy one-page Fact Sheet with useful mobile device security tips.

Loss and theft of mobile devices may be inevitable, but protection of the data those devices contain is not as challenging as many think, and effectively implementing such protection should be a priority for 2013.

An Update: Physicians and Lawyers Successfully Trump (At Least for Now) Compliance with the Red Flags Rule

On May 28, 2010, William H. Maruca, editor of this blog, reported in a post entitled Red Flag Reprieve - Déjà vu All Over Again that, under pressure from Congress, the Federal Trade Commission (“FTC”) had agreed to postpone enforcement of its “Red Flags Rule” until January 1, 2011.

On June 1, 2010, an article in The National Law Journal discussed the postponement insofar as enforcement of the Red Flags Rule by the FTC against doctors, lawyers and other professionals would require them to develop written identity theft prevention programs. The article further noted that the postponement followed separate lawsuits against the FTC by the American Bar Association and by the American Medical Association and other physician associations on behalf of their respective professionals, arguing that imposing the identity theft rule requirements on their members is arbitrary, capricious and has no legally supportable basis. The article quoted FTC Chairman Jon Leibowitz as stating that Congress needs to clarify and fix problems in the application of the Red Flags Rule quickly to permit the FTC to carry out its enforcement obligations.

“Financial institutions” and “creditors” with “covered accounts” are governed by the Red Flags Rule. Therefore, a physician, other healthcare provider or lawyer could be subject to the Red Flags Rule if any of its activities meet the definition of a creditor with a covered account. This broad definition essentially includes anyone who bills after providing services or allows patients or clients to defer payment; a practice could be deemed a creditor simply because it allows a patient or client to defer payment for medical or legal services rendered.

The “final” Red Flags Rule was promulgated by the FTC as long ago as November 9, 2007 under the Fair and Accurate Credit Transactions Act of 2003. The original compliance date for the Red Flags Rule was November 1, 2008. However, because many healthcare providers and professionals were unaware of, or uncertain as to, whether the requirements of the Red Flags Rule applied to them, the FTC delayed the initial enforcement date to May 1, 2009.

Discussions and correspondence between the healthcare sector and the FTC followed, seeking to clarify whether health care providers, such as physicians and hospitals, must comply with the Red Flags Rule. As a result of those discussions and the subsequent lawsuits discussed above, the FTC suspended enforcement of the Red Flags Rule multiple times, with the most recent enforcement deadline being postponed to January 1, 2011.

Significant changes with respect to the application of the Red Flags Rule may be on the horizon for the healthcare industry. It is not clear that Congress will act or, if it does, that the legislation will clearly define the applicability of the Red Flags Rule to a specific type of healthcare provider. Providers should keep apprised of developments that may affect them.