Hospital Ignored Risk to Security of Patients’ ePHI 11:25, March 23, 2017


The US Department of Health and Human Services Office for Civil Rights (OCR) fined a hospital over $3 million for failing to keep patients’ electronic protected health information (ePHI) secure. To make things worse, the hospital knew that its security was insufficient to protect ePHI, but it didn’t take steps to secure the information until it was too late.

In 2009, someone from Children’s Medical Center of Dallas lost an unencrypted, non-password-protected BlackBerry at the Dallas/Fort Worth International Airport. The device contained the ePHI of approximately 3,800 individuals.

In 2010 an unidentified medical resident lost an iPod that had been synced to the resident’s hospital email account. This resulted in the unencrypted ePHI of at least 22 individuals being placed on the device.

In 2013 a laptop was stolen from an operating room storage area. It contained the unencrypted ePHI of 2,462 individuals.

These breaches happened even though the hospital had arranged for risk assessments from 2006 to 2008, and those assessments (1) recommended that the hospital implement encryption to avoid the loss of ePHI on stolen or lost laptops, (2) determined that the hospital didn’t have a mechanism in place to protect data on devices or thumb drives that were lost or stolen, and (3) identified a “high risk” of the loss of data at rest through unsecured mobile devices. The 2008 analysis recommended that the hospital implement data encryption by the end of 2008.

Therefore, according to the OCR, the hospital had actual knowledge of the risks to unencrypted ePHI by at least 2007. Yet the hospital hadn’t implemented encryption on all devices as of April 2013.

As we’ve mentioned before, the Health Insurance Portability and Accountability Act (HIPAA) requires entities to provide their workforces with appropriate HIPAA security training. Beyond the missing encryption, the OCR identified these issues with how the hospital addressed data security:

  • The hospital’s information technology (IT) assets were inventoried and managed separately from the inventory of devices used within its Biomedical Department, and the IT asset policies didn’t apply to devices that were managed by the Biomedical Department.
  • Although the hospital implemented some physical safeguards to the operating room storage area, it also provided access to the area to staff (such as janitors) who were not authorized to access unencrypted ePHI.

ePHI Was Not Encrypted

Some people are surprised to learn that HIPAA doesn’t always require encryption. Encryption is required if a company performs a risk assessment and determines that encryption is a reasonable and appropriate safeguard to protect the confidentiality, integrity, and availability of ePHI. A company that decides that encryption is not reasonable and appropriate must either document that determination and implement an equivalent reasonable and appropriate alternative, or document the rationale for not implementing either the equivalent alternative or any other security measure.

As attorney Charles E. Frayer says, “although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because (i) it is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate; and (ii) if you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable—by simply using encryption.”

In this case, the hospital’s own risk assessments showed that it should have been encrypting its ePHI.

iPod was Synced to Work Email Account

A lot of stories about ePHI breaches involve hacking, but insider negligence is much more likely to compromise confidential information. Sometimes ePHI is exposed because an employee wants to be able to work with files both at home and at work, and more and more people are syncing their personal devices to work accounts and devices to do so.

But if the work data isn’t encrypted, that can lead to data breaches like the one in this case, where the medical resident’s iPod was synced to the resident’s hospital email account. The resident might never have contemplated receiving unencrypted ePHI in an email, or the resident might not have considered that having unencrypted ePHI on an iPod wasn’t a secure practice. Data security training would have informed the resident about the proper way to transmit ePHI through email and how to prevent ePHI from being left on a personal device.

An organization that has good data security habits and training can protect information even when devices are lost or stolen.

Of course, information can be transferred to and from our personal devices in ways other than through email. In fact, in August 2016 the US Federal Trade Commission (FTC) warned people about the dangers of connecting their personal devices to connected rental cars that might automatically download information. So it’s important to be cautious about unencrypted data on devices. The FTC has determined that the failure to take reasonable data security measures may constitute an unfair practice.

Unauthorized Staff Had Access to Confidential Information

The HIPAA Security Rule defines “confidentiality” to mean that ePHI isn’t available or disclosed to unauthorized persons. In this case, the hospital’s janitorial staff had access to storage areas near operating rooms. Because the janitorial staff wasn’t authorized to see the ePHI, encryption should have been used for ePHI that was stored on devices left in those areas.

It’s important for companies to conduct risk assessments. But it’s just as important that they act, as soon as possible, on the information discovered in those assessments. In this case, the OCR found as an aggravating factor the “amount of time that Children’s continued to use unencrypted devices even after it had actual knowledge that encryption was necessary to ensure the security of ePHI.”

It’s worth noting that this fine was imposed (though some of the components of the fine were imposed at the minimum amount) even though there was no proof that any patients were harmed by the breaches. The breaches themselves were the cause for the fine.

“This fine indicates that even with the change of administration, OCR seems likely to continue its aggressive approach to HIPAA enforcement,” says attorney Michael Bertoncini.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Christine Day
Christine Day is a legal editor at EverFi. She writes about employment law issues and tracks case law and legislative and regulatory updates. Before joining EverFi she worked in legal publishing, researching and writing about tax law, business law, and employment law. She earned her JD from the University of San Diego Law School and her BA from the University of Southern California.