Hospital Ignored Risk to Security of Patients’ ePHI
The US Department of Health and Human Services Office for Civil Rights (OCR) fined a hospital over $3 million for failing to keep patients’ electronic protected health information (ePHI) secure. To make things worse, the hospital knew that its security was insufficient to protect ePHI, but it didn’t take steps to secure the information until it was too late.
In 2009, someone from Children’s Medical Center of Dallas lost an unencrypted, non-password-protected BlackBerry at the Dallas/Fort Worth International Airport. The device contained the ePHI of approximately 3,800 individuals.
In 2010 an unidentified medical resident lost an iPod that had been synced to the resident’s hospital email account. This resulted in the unencrypted ePHI of at least 22 individuals being placed on the device.
In 2013 a laptop was stolen from an operating room storage area. It contained the unencrypted ePHI of 2,462 individuals.
These breaches happened even though the hospital had arranged for risk assessments from 2006 to 2008, and those assessments (1) recommended that the hospital implement encryption to avoid the loss of ePHI on stolen or lost laptops, (2) determined that the hospital didn’t have a mechanism in place to protect data on devices or thumb drives that were lost or stolen, and (3) identified a “high risk” of the loss of data at rest through unsecured mobile devices. The 2008 analysis recommended that the hospital implement data encryption by the end of 2008.
Therefore, according to the OCR, the hospital had actual knowledge of the risks to unencrypted ePHI by at least 2007. Yet the hospital hadn’t implemented encryption on all devices as of April 2013.
As we’ve mentioned before, the Health Insurance Portability and Accountability Act (HIPAA) requires entities to provide their workforces with appropriate HIPAA security training. These were some issues that the OCR had with how the hospital addressed data security:
- The hospital’s information technology (IT) assets were inventoried and managed separately from the inventory of devices used within its Biomedical Department, and the IT asset policies didn’t apply to devices that were managed by the Biomedical Department.
- Although the hospital implemented some physical safeguards to the operating room storage area, it also provided access to the area to staff (such as janitors) who were not authorized to access unencrypted ePHI.
ePHI Was Not Encrypted
Some people are surprised to learn that HIPAA doesn’t always require encryption. Encryption is required if a company performs a risk assessment and determines that encryption is a reasonable and appropriate safeguard to protect the confidentiality, integrity, and availability of ePHI. A company that decides that encryption is not reasonable and appropriate must either document that determination and implement an equivalent reasonable and appropriate alternative, or document the rationale for not implementing either the equivalent alternative or any other security measure.
As attorney Charles E. Frayer says, “although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because (i) it is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate; and (ii) if you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable—by simply using encryption.”
In this case, the hospital’s own risk assessments showed that it should have been encrypting its ePHI.
iPod Was Synced to Work Email Account
A lot of stories about ePHI breaches involve hacking, but insider negligence is much more likely to compromise confidential information. Sometimes ePHI is released because an employee wants to be able to work with files both at home and at work, and more and more people are syncing their personal devices to work accounts to do so.
But if the work data isn’t encrypted, that can lead to data breaches like the one in this case, where the medical resident’s iPod was synced to the resident’s hospital email account. The resident might never have contemplated receiving unencrypted ePHI in an email, or the resident might not have considered that having unencrypted ePHI on an iPod wasn’t a secure practice. Data security training would have informed the resident about the proper way to transmit ePHI through email and how to prevent ePHI from being left on a personal device.
An organization that has good data security habits and training can protect information even when devices are lost or stolen.
Of course, information can be transferred to and from our personal devices in ways other than through email. In fact, in August 2016 the US Federal Trade Commission (FTC) warned people about the dangers of connecting their personal devices to connected rental cars that might automatically download information. So it’s important to be cautious about unencrypted data on devices. The FTC has determined that the failure to take reasonable data security measures may constitute an unfair practice.
Unauthorized Staff Had Access to Confidential Information
The HIPAA Security Rule defines “confidentiality” to mean that ePHI isn’t made available or disclosed to unauthorized persons. In this case, the hospital’s janitorial staff had access to storage areas near operating rooms. Because the janitorial staff wasn’t authorized to see the ePHI, encryption should have been used for any ePHI stored on devices left in those areas.
It’s important for companies to conduct risk assessments. But it’s just as important that they act, as soon as possible, on the information discovered in those assessments. In this case, the OCR found as an aggravating factor the “amount of time that Children’s continued to use unencrypted devices even after it had actual knowledge that encryption was necessary to ensure the security of ePHI.”
It’s worth noting that this fine was imposed (though some of the components of the fine were imposed at the minimum amount) even though there was no proof that any patients were harmed by the breaches. The breaches themselves were the cause for the fine.
“This fine indicates that even with the change of administration, OCR seems likely to continue its aggressive approach to HIPAA enforcement,” says attorney Michael Bertoncini.
LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.