Another HIPAA Settlement: Stolen Laptop Costs $2.5 Million Plus Encryption Requirement

Perkins Coie

The U.S. Department of Health and Human Services (HHS) recently announced yet another HIPAA privacy and security settlement involving Protected Health Information (PHI) on a stolen laptop. Although this might be seen as just another stolen laptop, it is a useful reminder that stolen or lost mobile devices (laptops, tablets, smartphones, flash drives, etc.) are at the heart of many HIPAA settlements, and that a Covered Entity (CE) or Business Associate (BA) that fails to address the security of such devices in its risk analysis and in its policies and procedures is taking an unnecessary risk.

Although there is no way to guarantee that a laptop or other mobile device will never be lost or stolen, a carefully considered set of policies and procedures might protect a CE or BA from an HHS allegation of noncompliance. For example, the following are just a few of the issues that should be addressed:

  • Which members of the workforce have permission to remove mobile devices containing PHI from the premises and for how long?
  • What logging process is in place to track the removal and return of mobile devices that contain PHI?
  • What physical security measures must be followed when mobile devices containing PHI are removed from the premises (e.g., do not leave the device in a parked car)?
  • What type of encryption is required for PHI on mobile devices, and how must decryption keys and passphrases be stored and protected (in particular, never on or with the device itself)?
  • What remote deletion capabilities and loss reporting requirements exist?
  • What sanctions will be applied to workforce members who fail to follow the policies and procedures regarding mobile devices containing PHI?

In the recent settlement, the CE is a provider of wireless monitoring of patients with certain heart conditions. The PHI on the laptop was not encrypted, and the device was stolen from the car of one of the CE’s workforce members. HHS determined that the CE did not have an accurate and thorough risk analysis in place to identify potential risks and vulnerabilities, did not require encryption of PHI, and did not have final policies and procedures in place to control the movement of hardware and electronic media containing PHI into and out of the CE’s facilities.

In addition to the payment of $2.5 million, the CE agreed to a Corrective Action Plan (CAP) that will be in place for two years and will require, among other things, a risk analysis within 90 days of the settlement, revisions to the CE’s security policies and procedures with particular attention to device and media controls, and revisions to the CE’s HIPAA privacy and security training program. One of the more notable provisions of the CAP is the requirement that the CE certify that all portable media devices are encrypted, even though encryption of electronic PHI is an addressable, rather than a required, safeguard under the HIPAA Security Rule. Addressable does not mean optional: a CE or BA that chooses not to encrypt must document why encryption is not reasonable and appropriate in its environment and implement an equivalent alternative measure. Encryption also has a practical payoff beyond compliance, because PHI that is encrypted consistent with HHS guidance is not “unsecured” PHI, so the loss of a properly encrypted device generally does not trigger breach notification. This settlement suggests that compliance with the HIPAA regulations may often be less expensive and less onerous than the potential consequences of noncompliance.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising
