On February 1, the HHS Office of Civil Rights (OCR) announced a $3.2 million HIPAA settlement with a children’s hospital. In 2012, the hospital filed a timely breach report involving an unencrypted BlackBerry that was lost at the airport and contained ePHI for 3,800 patients. In 2013, the hospital filed another breach report, this time involving a stolen unencrypted laptop with ePHI for 2,462 patients.
The easy lesson here is: Encrypt, Encrypt, Encrypt. And, until you can encrypt: No PHI on unencrypted devices. Period.
There’s a broader lesson, too. When the OCR investigated, it found multiple HIPAA violations: the hospital had not implemented risk management plans, even though it had been warned to do so. The OCR also found that the hospital knew about the risk of unencrypted PHI in 2007, yet continued to issue unencrypted BlackBerries to nurses until 2013. In other words: once a provider knows about a risk, the OCR expects mitigation to happen fast.
It's time for a quick HIPAA check-up. Can you say with confidence that the following statements are true?
- We conducted a HIPAA Security Risk Assessment within the past year.
- All laptops and workstations that store ePHI are encrypted.
- All portable devices, such as USB devices, that store ePHI are encrypted.
- Staff have been trained on encryption and remote access policies within the past 6 months.
- We have mitigated all security risks we are aware of.
If one or more of the above statements is not true for your organization, it's time to focus on HIPAA.