The Office of Civil Rights (OCR) recently handed out a $1.04M penalty to Lifespan for a stolen laptop that was unencrypted. In this instance, an employee had a work laptop stolen out of their car. Key violations that incurred the penalties included the following:
- Failure to implement policies and procedures to encrypt PHI
- Failure to implement policies and procedures to inventory and track all devices that contain ePHI or access the network
- Failure to have business associate agreements in place
All devices, including cell phones, iPads, laptops, tablets, and desktop computers, must be inventoried and appropriately configured to protect ePHI. This includes personal employee devices that are used to access ePHI. Encryption covers both data at rest and data in transit, which includes activities such as cloud storage, emails, EMRs, etc. HIPAA Policies 6.007 – PHI/ePHI and Proprietary Data: Confidentiality, Use, Disclosure & Access, 6.017 – Remote Use Of / Access to ePHI, and 6.109 – Business Associates & Business Associate Agreements specifically cover these items, along with the entire HIPAA Manual. It is important to ensure you are fully implementing these policies in your practice to protect PHI/ePHI and prevent a data breach.
As many employees are working remotely, teleworking, or traveling back and forth with ePHI-containing devices, it is even more critical to ensure that your employees are aware of, and reminded of, their obligations to protect their devices and maintain appropriate security (confidential password, fingerprint/face scan, encryption, etc.). When you share security reminders and password management tips, be sure to document this, as it qualifies as part of your Security Awareness Program as required under HIPAA 6.009 – Security Risk Management: Risk Analysis, Risk Mitigation & Program Evaluation Assessment Policy.
If you have questions about how you can ensure you are not in violation of any HIPAA/HITECH Rules, please feel free to contact us.