by Paul Rubell, Esq.
In an era where information is at our absolute disposal, it is imperative for health care providers to maintain the privacy, security, and integrity of their patients’ most personal medical records. Despite this, patient information continues to be vulnerable to both inadvertent and intentional disclosure.
Recently, two significant data breaches occurred: one by a national urgent care provider, and the other by a health insurance plan. In each case, inadequate technological measures had been taken to protect patients’ records. As a result, the Federal government imposed very substantial financial penalties upon each provider for their violations of the Health Insurance Portability and Accountability Act (HIPAA).
After investigating these security breaches, the Department of Health and Human Services (“HHS”) ruled that every healthcare business is required to encrypt its laptops and mobile devices to comply with the law, and to avoid imperiling patients’ privacy rights by placing them in harm’s way.
The whopping cash settlements that Concentra Health Services and QCA Health Plan, Inc. were required to pay should be an eye-opener to other healthcare providers, covered entities, and business associates that have not yet awoken to the government mandate to encrypt the data that resides on all of their laptops and mobile devices.
HHS enforces HIPAA’s two cornerstones of healthcare data integrity in America: the Privacy Rule and the Security Rule. The Privacy Rule protects the privacy of an individual’s personal health information (PHI). The Security Rule sets a national standard to secure electronic PHI. Together, these rules are designed to ensure that healthcare providers deploy sophisticated information storage and transmission technologies to prevent security breaches.
Encrypting data on mobile devices is too often overlooked by healthcare providers. It is much easier to secure a hard-wired network than a wireless mobile network. For this reason, the portability of laptops and mobile devices can put patients’ health information in jeopardy.
In Concentra’s case, a thief stole a laptop from a physical therapy center. An investigation by HHS revealed that Concentra was aware that none of its mobile devices used any encryption technology. As a result, Concentra agreed to pay $1,725,200 as a “resolution amount”. It was also required to adopt and deploy a corrective plan to avoid or mitigate future security breaches.
In contrast, QCA’s security breach involved a different but equally important compromise of patient data. An unencrypted laptop was stolen from a QCA employee’s car. The laptop contained personal health information concerning 148 patients. Although QCA had encrypted all of its mobile devices, the government determined that QCA’s efforts did not meet the national minimum requirement set forth in HIPAA’s Security Rule. The federal government compelled QCA to pay $250,000 as a “resolution amount”; to develop and implement a Corrective Action Plan to enhance its security measures; and to retrain its workforce.
In both of these enforcement actions, HHS imposed draconian financial penalties to send a strong signal to the healthcare community to use best practices to secure PHI, and to treat PHI with the highest punctilio of care.
In light of the panoply of information that is stored on today’s portable electronic devices, providers and others in the healthcare industry must take meaningful technological steps (including encryption) to prevent sensitive patient information from falling into the wrong hands.