Healthcare Mobile Device Encryption: Is It Required?

Encryption of mobile devices has become essential in the eyes of OCR. Although the HIPAA Security Rule treats encryption as an "addressable" safeguard rather than a "required" one, addressable does not mean optional: a Covered Entity or Business Associate must either implement encryption or document why it is not reasonable and appropriate and implement an equivalent alternative measure. The following OCR settlements involving unencrypted mobile devices show that, in practice, OCR expects encryption (or a documented equivalent) for HIPAA compliance.

As new technologies emerge and the use of mobile technology in healthcare expands, Covered Entities and Business Associates must ensure that their administrative, physical and technical safeguards keep pace with evolving risks. In each case below, the sanctioned party failed to properly implement a risk management plan and failed to deploy encryption to protect the data stored on mobile devices.

Stolen USB results in $2.2 million settlement

On January 18, 2017, OCR announced a HIPAA settlement with MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) after a USB data storage device containing the electronic protected health information (ePHI) of 2,209 individuals was stolen from MAPFRE's IT department.

In September 2011, MAPFRE filed a breach report after a USB data storage device was stolen from its IT department, where it had been left without safeguards overnight; the device contained the complete names, dates of birth, and Social Security numbers of the affected individuals. OCR's investigation revealed that MAPFRE failed to conduct a risk assessment and to implement security measures sufficient to reduce risk to a reasonable and appropriate level. MAPFRE also failed to implement policies and procedures and security awareness training for its workforce, and did not deploy encryption or an equivalent alternative measure on its laptops and removable storage media.

In addition to paying $2.2 million, MAPFRE agreed to conduct a risk analysis, implement a risk management plan, develop policies and procedures, conduct workforce training, and provide ongoing reports to OCR.

Lost mobile phone and laptop results in $3.2 million civil money penalty

On February 1, 2017, OCR issued a Notice of Final Determination imposing a civil money penalty for HIPAA violations on Children's Medical Center of Dallas (Children's) after two impermissible disclosures of the unsecured ePHI of over 6,200 individuals stored on mobile devices. Children's is a pediatric hospital in Dallas, Texas, and is part of Children's Health, the seventh largest pediatric health care provider in the nation.

Children's filed a breach report in January 2010 reporting the loss, at Dallas/Fort Worth International Airport, of an unencrypted, non-password-protected BlackBerry device containing the ePHI of 3,800 individuals. Then, in July 2013, Children's filed a separate breach report indicating that an unencrypted laptop containing the ePHI of 2,462 individuals had been stolen from its premises. OCR's investigation revealed that Children's failed to implement a risk management plan despite prior recommendations to do so, and failed to deploy encryption on its laptops, workstations, mobile devices, and removable storage media. Despite knowing about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children's issued unencrypted BlackBerry devices to nurses and allowed workforce members to continue using unencrypted laptops and other devices until 2013.

Laptop stolen from workforce member’s car costs wireless health services provider $2.5 million

On April 24, 2017, OCR announced a $2.5 million settlement with CardioNet after the unsecured ePHI of 1,391 individuals was impermissibly disclosed when a workforce member's laptop was stolen from a vehicle parked outside the employee's home. The laptop was unencrypted. CardioNet is a Pennsylvania-based wireless health services provider offering remote mobile monitoring and rapid response to patients at risk for cardiac arrhythmias.

OCR's investigation revealed that CardioNet failed to conduct a risk assessment and failed to finalize and implement policies and procedures for compliance with the HIPAA Security Rule. OCR also cited gaps in CardioNet's policies governing the receipt and removal of hardware and electronic media into and out of its facilities, the encryption of such media, and the movement of mobile devices within its facilities.

According to the Corrective Action Plan, CardioNet agreed to conduct a risk assessment, develop and implement a risk management plan, implement secure device and media controls, review and revise its HIPAA training program, and produce ongoing reports for HHS.

For additional information about the use of encryption technology for HIPAA compliance, see HHS's Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. That guidance matters in practice: ePHI encrypted in a manner consistent with it is considered "secured," so the loss or theft of such a device is not a reportable breach under the HIPAA Breach Notification Rule, whereas each of the incidents above involved unencrypted, and therefore unsecured, ePHI. Also see the Office of the National Coordinator for Health Information Technology's guidance regarding Mobile Device Privacy and Security.

Please contact Anthony Halbeisen or Elana Zana if you have any questions about securing health data on mobile devices.


Failure to Provide Communication Aid Costs Hospital $20K

John Dempsey Hospital agreed to pay $20,000 in compensation to a patient after failing to provide auxiliary communication aids during an emergency department visit. The patient, who is deaf and communicates using American Sign Language, had to rely on a companion for all treatment communications. In addition to compensating the patient, the hospital is required to undergo a comprehensive review of its corporate policies and procedures and to implement changes that enhance access, address intake and grievance procedures, adjust technology capabilities and institute staff training to ensure compliance with Section 1557 of the Affordable Care Act.

Despite requesting interpreter services upon arrival at the hospital's emergency department, the patient was not provided an interpreter or video remote interpreting services and had to rely on a companion to interpret throughout the visit. After receiving a complaint about the incident, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), in partnership with the U.S. Attorney's Office for the District of Connecticut, conducted a compliance review of the hospital's policies and procedures to determine compliance with the nondiscrimination provisions of Section 1557 of the Patient Protection and Affordable Care Act (ACA). This is the first OCR settlement agreement under Section 1557 that provides monetary damages specifically to a patient.

In general, Section 1557 builds on existing federal nondiscrimination laws and regulations to prohibit discrimination based on race, color, national origin, sex, age or disability in health programs or activities that receive federal financial assistance. The law applies to most hospitals, skilled nursing facilities, ambulatory surgical centers, home health agencies, hospices, federally qualified health centers, rural health clinics, physician practices, laboratories, pharmacies, outpatient rehabilitation facilities, ESRD dialysis centers and state Medicaid agencies, as well as insurers that participate in the ACA's Health Insurance Marketplace.

HHS issued the final rule implementing Section 1557 in 2016. As of October 2016, entities subject to the rule must post notices of their nondiscrimination practices, along with taglines in at least the top 15 non-English languages spoken in the state, alerting individuals with limited English proficiency to the availability of language assistance services. HHS has published sample notice and tagline documents. In addition, entities subject to the rule that have 15 or more employees must designate a compliance coordinator and adopt a grievance procedure. Section 1557 requires health care entities to ensure effective, accessible communication with individuals who need interpreters, including individuals with disabilities and individuals with limited English proficiency.

The final rule requires health care entities to take appropriate steps to ensure that communications with individuals with disabilities are as effective as communications with others, using appropriate auxiliary aids and services such as alternative formats, sign language interpreters, and video remote interpreting. Health care entities must also make all programs and activities provided through electronic and information technology equally accessible. In addition, the final rule requires health care entities to take reasonable steps to provide meaningful access for individuals with limited English proficiency by offering qualified oral interpretation and written translation services. See HHS's limited English proficiency resources on effective communication for additional guidance.

Where noncompliance with Section 1557 cannot be corrected by informal means, enforcement can include suspension, termination or refusal to grant or continue federal financial assistance, referral to the Department of Justice, and any other means authorized by law. Section 1557 also provides a private right of action, allowing individuals to challenge violations and recover compensatory damages. Affected entities are encouraged to develop and implement a language access plan so that they are prepared to take reasonable steps to provide meaningful access to each individual.

HHS has created several resources regarding ACA Section 1557 compliance: see general information and FAQs.

For further information or if you have any questions about ACA Section 1557 please contact Anthony Halbeisen.