Healthcare Mobile Device Encryption: Is It Required?

Encryption of mobile device technology has become essential in the eyes of the OCR.  Although HIPAA treats encryption as an “addressable” safeguard –as opposed to a “required” safeguard— under the Security Rule, the following OCR settlements involving unencrypted mobile devices indicate that encryption is obligatory for HIPAA compliance.

As new technologies emerge and the use of mobile technology in healthcare expands, Covered Entities and Business Associates must ensure that they are monitoring administrative and security measures to keep pace with evolving risks. In each case, below, the sanctioned party failed to properly implement a risk management plan and deploy encryption to protect the data stored on mobile technology.

Stolen USB results in $2.2 million settlement

On January 18, 2017, OCR announced a HIPAA settlement with MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) after a USB data storage device containing electronic protected health information (ePHI) of 2,209 individuals was stolen from MAPFRE’S IT department.

In September 2011, MAPFRE filed a breach report after a USB data storage device was stolen from the IT department where it was left without safeguards overnight; the device included complete names, dates of birth, and Social Security numbers of the affected individuals. OCR’s investigation revealed that MAPFREE failed to conduct a risk assessment and implement security measures sufficient to reduce risk to a reasonable and appropriate level. MAPRE also failed to implement policies and procedures, workforce training for security awareness, and did not deploy encryption or an equivalent alternative measure on its laptops and removable storage media.

In addition to paying $2.2 million, MAPFRE agreed to conduct a risk analysis, implement a risk management plan, develop policies and procedures, conduct workforce training, and provide ongoing reports to OCR.

Lost mobile phone and laptop results in $3.2 million civil money penalty

On February 1, 2017, OCR issued a Notice of Final Determination including a civil money penalty for HIPAA violations against Children’s Medical Center of Dallas (Children’s) after two impermissible disclosures of the unsecured ePHI of over 6,200 individuals stored on mobile technology devices. Children’s is a pediatric hospital in Dallas, Texas, and is part of Children’s Health, the seventh largest pediatric health care provider in the nation.

Children’s filed a breach report in January 2010, reporting the loss of an unencrypted, non-password protected Blackberry device containing ePHI of 3,800 individuals at the Dallas/Fort Worth International Airport. Then in July 2013, Children’s filed a separate breach report indicating an unencrypted laptop containing ePHI of 2,462 individuals was stolen from its premises.  OCR’s investigation revealed that Children’s failed to implement a risk management plan even with prior recommendations to do so, as well as a failure to deploy encryption on its laptops, work stations, mobile devices, and removable storage media. Despite Children’s knowledge about the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed workforce members to continue using unencrypted laptops and other devices until 2013.

Laptop stolen from workforce member’s car costs wireless health services provider $2.5 million

On April 24, 2017, OCR announced a $2.5 million settlement with CardioNet after the unsecured ePHI of 1,391 individuals was impermissibly disclosed when a workforce member’s laptop was stolen from a vehicle parked outside the employee’s home. The laptop was unencrypted.  CardioNet is a Pennsylvania based wireless health services provider, offering remote mobile monitoring and rapid response to patients at risk for cardiac arrhythmias.

OCR’s investigation revealed that CardioNet failed to conduct a risk assessment and finalize and implement policies and procedures for compliance with the HIPAA Security Rule. OCR also cited gaps in policies governing the receipt and removal of hardware and electronic media into and out of its facilities, the encryption of such media, and the movement of mobile devices within its facilities.

According to the Corrective Action Plan, CardioNet agreed to conduct a risk assessment, develop and implement a risk management plan, implement secure device and media controls, review and revise its HIPAA training program, and produce ongoing reports for HHS.

For additional information about the use of encryption technology for HIPAA compliance, see HHS’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Also, see The Office of the National Coordinator for Health Information Technology’s guidance regarding Mobile Device Privacy and Security.

Please contact Anthony Halbeisen or Elana Zana if you have any questions about securing health data on mobile devices.