The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the National Learning Consortium, have joined forces to bring you an accessible educational tool on mobile device security. There are brief resources to read and to watch online. I like the common-sense approach and the list of suggested mobile device protections. I also find it amusing that there is a waiver at the end of each page (i.e., following these steps does not guarantee that the regulators will find you in compliance). Well, it certainly can't hurt.
This resource is especially timely in light of the January 2, 2013 press release regarding Hospice of North Idaho (“HONI”), which became nationally known not for its compassionate end-of-life care, but as the first organization to settle a HIPAA Security Rule/HITECH violation involving a breach affecting fewer than 500 individuals.
HONI reported to DHHS that an unencrypted laptop containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. OCR investigated and found that HONI had not conducted a risk analysis to identify the gaps in its ePHI safeguards, and had no policies or procedures in place to address mobile device security, as required by the HIPAA Security Rule. HONI agreed to a $50,000 payment and a corrective action plan. The monetary penalty might have been far greater, but HONI got right to work improving its compliance program and processes. That type of immediate action and accountability impresses OCR, and may lessen the severity of an enforcement penalty.
OCR Director Leon Rodriguez said: “This action [against HONI] sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” He also stated that “[e]ncryption is an easy method for making lost information unusable, unreadable and undecipherable.” Encryption is what gives ePHI its “safe harbor” under the breach notification rule: if a lost or stolen device was encrypted in a manner consistent with HHS guidance, and the decryption key was not compromised along with it, the provider does not need to report the loss or exposure as a breach.
This is only the beginning. Although OCR says that only a small percentage of reported breaches are investigated, who wants to be one of the few? Protecting the ePHI on your mobile devices, including laptops, tablets, smartphones and flash drives, is a reasonable place to start.