Recent Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforcement action highlights that health care entities still have work to do in the area of encrypting devices, other than computers and laptops, that contain protected health information (PHI). OCR recently entered into a $3 million settlement agreement with the University of Rochester Medical Center in this regard. The settlement addressed reported breaches that involved the impermissible disclosure of PHI stemming from the loss of unencrypted laptops and flash drives. Although many health care organizations have gone through the process of properly encrypting their computers and laptops, it is important not to overlook other electronic devices that could contain PHI, such as mobile phones, tablets, or flash drives. These devices can contain large amounts of PHI and be even more vulnerable to loss or theft due to their small size.
Health care organizations should consider the following questions when deciding whether to encrypt devices other than computers and laptops:
- Is it necessary for workforce members, including providers, to have access to PHI on their phones, tablets, or removable devices such as a flash drive?
- Has the organization put in place policies and procedures limiting who may use a flash drive or company-issued phone or tablet?
- Has the organization put into place policies and procedures limiting what information can be put onto those devices?
- Does the organization require workforce members to get permission from the IT Security team or Security Officer before using a flash drive to store data?
- Is the organization keeping an accurate log of all devices issued, to whom, and what data is permitted on the devices? If so, does the organization ever audit this log?
- Has the organization adopted a policy of encrypting relevant smaller devices? If not, has the organization conducted and documented a proper risk analysis to substantiate their decision not to do so?
OCR has made it clear that although encryption is not required by the HIPAA Security Rule, it is a large hurdle to justify not using encryption to protect PHI on the health care entity's systems and devices. Organizations should not overlook these smaller devices, which can cause breaches of the same magnitude and significance as those stemming from lost laptops or unencrypted desktop computers.