Portable Electronic Devices: Invaluable Health Care Tools, or Vectors for Data Breach? (The Answer: Both)
On May 13, 2016, California Correctional Health Care Services reported that a staff member's password-protected, but unencrypted, laptop computer had been stolen from a personal vehicle. As many as 400,000 individuals' personal data may have been compromised. Far from an isolated incident, this is the latest in a series of similar incidents involving loss, theft, or breach of portable electronic devices (PED) belonging to HIPAA covered entities (CE) and their business associates (BA). Regulated entities should be particularly concerned in light of the potential for financial and medical identity theft, and the U.S. Department of Health and Human Services (HHS), Office for Civil Rights’ (OCR) ongoing Phase 2 compliance audits.
PEDs, including laptops, flash drives, external hard drives, tablets, smartphones, backup media, and CDs, are ubiquitous to the point that it is difficult to imagine conducting business without them. They can be invaluable points-of-care in the health care setting, as they allow providers to immediately access a range of critical patient data, whether in the office or in less traditional care settings. But with boons come burdens, including unique data breach risks. The features that make these devices so appealing and useful – their size and portability – can also be their (and their owners’) undoing.
CEs and BAs lose a measure of control over electronic protected health information (ePHI) once it leaves the entity’s premises. According to a 2015 study of 949 large breaches between 2010 and 2013, more than half resulted from loss or theft of portable media or paper. PEDs, by their very nature, are easily lost, misplaced, or stolen. At the same time, in the health care setting, PEDs likely contain or provide users with access to myriad sensitive patient data, including clinical, demographic, and financial information. These two attributes combine to disastrous effect if patient data is not secured, i.e., encrypted or otherwise rendered unusable, unreadable, or undecipherable to unauthorized persons.
Breaches are always troubling and typically quite expensive, as they impose a risk of medical and financial identity theft upon the individuals whose data are compromised, and significant financial and reputational costs upon the CEs and BAs who must contain and mitigate the incidents. This is especially true in an era when electronic health data is more available, more exploitable, and more valuable than ever before.
Consider the following:
Of the 120 breaches reported thus far in 2016 on HHS’s “wall of shame” (i.e., the legally mandated website posting of breaches affecting 500 or more individuals), 19 involve a laptop computer or other PED.
Of the five largest of these 2016 reports, two involve the theft of a laptop computer at a health care provider. In addition to the California Correctional Health Care Services breach, a second security incident at a health care provider involved more than 200,000 individuals’ demographic and clinical information. This incident also resulted from the theft of a password-protected, but unencrypted, laptop computer – this time, from the facility’s “locked and alarmed” administrative office.
Many of OCR’s costliest enforcement actions against CEs to date have involved the loss or theft of PEDs:
OCR’s First Settlement: Providence Health & Services – July 2008 (Resolution Agreement (RA)/Corrective Action Plan (CAP) and $100,000 resolution amount). On several occasions over a 6-month period, backup tapes, optical disks, and laptops containing unencrypted ePHI of more than 386,000 patients were removed from the CE’s premises, left unattended, and subsequently lost or stolen. More than 30 patients filed complaints with OCR after the CE notified affected individuals under state notification laws and reported the incident to HHS. The Centers for Medicare and Medicaid Services (CMS) and OCR jointly investigated. Although OCR had to date resolved more than 6,700 Privacy Rule and Security Rule complaints by requiring covered entities to take corrective action measures, on this occasion it chose to enter into its first RA/CAP to address the systemic compliance concerns raised.
BlueCross BlueShield of Tennessee – March 2012 (RA/CAP and $1.5M resolution amount). OCR opened its investigation after the CE notified it that 57 unencrypted computer hard drives – containing more than 1 million individuals’ ePHI – had been stolen from a leased facility. According to OCR’s investigation, the CE received an alert that a server at the facility was unresponsive, but did not respond or investigate until three days later “because the unresponsive server message did not alert [the CE] that there had been a theft, and the server did not appear to adversely impact operations.”
OCR’s First Settlement With a Public Entity: Alaska Department of Health and Social Services – June 2012 (RA/CAP and $1.7M resolution amount). The CE reported to OCR that a USB hard drive, possibly containing ePHI, was stolen from an employee’s vehicle.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. – September 2012 (RA/CAP and $1.5M resolution amount). This breach involved the theft of an unencrypted personal laptop containing ePHI of patients and research subjects. According to OCR’s press release, these issues “continued over an extended period of time, demonstrating a long-term, organizational disregard” for Security Rule requirements.
First Settlement Involving a Breach Affecting Fewer Than 500 Individuals: Hospice of North Idaho – December 2012 (RA/CAP and $50,000 resolution amount). This breach involved the theft of an unencrypted laptop computer containing 441 individuals’ ePHI.
Adult & Pediatric Dermatology, P.C. – December 2013 (RA/CAP and $150,000 resolution amount). OCR opened its investigation after the CE reported that an unencrypted thumb drive containing ePHI had been stolen from a workforce member’s vehicle.
Concentra Health Services – April 2014 (RA/CAP and $1,725,220 resolution amount). OCR opened a compliance review of the CE after receiving a breach report that an unencrypted laptop had been stolen from one of its facilities. According to OCR, the CE had previously recognized in “multiple risk analyses” that lack of encryption for devices containing ePHI was a critical risk. While the CE had taken steps to begin encryption, OCR described its efforts as “incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization.”
QCA Health Plan, Inc. – April 2014 (RA/CAP and $250,000 resolution amount). OCR received a breach notification from the CE reporting that an unencrypted laptop containing 148 individuals’ ePHI had been stolen from a workforce member’s car. According to OCR, while the CE encrypted devices after it discovered the breach, it had failed to comply with “multiple requirements” of the Privacy and Security Rules.
Cancer Care Group, P.C. – August 2015 (RA/CAP and $750,000 resolution amount). OCR investigated the CE, a private physician practice consisting of 13 radiation oncologists, after receiving a breach report that the ePHI of approximately 55,000 individuals was compromised when a laptop bag containing unencrypted computer server backup media was stolen from a workforce member’s car. OCR’s investigation indicated that the CE had neglected to conduct an enterprise-wide risk analysis and lacked policies and procedures governing the removal of PEDs into and out of its facilities, both of which contributed to the occurrence of the breach.
Lahey Hospital and Medical Center – November 2015 (RA/CAP and $850,000 resolution amount). OCR’s investigation began after a laptop containing 599 individuals’ PHI was stolen from an unlocked treatment room at the hospital. The laptop, located on a stand accompanying a portable CT scanner, operated the scanner and produced images for viewing.
OCR Director Jocelyn Samuels emphasized: “It is essential that covered entities apply appropriate protections to workstations associated with medical devices such as diagnostic or laboratory equipment …. Because these workstations often contain ePHI and are highly portable, such ePHI must be considered during an entity’s risk analysis, and entities must ensure that necessary safeguards that conform to HIPAA’s standards are in place.”
North Memorial Health Care – March 2016 (RA/CAP and $1.55M resolution amount). OCR investigated North Memorial Health Care – a comprehensive not-for-profit health care system – after receiving a report that an unencrypted, password-protected laptop was stolen from the vehicle of a BA’s workforce member. This breach impacted the ePHI of 9,497 patients of the CE.
Feinstein Institute for Medical Research – March 2016 (RA/CAP and $3.9M resolution amount). The CE – a biomedical research institute – notified OCR that an unencrypted laptop computer containing approximately 13,000 patients’ and research subjects’ ePHI had been stolen from a workforce member’s car.
The amount of these RA/CAPs alone is testament to the fact that CEs and BAs should not expect OCR to be lenient when investigating breaches involving the loss or theft of unencrypted PEDs. PED security will likely be an area of focus in OCR’s ongoing Phase 2 compliance audits. Commenting on the Massachusetts Eye and Ear breach, former OCR Director Leon Rodriguez emphasized: “In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices .... This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”
Compliance Steps to Take Now.
With OCR’s Phase 2 audits underway, and considering the agency’s enforcement history with unencrypted PEDs, mobile device security should be top-of-mind for both covered entities and business associates. CEs and BAs can take important steps in this area to protect patients and themselves from the harmful effects of a PED breach.
1. Encrypt, encrypt, encrypt.
Encryption is an important concept in both the Breach Notification Rule (BNR) and the Security Rule. The BNR requires CEs to notify individuals, HHS, and sometimes the media, only of breaches of “unsecured protected health information.” Further, the BNR requires BAs to notify CEs of breaches of only unsecured PHI. Unsecured protected health information is PHI that has not been rendered “unusable, unreadable, or indecipherable to unauthorized persons” through methods authorized by HHS.
HHS guidance issued in 2009 states that ePHI has been rendered unusable, unreadable, or indecipherable if it has been encrypted by use of an “algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, and the confidential process or key that might enable decryption has not been breached.” The guidance specifies certain encryption processes for ePHI at rest and in motion that NIST has tested and judged to meet appropriate Security Rule standards. Consequently, if ePHI that is stored on a PED that is encrypted pursuant to the HHS guidance is breached, a CE or BA is not required to comply with the BNR’s reporting requirements with respect to the breach.
Further, the Security Rule’s “transmission security” technical safeguard standard requires CEs and BAs to implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network. In the context of PED security, it is important to ensure that appropriate technical security measures are applied to mobile devices that transmit ePHI over public Wi-Fi networks or unsecured cellular networks.
With respect to both ePHI at rest and in motion, encryption is an addressable implementation specification under the Security Rule, requiring CEs and BAs to implement a mechanism to encrypt ePHI “whenever deemed appropriate.” When is it “appropriate” to encrypt ePHI at rest and in motion? The answer is almost certainly “always,” particularly in the context of mobile device security. Former OCR Deputy Director of Health Information Privacy Susan McAndrew’s comments underscore this point: “Covered entities and business associates must understand that mobile device security is their obligation …. Our message to these organizations is simple: encryption is your best defense against these incidents.”
2. Include PED security as part of your organization’s top-to-bottom compliance.
Reasonableness is a cornerstone of HIPAA compliance. For example, the Security Rule requires that CEs and BAs protect against "reasonably anticipated" threats and hazards to, and unpermitted uses and disclosures of, ePHI. Regulated entities therefore enjoy a degree of flexibility in their approach to Security Rule compliance, and may use "any" security measures that allow them to "reasonably and appropriately implement" the Security Rule requirements.
Although CEs and BAs may take a flexible and reasonable approach to compliance, they still must comply – and comply fully – with applicable Privacy and Security Rule mandates. They cannot pick and choose among requirements, and selective implementation is fraught with enforcement peril.
For example, when investigating the Massachusetts Eye and Ear breach (2012 – theft of laptop computer), OCR determined that the following conduct occurred:
Failure to conduct a thorough analysis of risk to the confidentiality of ePHI on an ongoing basis, as part of its security management process. Specifically, the CE did not fully evaluate the likelihood and impact of potential risks to confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address these potential risks, document the chosen security measures and rationale for adopting them, and maintain ongoing reasonable and appropriate security measures.
Failure to maintain sufficient security measures to ensure, to a reasonable and appropriate level, the confidentiality of ePHI created, maintained, and transmitted using portable devices.
Failure to adequately adopt or implement policies and procedures to address security incident identification, reporting, and response.
Failure to adequately adopt or implement policies and procedures to restrict access to portable devices accessing ePHI to authorized users, or to provide the CE with a reasonable means of knowing whether and what type of portable devices were being used to access its network.
Failure to adequately adopt or implement policies and procedures governing receipt and removal of portable devices into, out of, and within the facility. Specifically, the CE had no reasonable means of tracking non-CE owned portable media devices containing ePHI.
Failure to adequately adopt or implement technical policies and procedures to allow access to ePHI via portable devices only by authorized persons or software programs. Specifically, the CE did not implement an equivalent, reasonable, and appropriate alternative to encryption that would have ensured confidentiality, or document rationale supporting the decision not to encrypt.
Commenting on this breach, former OCR Director Rodriguez emphasized that organizations must prioritize and implement Privacy and Security Rule compliance throughout the organization, “from top to bottom,” and must pay special attention to safeguarding ePHI held on PEDs.
3. Perform an accurate, thorough, organization-wide Security Rule risk analysis.
As part of the required Administrative Safeguards for ePHI, the Security Rule requires that CEs and BAs implement a security management process – policies and procedures to prevent, detect, contain, and correct security violations. A required implementation specification of the security management process is a risk analysis, which is “an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by” the CE or BA.
As with all Security Rule requirements, CEs and BAs can take a flexible approach to conducting their risk analysis, considering – among other things – their size, complexity, and capabilities as well as the probability and criticality of potential risks to ePHI. While the Security Rule’s emphasis is always on what is “reasonable and appropriate” for a particular entity, it is impossible to overstate the importance of the risk analysis as a foundational element of the CE’s or BA’s security management process. OCR’s enforcement bears this out.
4. Implement a Risk Management Plan to address vulnerabilities and risks identified in the Security Rule risk analysis.
The Security Rule requires CEs and BAs to implement a security management process in which they implement policies and procedures to “prevent, detect, contain, and correct security violations.” Risk analysis is the “detection” component, but the process does not stop there. Another required piece of the security management process is risk management: the implementation of security measures “sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level….”
OCR does not intend security management to begin and end with the risk analysis. Identifying vulnerabilities and risks is only half the battle. You also must do something about them. The Concentra Health Services breach (2014 – theft of unencrypted laptop) is but one example. When investigating Concentra, OCR found the CE had noted lack of encryption as a critical risk in “multiple” risk analyses. However, at the time of the breach, the CE had not completed, or consistently implemented, encryption as a protective measure. OCR also determined the following conduct occurred:
Failure to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.
Failure to sufficiently implement policies and procedures to detect, contain, and correct security violations under the security management process standard. Specifically, the CE did not adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level.
CEs and BAs should take a strong message from Concentra: Do not let your Security Rule risk analysis gather dust. The risk analysis should be an active, living document that guides timely corrective action. It should also inform the basis for, and evolution of, a risk management plan. The risk management plan should delineate concrete security measures, as well as timeframes for implementing them, for mitigating any risks to ePHI posed by the use of PEDs that were identified in the Security Rule risk analysis. Only then can it truly be part of a security management process, as the Security Rule intends.
5. Implement Policies and Procedures that Govern PEDs and train your workforce.
The Security Rule requires CEs and BAs to implement policies and procedures regarding the “receipt and removal of hardware and electronic media containing ePHI into and out of the facility, and the movement of these items within the facility.” In designing such policies and procedures, it is critical for CEs and BAs to consider, at minimum, how PEDs will be tracked and inventoried, whether workforce members will be permitted to use their personal PEDs for business purposes, how ePHI stored on PEDs will be backed up, and how PEDs will be sanitized prior to reuse or disposal.
Workforce training is fundamental to the effective implementation of security policies and procedures. The Security Rule makes clear that CEs and BAs must “[i]mplement a security awareness and training program for all members of its workforce (including management).” This must include training the workforce on the various physical safeguards and security measures the CE or BA has put in place, including policies and procedures that are specific to PEDs. It is also important to train the workforce on resisting social engineering techniques that compromise PEDs and all ePHI, such as phishing/spear-phishing, pretexting, quid pro quo attacks, and baiting.
6. Execute compliant business associate agreements.
A HIPAA “business associate” is a person or entity that creates, receives, maintains, or transmits PHI to provide certain services to the CE. Both the Privacy Rule and the Security Rule prohibit disclosing PHI to a business associate unless and until the BA has provided “written assurances” that it will appropriately safeguard the information. These assurances must be documented in a “written contract or other arrangements” that meets the requirements of a business associate agreement (BAA). A compliant BAA also clarifies and limits the BA’s permissible uses and disclosures of PHI, based upon the parties’ relationship and the services the BA performs. A BA may only use and disclose PHI as permitted or required by the BAA, or as required by law.
BAs are now directly liable under the HIPAA Rules for uses and disclosures that the BAA does not authorize. BAs are eligible for audit in Phase 2. To aid compliance, OCR offers sample business associate agreement provisions at HHS.gov. Covered entities should also assess (and re-assess as needed) how BAs are safeguarding data stored on PEDs and whether their BAs are ready for a security incident.
HealthIT.gov offers a wealth of information to providers seeking to optimize PED security. Recommended strategies include:
Evaluating your mobile device use policy, and re-evaluating as driven by the Risk Analysis, Risk Management Plan, or changes in the organizational or risk/vulnerability environment.
If your organization has a Bring Your Own Device (BYOD) policy, training workforce members on device registration, configuration requirements (such as installing remote disabling), and management practices.
Installing and activating remote wiping and/or remote disabling.
Disabling, and not installing or using, file sharing applications.
Researching mobile applications (apps) before downloading.
Destroying all stored health information before discarding or reusing the PED. Engage your IT department to ensure this is done correctly (“double deleting” is likely not enough).
Considering multi-factor authentication to secure the device. Strong passwords are necessary, but alone are no longer the “gold standard” for device security. A combination of strong password + biometric or randomly-generated code provides a higher level of protection.
Installing and enabling security software, and keeping it up-to-date.
In the world of health information security, the best defense is a good offense. With medical identity theft on the rise, and given the resulting dangers to patients and providers and the strong enforcement environment, now is the right time to optimize your organization’s Security Rule compliance. A robust risk analysis and risk management plan, well-tailored policies and procedures, and workforce training at all levels (including the C-suite) are essential to keeping your data safe.
For more information about HIPAA compliance and data security, contact Kim Metzger, Deepali Doddi, or another member of our Data Security and Privacy
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
Liu, V., Musen, M.A., and Chou, T. Data Breaches of Protected Health Information in the United States. JAMA 2015; 313(14): 1417-1473. doi:10.1001/jama.2015.2252. Further, as of August 28, 2015, approximately 30% of the large breaches (i.e., breaches affecting 500 or more individuals) that covered entities and business associates reported to OCR since the Breach Notification Rule went into effect in August 2009 involved laptop computers and other portable electronic devices. See HHS Office for Civil Rights, Lessons Learned from Recent HIPAA Breaches (September 2015), available at http://www.csrc.nist.gov/news_events/hipaa-2015/presentations/2-7-peters-update-hipaa-compli.pdf.
 A week after publicly disclosing the theft and providing the required breach notifications, the second health care provider reported the laptop computer had been returned via U.S. mail. The provider hired a third party to conduct a comprehensive forensic analysis, and determined the laptop had not been powered on since it went missing from the facility. As a result of the forensic analysis and “other circumstances of the case,” the provider reported “there is no evidence that information on the computer was ever accessed causing a breach by any unauthorized third party.”
If a consumer complaint alleging a violation of the HIPAA Privacy, Security, or Breach Notification Rules is one over which OCR has jurisdiction, OCR may intervene early and resolve the complaint informally, without investigation, by providing technical assistance to the CE or BA. If the agency investigates the entity and discovers noncompliance with the HIPAA rules, it may resolve the complaint by providing technical assistance and/or by requiring the entity to take appropriate corrective actions. OCR may also proactively initiate compliance reviews of CEs and BAs based on news reports, referrals from other agencies, or other evidence indicating potential HIPAA violations. Further, when OCR receives notification of a breach affecting 500 or more individuals from a CE or BA, OCR automatically initiates a compliance review of the CE and/or BA and investigates the reported breach. OCR reviews all reports of breaches affecting fewer than 500 individuals and selectively determines which of these small breaches to investigate. As is the case with complaint investigations, OCR may resolve compliance reviews and small breach investigations by providing technical assistance and ensuring that the regulated entity takes meaningful remediation steps. The vast majority of OCR’s investigations are resolved without settlement or financial penalty. If an investigation uncovers egregious or systemic HIPAA compliance concerns, however, OCR may exercise its enforcement discretion and seek a resolution agreement (RA) and a Corrective Action Plan (CAP) or even a civil money penalty (CMP). An RA is a settlement agreement between OCR and a regulated entity. Under the terms of the RA and CAP, the CE or BA may agree to pay a monetary settlement known as a “resolution amount” – which may be substantial – implement specific corrective actions, and/or agree to a monitoring period during which the CE or BA makes periodic reports to OCR of its compliance with the CAP. However, if an investigation cannot be resolved informally through an RA/CAP, OCR may issue a formal finding of violation and impose a CMP against the entity.
 45 C.F.R. § 164.404(a) (notification to individuals); § 164.406(a) (notification to media); § 164.408(a) (notification to HHS).
 45 C.F.R. § 164.410(a).
 Nevertheless, the loss or theft of an encrypted PED may still constitute a “security incident” that a CE or BA should address in accordance with its security incident procedures, which are required to be in place by 45 C.F.R. § 164.308(a)(6)(i). A BA may also still need to report the loss or theft of an encrypted PED to a CE pursuant to the terms of its business associate agreement with the CE.
 45 C.F.R. § 164.312(e)(1).
45 C.F.R. §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii). “Addressable” does not mean “optional.” When a standard includes addressable implementation specifications, the CE or BA must (1) implement the implementation specification if reasonable and appropriate, or (2) document why implementation is not reasonable and appropriate, and implement an equivalent alternative measure if reasonable and appropriate. (See 45 C.F.R. § 164.306(d)(3)).
 45 C.F.R. § 164.306(a)(2) and (3).
 45 C.F.R. § 164.306(b)(1).
45 C.F.R. §§ 164.308(a)(1)(i) and 164.308(a)(1)(ii)(A).
45 C.F.R. § 164.308(a)(1)(ii)(B).
 45 C.F.R. § 164.308 (a)(6)(ii).
 45 C.F.R. § 164.308(a)(3)(i).
 45 C.F.R. § 164.310(d)(1).
 45 C.F.R. § 164.312(a)(1).
 45 C.F.R. § 164.312(a)(2)(iv).
45 C.F.R. § 164.308(a)(1)(ii)(A).
 45 C.F.R. § 164.306(b).
 45 C.F.R. § 164.308(a)(1)(i).
 45 C.F.R. § 164.308(a)(1)(ii)(B).
 45 C.F.R. § 164.312(a)(2)(iv).
 45 C.F.R. § 164.308(a)(1)(i).
 Additionally, the Security Rule further requires CEs and BAs to evaluate their Security Rule policies and procedures in response to any operational changes affecting the security of ePHI within their organizations. See 45 C.F.R. § 164.308(a)(8). Thus, the introduction of a new type of PED into the business environment of a CE or BA warrants an evaluation of whether current security safeguards are sufficient to mitigate any risks to ePHI that would accompany the use of the PED. In turn, if such an evaluation results in the identification of new potential risks and vulnerabilities, the CE or BA should update its Security Rule risk analysis and Risk Management Plan accordingly.
 45 C.F.R. § 164.310(d)(1).
45 C.F.R. § 164.308(a)(5)(i).
 45 C.F.R. § 160.103.
 45 C.F.R. § 164.502(e)(1) (Privacy Rule); 45 C.F.R. § 164.314(a) (Security Rule).
 45 C.F.R. § 164.502(e)(2).
 45 C.F.R. § 164.502(a)(3).
 OCR makes clear that a CE or BA need not use the sample provisions to achieve compliance, and may change it “to more accurately reflect” the parties’ business arrangements. The provisions are designed to reflect the HIPAA Rules, and alone may not result in a binding contract under state law. Further, relying on the sample provisions may not be sufficient to comply with state law, and “does not replace consultation with a lawyer or negotiations between the parties to the contract.” See HHS Office for Civil Rights, Business Associate Contracts, available at http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html (accessed April 21, 2016).