OCR Reminds Healthcare Organizations to Secure Electronic Media and Devices With ePHI

The Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of protecting electronic protected health information (ePHI) stored on electronic devices and storage media.

The HIPAA Security Rule requires HIPAA-covered entities and their business associates to implement appropriate physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of ePHI.

Electronic devices are extensively used in healthcare and they have played an important role in the provision of healthcare services. Many of those devices – laptops, smartphones, and tablets for instance – are portable and can easily be misplaced, lost, or stolen, resulting in the exposure and impermissible disclosure of ePHI. The same is true for storage devices such as zip drives, memory cards, CDs and DVDs.

If physical controls are not put in place to limit physical access to electronic devices, in addition to data theft, it is possible that malicious individuals could install malware or ransomware, which could jeopardize the confidentiality, integrity, and availability of PHI.

HIPAA 45 CFR § 164.310(a)(1) explains that covered entities and their business associates need to implement policies and procedures that restrict access to electronic devices and media, and to the facilities in which those devices are housed, to prevent access by unauthorized individuals.

HIPAA 45 CFR § 164.310(d)(1) requires policies and procedures that govern the receipt and removal of electronic devices and media in and out of the facility.

When developing policies and procedures for managing portable electronic devices and media, it is a good idea for HIPAA covered entities and business associates to consider the following questions:

  • Are the devices and media being tracked in terms of current location, movement, and during repairs and upgrades?
  • Do policies and procedures cover the full life cycles of all electronic devices and storage media?
  • Is the person responsible for each device or storage media included in the movements and tracking records?
  • Have all employees (including management) received training on the correct way to handle electronic devices and media to ensure the security of ePHI?
  • Are appropriate technical controls being implemented such as encryption, access controls, and audit controls to ensure the confidentiality, integrity, and availability of ePHI?

Tracking electronic devices and media can be done in several ways. Manual tracking can be used by smaller healthcare organizations that only have a limited number of devices/media in use, but this can be difficult when the number of devices increases. Larger organizations should consider using specialized inventory management software and databases for tracking devices and media. Barcode systems and RFID tags make for easier organization, identification, and tracking of electronic devices and media.

Before deciding which device and media controls to implement, healthcare organizations and business associates should consider:

  • The results of their risk analysis and ongoing risk management processes
  • The size, complexity and capabilities of the hardware devices and software as well as their technical infrastructure
  • The cost of implementing security measures
  • The probability and criticality of potential risks to ePHI

Consideration must also be given to what happens to electronic devices and media at end of life. Policies and procedures must be developed and implemented to ensure that all ePHI stored on the devices/media is permanently erased to prevent the retrieval or reconstruction of data. This secure disposal of ePHI was covered in OCR’s July 2018 cybersecurity newsletter.

If healthcare organizations fail to implement appropriate controls, policies and procedures, there is considerable potential for the exposure of ePHI. Heavy fines can be issued when OCR determines that HIPAA Rules have not been followed.

The University of Texas MD Anderson Cancer Center was recently ordered to pay a civil monetary penalty of $4,348,000 for the failure to implement appropriate controls to ensure the confidentiality, integrity, and availability of ePHI on portable electronic devices.