Earlier this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced two, multimillion dollar settlements relating to “potential” privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Both settlements stem from the entity’s reports to OCR of the thefts of unencrypted laptops containing electronic protected health information (ePHI) even though one of the laptops was password protected.

First, on March 16, 2016, OCR announced that North Memorial Health Care of Minnesota agreed to pay $1,550,000 to settle potential violations of the HIPAA Privacy and Security Rules after a laptop containing the ePHI of 9,497 individuals was stolen from the vehicle of one of its contractors in July 2011.

OCR’s subsequent investigation determined that North Memorial failed to enter into a business associate agreement with this contractor, as required under the HIPAA Privacy and Security Rules. The investigation also discovered that North Memorial failed to conduct an organization-wide risk analysis to address all of the risks and vulnerabilities to its ePHI. OCR concluded that North Memorial overlooked “[t]wo major cornerstones of the HIPAA Rules” – conducting a security risk analysis; and entering into business associate agreements to require vendors with access to ePHI to do the same. In its press release, OCR emphasizes this “settlement underscores the importance of executing HIPAA business associate agreements.”

Then, on March 17, OCR announced a similar settlement. Feinstein Institute for Medical Research (FIMR) agreed to pay $3,900,000* to settle potential violations of the HIPAA Privacy and Security Rules following the September 2012 theft of an unencrypted laptop containing the ePHI of 13,000 patients and research participants from an employee’s car.

OCR’s investigation found FIMR had an inadequate security management process, which OCR described as “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.” OCR criticized FIMR for failing to adopt policies and procedures for authorizing access to ePHI by its workforce members and for governing the receipt and removal of laptops that contained ePHI into and out of its facilities. OCR also criticized FIMR for failing to “implement proper mechanisms for safeguarding ePHI as required by the Security Rule,” namely encrypting laptops containing ePHI.

*Note that HIPAA sets the maximum penalty for all violations of an identical provision of the law at $1,500,000 per calendar year. Violations of multiple provisions extending over multiple years easily renders a covered entity and its business associate subject to a penalty greater than this per year cap.

Takeaway: Conduct a Security Risk Analysis to Determine Whether to Encrypt

A HIPAA covered entity is not required under the HIPAA Privacy and Security Rules to encrypt laptops and other mobile devices, but it should conduct a risk analysis to determine whether encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of ePHI.

A typical risk analysis focuses on the probability of an occurrence in conjunction with the consequences of an occurrence. In conducting such an analysis, bear in mind that theft is the leading cause of reported healthcare data breaches, by far. As we previously reported in our article entitled “Federal Government Report on Data Breaches in Health Care”, the theft of electronic equipment/portable devices or paper containing ePHI makes up more than half of all reported data breaches. OCR warns, “In most reported theft cases, laptop computers, desktop computers, and other portable electronic devices, such as hard drives and USB drives, either were stolen from a covered entity’s facility during a break-in that occurred after the entity’s regular business hours, or from an employee’s vehicle.” There are also significant financial consequences posed by the thefts of unencrypted laptop computers and other mobile devices. These two recent settlements highlight the millions it may take to resolve potential HIPAA violations, and there are potential additional expenses relating to the legal, investigative and administrative costs of notifying patients about a data breach.

It is also important to note that while covered entities and their business associates must provide notification to patients following a breach of unsecured ePHI, no notification is required if the ePHI is secured, i.e., it has been “rendered unusable, unreadable, or indecipherable to unauthorized individuals” by the process of encryption.