Many U.S. employers are now allowing employees to use their own personal handheld devices and laptop computers for work-related purposes. As the age of employer-provided devices is coming to an end and “bring your own device” (“BYOD”) becomes more and more common, privacy and data protection issues are starting to occur in unexpected ways. In particular, what protections should organizations that are covered entities or business associates under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) put in place to protect individually identifiable health information on portable devices? HIPAA requires covered entities and business associates to conduct a security risk assessment, and it is now clear that any such risk assessment should be broad enough to adequately explore and provide a foundation for addressing the increased risks that may arise in the BYOD context.
One business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), learned this lesson the hard way after an employee’s iPhone was stolen. The iPhone was unencrypted and not password protected, and the theft resulted in the loss of protected health information of 412 nursing home residents (including social security numbers, diagnosis and treatment information, medical procedures, names of family members and legal guardians, and medication information). The Department of Health and Human Services, Office of Civil Rights (“HHS”) recently announced that it reached a settlement with CHCS that includes a payment of $650,000 and a Corrective Action Plan.
In announcing the settlement, HHS reiterated that business associates, like covered entities, are required to implement protections under the HIPAA Security Rule with respect to the electronic protected health information they create, receive, maintain or transmit on behalf of a covered entity. Such protections include an enterprise-wide risk analysis and a corresponding risk management plan that adequately addresses potential threats to electronic protected health information. During its investigation, HHS learned that CHCS had no HIPAA policies addressing mobile devices containing protected health information that were taken off CHCS’s premises, nor any policies on the steps to be taken in the event of a security incident. In addition, CHCS had not conducted a risk analysis or implemented a risk management plan.
Too often business associates fail to complete a sufficiently broad risk analysis and address all the related risks to electronic protected health information, especially risks relating to devices (e.g., smartphones, laptops or tablets) that are owned by employees rather than the covered entity or the business associate. For example, does your organization require that all portable devices be password protected and encrypted? Do you require that portable devices contain a locking feature or automatic log-off? Does your organization have the ability to remotely wipe these devices clean? Do you require employees to register their personal devices with your organization? What happens when an individual is no longer employed by your organization? Can e-mail/system access for former employees be removed remotely? Do you have policies that prohibit employees from sharing their mobile devices with others outside of your organization or from using unsecured, public Wi-Fi networks?
Careful thought and consideration should go into all aspects of your risk management plan, and your HIPAA policies and procedures should contain clear protocols for when portable electronic devices are lost or stolen. Covered entities and business associates should review the Security Risk Assessment Tool, which HHS developed to assist with HIPAA compliance.