The Office of Civil Rights’ recent assessment of a $1.5 million fine for HIPAA violations should be a shrill wakeup call to all health care organizations that use (or allow their physicians to use) portable devices containing patient identifiable information. The sanction stems from a physician’s lost laptop computer containing protected health information (ePHI).
Importantly, the OCR’s investigation could not establish whether ePHI was used or even accessed, partly because the device was lost in a foreign country. However, it was not necessary to definitively conclude if any data had been compromised; the OCR was more concerned that the offending provider had not implemented appropriate measures mandated by the HIPAA Security Rule which could have reduced, mitigated or eliminated the risk altogether. For the OCR, the heart of the matter was the fact that the covered entity failed to fully assess and evaluate the risk to the confidentiality and security of ePHI on portable devices used by its physicians in their personal activities, and failed to have a process to address when such devices are lost. In this case, it was the incident itself that caused the organization to formalize and take responsive measures. The barn door was closed after the horse got out. To the OCR, the covered entity’s reactive, rather than proactive approach, was totally at odds with HIPAA Security Rule concerns and the mandated obligations of covered entities.
The facts are fairly simple. A research physician from a Massachusetts specialty hospital facility was traveling to South Korea to give a lecture when he misplaced his backpack in a public area. A personal laptop, containing health information of several thousand patients, was in the backpack. The computer was eventually “detected” a few weeks later when it was connected to the internet, and its hard drive was later remotely “wiped”, however, the device was not recovered. The incident was then reported to the OCR in accordance with the breach notification requirements of the HIPAA Security Rule.
This is an instructive case for a number of reasons. For one, it is important to recognize that the OCR’s investigation was prompted by the obligatory “breach notification” it received from the provider. The OCR’s inevitable investigation in turn revealed that there was significant noncompliance with multiple aspects of the Security Rule. Notably, the OCR determined that the covered entity had lax control over, and little knowledge concerning its own physicians’ use of laptops issued to them by the organization. Physicians were permitted unfettered access to the entity’s information, took their devices off-site where they were used for personal activities, and could remotely download information and install applications freely to these personal devices. Further, while the laptop in question was password protected and had “LoJak” tracking and wiping software, encryption was not employed. Further, many weeks passed before a hard drive wipe was effectuated and only after it was determined that the device had been connected to the internet. In short, the OCR concluded that the entity had neither conducted an adequate security assessment nor established necessary policies or procedures addressing laptop use, and had not promulgated an appropriate response procedure. Instead, it reacted to the lost laptop in a scramble of ad hoc activity and only instituted organization-wide changes as a result of this episode.
The most significant issue for the OCR in assessing a $1.5 million fine was not whether the incident caused actual harm to any patient, but the degree of risk of potential harm and whether reasonable steps and safeguards should have been in place to mitigate any data breach. In short, the entity should have anticipated laptops would be lost and it should have addressed the attendant risks through a deliberate process and in a manner that is “situationally” appropriate for the organization. Here, the organization abrogated such a duty, thus prompting a fine that may be disproportional to the perceived harm. This outcome should prompt providers to seriously regard the HIPAA Security Rule, and the OCR’s enforcement efforts, and to abandon any “no harm, no foul” notions they might apply when security breaches occur and must be reported