Mobile Devices, HIPAA Compliance & Risk Analysis

Healthcare Law
Written By Reza Ghafoorian

In the first phase of HIPAA compliance audits conducted in 2011/2012, OCR revealed many covered entities were struggling with compliance.  In this first phase, OCR also discovered that failure to conduct a comprehensive, organization-wide risk assessment was one of the biggest areas of noncompliance with HIPAA Rules.  The risk assessment is fundamental to developing a good security posture.  A covered entity will be unaware of security vulnerabilities that pose a risk to the confidentiality, integrity, and availability of ePHI, if it does not conduct a proper risk assessment.  Covered provides should consider implementing risk analysis sooner than later, as OCR embarks on its second phase of HIPAA compliance audits, after a five year delay.

Mobile devices, including cell phones, tablets, and laptops increase the risk associated with breach of electronic Protected Health Information (ePHI).  Entities regulated by HIPAA Privacy, Security and Breach Notification Rules should consider including mobile devices in their HIPAA risk analysis and take steps to reduce risks identified with the use of mobile devices.

OCR Guidance provides the following tips to enhance mobile device security to protect and secure PHI while using mobile devices:

  • Implement policies and procedures regarding the use of mobile devices in the work place – especially when used to create, receive, maintain, or transmit ePHI.

  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.

  • Install or enable automatic lock/logoff functionality.

  • Require authentication to use or unlock mobile devices.

  • Regularly install security patches and updates.

  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.

  • Use a privacy screen to prevent people close by from reading information on your screen.

  • Use only secure Wi-Fi connections.

  • Use a secure Virtual Private Network (VPN).

  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.

  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.

  • Include training on how to securely use mobile devices in workforce training programs.

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general and can apply to healthcare providers, health plans, healthcare clearinghouses and all other covered entities, as well as business associates (BAs) of covered entities.

The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation.  The four categories used for the penalty structure are as follows:

Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules.

Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules).

Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.

Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.

Each category of violation carries a separate HIPAA penalty.  It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected and the nature of the data exposed.

Category 1: Minimum fine of $100 per violation up to $50,000.

Category 2: Minimum fine of $1,000 per violation up to $50,000.

Category 3: Minimum fine of $10,000 per violation up to $50,000.

Category 4: Minimum fine of $50,000 per violation.

In addition to civil financial penalties for HIPAA violations, criminal charges can be filed against the individual(s) responsible for a breach of PHI.

Tier 1:   Reasonable cause or no knowledge of violation – Up to 1 year in jail.

Tier 2:   Obtaining PHI under false pretenses – Up to 5 years in jail.

Tier 3:   Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail.

Mobile devices are increasingly common in the workplace and their use can be convenient and productive.  However, organizations should realize the risk associated with usage of mobile devices, conduct risk analysis and take proper measures to reduce risks identified with the use of devices to a reasonable and appropriate level.

Reza Ghafoorian
Previous

Diagnostics 101: The Expanding Doctrine of Preemption
Next

Employer Liability, ERISA & Administration of Group Health Benefit Plans