On November 5, 2019 the Office of Civil Rights announced a settlement with the University of Rochester Medical Center (URMC) in which URMC agreed to pay $3 million to the OCR and take “substantial corrective action” to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). It was alleged that URMC’s actions violated both the Privacy Rule and the Security Rule under HIPAA. So what did URMC do to warrant such a large settlement amount? They failed to encrypt.
In 2013 and again in 2017, URMC discovered that protected health information (PHI) had been improperly disclosed: a flash drive had been lost and a laptop had been stolen, and neither device was encrypted. URMC had never conducted an enterprise-wide risk assessment to look at how PHI came into, flowed through, was used or stored in, or left the various departments of URMC. In other words, URMC had very little idea how secure PHI was within the organization. In addition, URMC failed to “implement proper security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, to utilize device and media controls” and, most importantly, failed to “employ a mechanism to encrypt and decrypt electronic protected health information when it was reasonable and appropriate to do so.” Even after two prior investigations, and after identifying the lack of encryption as a high risk, URMC still permitted the use of unencrypted mobile devices such as flash drives and laptops.
Encryption is an addressable specification under HIPAA, which means a covered entity must either implement the specification as written, implement an equivalent alternative with a written explanation of why, or document in writing why implementing the specification is not appropriate for the organization. Having said that, if the OCR knocks on the door to investigate an impermissible disclosure of PHI on an unencrypted mobile device, the first question they will ask is “why was encryption not used?”
The cost of encrypted flash drives has plummeted in the last 18 months; every laptop, tablet and cell phone sold now comes with built-in software that allows the user to encrypt the device, and email encryption services are a dime a dozen these days. There really is no reason not to use encryption for all electronic protected health information.
A solid enterprise-wide risk assessment is required, but it isn’t a “one and done” proposition. Providers should use the risk assessment to prioritize their compliance efforts and make sure that when a risk area is identified, a mitigation effort is put in place to address it. When it comes to preventing a HIPAA violation, a little bit of insurance (risk assessments and encryption) goes a very long way!