The HITECH amendments to HIPAA require covered entities to report what HITECH considers a "breach" of unsecured electronic Protected Health Information (EPHI). If unsecured EPHI is compromised, the HITECH amendments require an analysis to determine if the compromise rises to the level of a "breach" under HIPAA that must be reported. If the entity determines that the compromise is a reportable breach, the covered entity must notify the individual whose data was compromised and the Department of Health and Human Services (HHS). Since self-reporting began in 2009, there have been more than 450 reported incidents. Of the twenty largest HIPAA HITECH breaches reported since January 2011, only 3 were due to internet hacking. Loss or theft of portable devices was the most frequent cause of a reportable breach. Employee training and diligent IT policies could have prevented some of these breaches.
Encryption Exemption to Breach: A diligent IT policy requiring the encryption of all portable devices possibly could have prevented the loss or theft of the device from becoming a reportable event (inviting an investigation from HHS). In order to be a reportable breach under HITECH, the incident must involve:
- unauthorized access to
- unsecure data, the access to which data presents a
- significant risk of financial, reputational or other harm, and
- no exception to the breach is available under the regulations.
If an encrypted device were lost or stolen, the data could be considered secure and not subject to a reporting obligation because of the encryption.
Employee Training and Distribution Policies: Employees of covered entities and business associates should communicate clearly their expectations regarding mobile devices. Covered entities and business associates should have employees sign documents and training should specifically address mobile device security. Some common issues that should be addressed in policies and training include:
- Are employees permitted to leave the mobile device unattended in a hotel room? If yes, is it the expectation that the device be locked in a hotel safe?
- Is it permissible to leave the device in the employee’s car? If yes, is it permissible for the device to be left in the vehicle’s interior or only in the trunk?
- Are employees permitted to transfer data to USB storage devices? If yes, are there separate rules of behavior for securing the device?
The percentage of HITECH breach by loss or theft indicate that there is still much covered entities can do to prevent reportable breaches. The suggestions above are just a few common examples of how we can all learn from the mistakes of others. If you have any questions, please contact PR@BASusa.com.