Failure to Encrypt Hardware Results in $3 Million Fine – Lexology

On November 5, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that a New York Medical Center (Medical Center) will settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying a civil penalty of $3 million and entering into a Corrective Action Plan. The Medical Center is a HIPAA covered entity that includes hospital and academic medicine components.

According to OCR, the Medical Center had experienced several issues with lost or stolen unencrypted devices. OCR investigated the Medical Center in 2010 in a matter relating to an unencrypted flash drive and had provided technical assistance to the Medical Center. In the course of receiving that technical assistance, the Medical Center identified a lack of encryption as a high risk to its electronic protected health information (ePHI). Despite identifying this risk, the Medical Center continued to allow the use of unencrypted mobile devices. In 2013, the Medical Center notified OCR of the breach of unsecured ePHI, specifically the loss of an unencrypted flash drive. In 2017, the Medical Center notified OCR that an unencrypted personal laptop that contained Medical Center ePHI had been stolen, which resulted in the Medical Center impermissibly disclosing the ePHI of 43 patients.

OCR did not consider the risk analysis conducted by the Medical Center to be an accurate and thorough analysis of all potential risks and vulnerabilities to the confidentiality, integrity and availability of all of the ePHI the Medical Center was responsible for safeguarding. Further, OCR determined that the security measures implemented by the Medical Center to reduce risks and vulnerabilities to a reasonable and appropriate level were insufficient. OCR further found that the policies and procedures governing hardware and electronic media, including receipt and removal and movement of such hardware and electronic media in, out and within the Medical Center were also insufficient. Finally, OCR determined that the Medical Center did not implement mechanisms that were sufficient to either (1) encrypt and decrypt ePHI, or (2) document why encryption was not reasonable and appropriate while implementing an equivalent alternative measure to safeguard ePHI.

The Corrective Action Plan requirements include conducting a risk analysis, developing and implementing a risk management plan and updating policies and procedures and training materials.

Practical Takeaways

As a result of this enforcement action, covered entities and business associates should take note of the following:

More:
Failure to Encrypt Hardware Results in $3 Million Fine - Lexology