Health Law Gurus

Securing ePHI in a Mobile Health World

Could a lost cell phone or laptop cost your organization millions of dollars?

Mobile devices have enabled vast improvements in the efficiency and quality of healthcare delivery. Through the use of mobile devices, patients and providers can access real-time information that can lead to better health outcomes through improving medication compliance and understanding of treatment instructions, increasing access to care through telehealth and remote care functionalities, and enhancing the quality of physician-patient interactions. Additionally, the ability to collect and track data regarding health outcomes and deviations has enormous benefits for population health research. However, the proliferation of mobile devices in the healthcare space can create issues under the Health Information Portability and Accountability Act (HIPAA). Mobile devices can lead to patient privacy issues and can raise numerous concerns over whether covered entities have sufficient safeguards in place to secure patient protected health information (PHI).

On April 24, 2017, the Office for Civil Rights (OCR), the office with the Department of Health and Human Services responsible for enforcing HIPAA, announced a settlement with CardioNet, a remote mobile provider of cardiac care services. The $2.5 million settlement is the first of its kind involving a mobile health provider and relates to a 2011 breach where an employee’s laptop computer containing unsecured electronic PHI (ePHI) was stolen from the employee’s car. During the investigation, OCR found that CardioNet’s risk analysis and risk management plan were inadequate and that the entity’s required policies and procedures were only in draft form and were never fully implemented. Further, CardioNet had no evidence of the development or implementation of any safeguards for ePHI on employee mobile devices.

This settlement highlights OCR’s heightened concern over the security of ePHI on mobile devices and its commitment to ensuring covered entities that use mobile devices to store ePHI are held accountable. The corrective action plan (CAP) issued as part of the settlement also reflects OCR’s expectations about how covered entities should handle mobile devices containing ePHI going forward. Thus, this settlement has sent an important message to covered entities about best practices for reducing vulnerabilities related to mobile devices.

So how can you minimize your entity’s risk of breaches stemming from the use of mobile devices?

First, it is critical to conduct a robust risk analysis that takes into account all of the ePHI that your entity creates, receives, maintains, or transmits. This risk analysis should be used to develop and implement a risk management plan, which identifies controls that your entity will implement to mitigate risks and outlines how your entity will implement such controls. Taking these steps helps to signal to OCR that your entity takes the security of its ePHI seriously and is working to minimize the risk of unauthorized access or disclosure.

Further, even though the HIPAA compliance process can be long and arduous, it is imperative that covered entities finalize and fully implement all HIPAA policies and procedures. Covered entities should document the implementation of such HIPAA policies and procedures and utilize training sessions to ensure that employees are aware of such policies and understand the magnitude of the potential risk of unauthorized access or disclosure.

Finally, it is important for covered entities to have policies and procedures in place regarding ePHI stored on mobile devices. All covered entities should utilize an encryption method to protect against access or disclosure in the event of the theft or loss of a mobile device. Taking these steps can help protect a covered entity from an expensive settlement with OCR while also enabling the entity to take advantage of the immense benefits of using mobile technology in the healthcare space.

To read a copy of the CardioNet press release, click here.

To ready a copy of the CardioNet Resolution Agreement and CAP, click here.