Unencrypted laptop computers and other mobile devices pose significant risks to the security of patient information, reminds the U.S. Department of Health and Human Services Office for Civil Rights (OCR) in its announcement yesterday that it collected $1,975,220 from two entities collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. All HIPAA covered entities and business associates should review these resolutions agreements as they are instructive to handling a key area of risk for just about any such organization – electronic mobile devices – which are frequently lost or stolen, and not encrypted.

In one of the cases, OCR found that the covered entity, Concentra Health Services:

failed to adequately remediate and manage its identified lack of encryption or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent alternative measure to encryption, if reasonable and appropriate.

In other words, OCR claims that although Concentra identified the lack of encryption as a risk, OCR determined that it failed to adequately remediate or manage the risk. It is also important to note, however, that OCR acknowledged that encryption is an “addressable” standard under the HIPAA Security Rule. This means that covered entities and business associates need not encrypt such devices, provided they determine encryption is not reasonable and appropriate, and implement an equivalent alternative measure(s) to encryption, if reasonable and appropriate, and document that determination.

In the other case, following receipt of a breach notice in February 2012 from the covered entity concerning a stolen unencrypted laptop with protected health information of 148 individuals, OCR investigated and contends that the covered entity failed to comply with multiple requirements of the HIPAA Privacy and Security Rules, including conducting a thorough risk assessment.

So, there are a number of lessons for covered entities and business associates from these resolutions including:

  1. Conduct a risk assessment to identify vulnerabilities. HHS recently released a tool to assist covered entities with this step.
  2. Doing a risk assessment is not enough. Risks identified in the assessment have to be dealt with completely and consistently.
  3. While encryption may be preferred, it is not required so long as the entity identifies and applies alternative measures that are reasonable and appropriate, and documents that determination. But remember that depending on the information stored on the laptops or other mobile storage devices, states such as Massachusetts may require those laptops and devices be encrypted.