HIPAA requirements may just be as complex, at times hard to sort out and thoroughly complete as majority of the people under the healthcare industry experiences. A published settlement by the U.S. Department of Health & Human Services (HHS) on April 2017 showed a wireless health services provider based in Pennsylvania was found non-compliant to the HIPAA requirements and had to settle an agreement to the tune of $2.5 million. Well, if that is not an expensive lesson I do not know what is. The involved provider business’ provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.
The issue originated when an incident occurred where one of its employees brought a laptop home. The laptop ended up being stolen while it was inside the employees’ vehicle which at the time was parked outside his/her home. The laptop contained ePHI of 1,391 patients. The company involved then reported the incident to the HHS Office for Civil Rights (OCR). It was later found that the said company was non-compliant on HIPAA requirements. Particularly the HHS OCR investigation concluded that the company had insufficient risk analysis and risk management processes, and no policies and procedures implementing the standards of the HIPAA Security Rule in place.
It is without question that mobile devices such as laptops, cellular phones, tablets, and such, come with another level of security risks. They are easily transported, which makes them easily lost, misplaced and (unfortunately) hot commodities for theft. It is therefore highly encouraged and required that both Covered Entities and Business Associates alike take great care and accountability when it comes to these modern devices. The HHS has enumerated some important reminders and guidelines related to this issue. Check out this link – https://www.healthit.gov/topic/privacy-security-and-hipaa/your-mobile-device-and-health-information-privacy-and-security
However, bear in mind that risk analysis, risk management processes, including policies and procedures related to the HIPAA Security Rule are not exclusive to mobile devices only, needless to say. To find out if your organization or practice is in compliance, the HIPAA Security Compliance Checklist is an informative and quick guide to evaluate your current system. Click on this link to access the checklist – https://epicompliance.com/solutions/hipaa-compliance-checklist