Jon Tomes
Although encrypting portable devices is not absolutely required by the Security Rule—that is, it is an addressable, not a required, implementation specification—another seven-figure penalty demonstrates that, even if not legally required, encryption is necessary as a practical matter.
The University of Rochester Medical Center (“URMC”) settled for $3 million in lieu of a HIPAA civil money penalty (“CMP”) largely for failure to encrypt mobile devices and other HIPAA violations. The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) investigated two breach reports that URMC had made under the mandatory reporting rule at 45 C.F.R. §§ 164.400-414 involving the loss of an unencrypted flash drive and the theft of an unencrypted laptop computer.
Just because encryption is not a required implementation specification, as I have repeatedly stressed, it certainly doesn’t mean that you can just ignore doing it. Because it is addressable, you must “address” it—that is, determine whether it is reasonable and appropriate for your organization and, if so, do it and document having done so. If it is not reasonable and appropriate, you must determine whether an equivalent alternate measure is reasonable and appropriate, implement that measure, and document it. Or you can do nothing if you find and document that it is not reasonable and appropriate to do so. If you haven’t gone through the drill of doing a risk analysis of the loss and theft of a portable device and documenting your decision on reasonable and appropriate protection, you are at great risk if you lose one. Seven figure risk. Or even six figures could wipe out a small practice.
In the URMC case, it had assessed the risk and determined that the lack of encryption posed a high risk to the confidentiality, integrity, and availability of electronic protected health information (“EPHI”), yet failed to implement encryption when it was reasonable and appropriate and continued to use unencrypted mobile devices that contained EPHI, in violation of 45 C.F.R. § 164.31 2(a)(2)(iv). Failure to implement encryption cost URMC $3 million. Could you or your organization afford such a settlement?
So not only do you have to do risk analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A), but also you must then implement the security measures that you find to be reasonable and appropriate, to sufficiently reduce those risks and vulnerabilities to a reasonable and appropriate level. Or document why you did not find them reasonable and appropriate and, hence, did not implement them. The Security Rule requires documentation of the risk analysis. 45 C.F.R. § 164.316(b)(10).
See http://www.hhs.gov/ocr/hipaa for guidance on tools and methods available for risk analysis and management. For example, HHS suggests, in its HIPAA Security Series, that covered entities (and now business associates) ask themselves the following two questions to help determine whether data encryption is appropriate:
- Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
- What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?
Then document the answers. As I have stated many times, for more than two decades now, if it’s not written (for HIPAA) it’s not, under the documentation rule cited above. None of the eight covered entities that I have represented who were investigated by the Office for Civil Rights was found liable because they had their written documentation.
OCR has yet to sanction a covered entity or business associate for failure to adopt a different security measure or equivalent alternate measure as long as they have documented in writing why they did what they did. OCR is not going to say that one encryption package is better than the one that you adopted and try to impose a CMP for your less-than-perfect choice. The one caveat to this scenario is that, if your encryption meets the National Institute for Standards and Technology (“NIST”) Encryption Standard and is lost, it is not reportable under the reporting rule, cited above. This standard is not the toughest and most expensive known to man, but is a good basic standard. See, for example, https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf.
So, unless your portable devices are encrypted consistent with the NIST standard, I implore you to do or update your risk analysis of portable devices. I’ve got enough business without having to defend you for an OCR investigation and possible seven-figure penalty for failing to either encrypt your portable devices or document why your equivalent alternate measure is reasonable and appropriate or you need to do nothing in this regard (hard to conceive of, but perhaps possible).
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMHO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation, including a release of information policy and a right of access policy. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy. Further, Jon Tomes is scheduled to present a webinar on “How to Write HIPAA Policies and Procedures” at 12:00 to 1:00 CST on Wednesday, December 4, 2019. Sign up at www.compliancetrain.com/webinardetails/HIPAA-Policies-and-Procedures.
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly, after restarting your heart, if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.
If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.
