Practice Management Alert

Question: I’ve been reading a lot about encryption and hearing about it in the news. Do we, as a practice, really need to bother encrypting our mobile devices?

Ohio Subscriber

Answer: Yes. Look to the University of Rochester Medical Center (URMC) if you’re still on the fence. URMC, in Rochester, New York, encompasses several health and hospital systems, and employs more than 26,000 people. In 2013 and 2017, URMC filed HIPAA breaches with the U.S. Health & Human Services Department Office for Civil Rights (OCR) after an unencrypted flash drive and an unencrypted laptop, respectively, were stolen, leading to protected health information (PHI) being “impermissibly” disclosed.

OCR investigated and found that URMC “failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so,” according to an OCR press release.

OCR notes that it investigated URMC in 2010 as well, after a different unencrypted flash drive was lost and that URMC self-identified lack of encryption as a “high risk to ePHI” — but the organization continued to allow the use of unencrypted mobile devices anyway.

URMC agreed to pay $3 million in fines and take “substantial corrective action” in regard to potential violations of the HIPAA Privacy and Security Rules.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR director, in the press release. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”