Physically Securing Your Work Environment
June 13, 2018
HIPAA compliance may seem daunting, but, believe it or not, there are easy, cost-effective steps you can take right now to help get you there. If you’re responsible for upholding HIPAA law, take a moment to look around your office space. How well is your environment protecting others’ electronic Protected Health Information (ePHI)?
The Department of Health and Human Services’ Office for Civil Rights’ (OCR) most recent newsletter serves as a reminder for all Covered Entities, Business Associates, and Business Associate Subcontractors to physically secure surroundings where there is access to ePHI. The HIPAA Security Rule requires the “[implementation of] physical safeguards for all workstations that access ePHI to restrict access to authorized users.”
The Security Rule specifically references “workstations,” which includes “a computing device, for example, a laptop or desktop computer, or any other device that performs similar functions and electronic media stored in its immediate environment.” What else is meant by “workstations”? Don’t forget about portable electronic devices like tablets, smartphones, and medical devices. While making physical changes seems easy enough, many organizations overlook these types of safeguards because they’re more concerned with their technical (encryption to thwart cyber attackers, for example) or administrative HIPAA obligations (like preparing and implementing a risk assessment). Physical controls are often the simplest and cheapest ways to keep ePHI private and confidential.
The Cost of No Physical Security
Many physical security controls are absolutely free to set up, like ensuring portable electronic devices (laptop computers, portable storage devices, and pen drives) are locked away when they are not in use. Physically locking a device is one of the most effective ways of preventing theft.
Examples of HIPAA Physical Mistakes
Violations of the HIPAA Security Rule’s physical safeguard standard have resulted in OCR settlement payments ranging from $250,000 to $3.9 million. In 2015, Lahey Hospital and Medical Center had an unencrypted laptop computer stolen, resulting in the exposure of 599 patients’ ePHI. The laptop was stolen from an unlocked treatment room. Lahey Hospital paid $850,000 in HIPAA fines for the mistake, a costly price for failing to implement a free physical security control!
When QCA Health Plan failed in 2014 to implement physical safeguards for their company’s workstations, they were forced to settle HIPAA violations with OCR for $250,000. The workstation included an unencrypted laptop computer that was stolen from the vehicle of an employee.
In 2016, OCR settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Feinstein Institute did not physically secure a laptop computer containing the ePHI of 13,000 patients. The device was stolen from the vehicle of an employee.
In July 2016, University of Mississippi Medical Center settled a case for $2.75 million after an unencrypted laptop was stolen from its Medical Intensive Care Unit. The computer contained the ePHI of about 10,000 patients.
MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) settled with OCR for $2.2 million in January 2017. MAPFRE filed a breach report with OCR indicating that a USB data storage device (pen drive) containing ePHI of 2,209 individuals was stolen from its IT department, where the device was left without safeguards overnight.
Implementing Your Own Physical Security
Covered Entities, Business Associates, and Business Associate Subcontractors should define physical security controls based on their risk assessments and risk management process. Consider implementing the following physical security controls to secure electronic devices and ePHI:
- Position desks to ensure screens cannot be easily viewed by anyone other than the user of a workstation
- Use privacy screens to prevent shoulder surfing
- Use cable locks to prevent electronic devices containing PHI from being stolen
- Install security cameras to deter theft of electronic devices and physical PHI
- Use signage to remind employees of the need to use physical security controls
- Use port and device locks to prevent CD/DVD drives and USB connections from being used on workstations to copy ePHI and install unauthorized software
As OCR highlights in their May newsletter, Covered Entities and Business Associates have had to enter into settlement agreements ranging from $250,000 to $3.9 million for violation of the physical security requirement. Secure your environment to avoid costly HIPAA fines!