General Surgery Coding Alert

Reader Question:

Encrypt Mobile Devices or Face OCR

Question: I heard that the Office for Civil Rights can collect damages for lost mobile devices that contain protected health information — is that true?

Codify Subscriber

Answer: Yes, the OCR can slap you with fines for HIPAA violations if you have a breach from a mobile device due to lack of appropriate security.

In fact, in a Feb. 2017 case, Children’s Medical Center of Dallas was fined $3.2 million for HIPAA violations dating back to a 2010 lost BlackBerry that impacted 3,800 individuals’ ePHI, and an unencrypted laptop in 2013 that contained the ePHI of 2,462 individuals. While Children’s did implement some security measures after the first breach, the healthcare organization didn’t fully protect its devices and a second breach followed in 2013, an OCR report suggests.

“Ensuring adequate security precautions to protect health information, including identifying any security risks and immediately correcting them, is essential,” said Robinsue Frohboese, OCR acting director, in a prepared statement. “Although OCR prefers to settle cases and assist entities in implementing corrective action plans, a lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.”

Resource: To read the OCR release, visit https://www.hhs.gov/about/news/2017/02/01/lack-timely-action-risks-security-and-costs-money.html.