Home Health & Hospice Week

OCR is pushing entities harder to perform risk assessments.

Two breach cases based on stolen unencrypted laptops share many similarities (see related story, above). Among them are three key steps these companies did not take that could have prevented the breaches in the first place — or at least minimized the breach-associated costs and sanctions.

1. Make Encryption Your Best Friend

Crucial: The best precaution against a multi-million dollar settlement on your company’s books is widely available encryption software, according to an April 24 blog posting by Linn Foster Freedman and Kathryn Sylvia, both Provi-dence, RI-based partners with Nixon Peabody.

Although HIPAA doesn’t require encryption, covered entities (CEs) and business associates (BAs) “should assure that portable devices, including mobile devices and laptops, are encrypted and contain the minimum amount of ePHI necessary for an employee to carry out his or her responsibilities — if it is necessary at all,” Freedman and Sylvia stated.

This high settlement amount indicates that CEs and BAs “who choose not to implement encryption standards must be able to explain themselves,” wrote Elana Zana in an April 28 OMW Health Law blog posting for Ogden Murphy Wallace Attor-neys, a law firm headquartered in Seattle. But there really is no other effective way for most providers to protect data other than encryption.

Loophole: “If a laptop or other mobile device is encrypted according to HHS standards, the loss or theft may fall within a legal safe harbor,” Freedman and Sylvia pointed out. “This fact alone should compel healthcare entities to consider using encryption technology.”

2. Perform A Risk Analysis

One of the big problems in these HIPAA breach cases was, in addition to not encrypting the laptops, the entities didn’t perform a risk analysis. You must “do a solid risk analysis,” stresses Jim Sheldon-Dean of Lewis Creek Systems in Char-lotte, Vt.

Although unlike Concentra, QCA had no direct fault for failing to encrypt its laptops. Instead, the QCA settlement focused on its lack of sufficient HIPAA security policies and procedures, Zana explained. Specifically, HHS found that QCA failed to conduct a security risk assessment and failed to implement security measures, especially physical safeguards.

3. Implement A Risk Management Plan

Implementing a risk management plan is part of both settlement agreements, which should give you a good idea of how important this task really is. The CAP for QCA was different from Concen-tra’s in that QCA’s focused on workforce training and reporting of workforce noncompliance, rather than on encryption requirements, Zana noted.

Lesson learned: “The settlements reinforce the OCR’s continued focus on enforcing failures to adequately protect ePHI on mobile devices,” Freed-man and Sylvia observed.

Like most breach cases, the simple solution is to encrypt the data to avoid an actual breach — but these settlements reveal just how extensive your compliance obligations are and how severe the monetary penalties could be when you fail to protect PHI, Zana warned. “The message from HHS is not just the importance of data encryption, but rather its performance and follow-through with security risk analysis and implementation of security policies and procedures.”

Concentra and QCA, like other healthcare organizations who have settled with HHS, will have years of compliance reporting obligations and security management requirements that will likely create significant cost burdens in addition to the monetary settlement,” Zana concluded.