Recent Enforcement Shows the Importance of Encrypting Mobile Devices Containing Protected Health Information

18 September 2015 Health Care Law Today Blog
Author(s): Jeffrey C. Thrope

With headlines every day announcing another release of Protected Health Information (PHI), providers are asking themselves – is there a way to protect against these breaches?

Beyond improving the security of large systems, attention is needed to protect PHI contained in laptops and other mobile devices, which account for a large percentage of PHI breaches.

In order to safeguard the confidentiality, integrity and availability of all electronic protected health information created, received, maintained, or transmitted, all covered entities and business associates must (1) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (2) protect against any reasonably anticipated unauthorized uses or disclosures of such information. 45 C.F.R. § 164.306(a).

One way to comply with this rule is to encrypt electronic PHI so that only individuals authorized to view the PHI can read it. 45 C.F.R. § 164.312(a)(2)(iv). Encryption is an "addressable" implementation specification, meaning a covered entity or business associate must either implement it or document why it is not reasonable and appropriate and implement an equivalent alternative; for PHI on mobile devices, there is rarely a defensible alternative. Encryption is a standard solution and an effective tool for preventing unauthorized access to data. It also matters under the Breach Notification Rule: PHI encrypted in accordance with the HHS guidance (which points to NIST Special Publication 800-111 for data at rest) is not "unsecured protected health information," so the loss or theft of a properly encrypted device generally is not a reportable breach. 45 C.F.R. § 164.402.

Encryption under the HIPAA Regulations means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. 45 C.F.R. § 164.304.

The safeguard arising from encryption is particularly relevant now because of the widespread use of mobile devices, such as laptops, iPads, and portable disk drives by health care providers. Press reports indicate that several recent unauthorized releases of unencrypted PHI resulted from the loss or theft of these mobile devices.

The 2014 Bitglass Healthcare Breach Report analyzed data from the Department of Health and Human Services breach records and found the following:

  • 68% of healthcare data breaches since 2010 occurred when devices or files were lost or stolen, with only 23% due to hacking; and
  • 48% of breaches involved a laptop, desktop, or mobile device.

As these numbers show, health care providers need to focus on securing and protecting PHI on mobile devices. If possible, physicians and others who have access to PHI on mobile devices should avoid storing PHI on laptops, USB memory sticks, and other mobile devices at all. If storage of PHI on a mobile device is necessary, health care providers should require that the PHI be encrypted at rest (full-disk or whole-device encryption, protected by a strong passcode, so that the key is not recoverable from the device itself) and in transit whenever it is sent or synchronized, and that the devices be enrolled in management that permits remote wipe of lost or stolen devices. Remote wipe is a supplement, not a substitute: it works only if the device comes back online before the data is read, whereas encryption protects the data from the moment the device leaves the provider's hands. Providers should also keep records (for example, device-management reports) showing that encryption was in place, since that evidence is what supports a determination that a lost device did not hold unsecured PHI.
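The recommendation above is only as good as the organization's ability to verify it. The following script is an added example, not part of the original post, showing how an administrator can check that the volume holding PHI is actually encrypted at rest on the common laptop platforms. It parses the output of `lsblk`/`findmnt` (Linux, looking for a dm-crypt/LUKS layer beneath the root filesystem), `fdesetup status` (macOS FileVault), and `manage-bde -status` (Windows BitLocker; the text is pasted in, since that command is run from PowerShell or cmd, not from this shell). The sample outputs embedded in the script are constructed for testing and were not captured from real devices.

```shell
#!/bin/sh
# fde_check.sh - verify that the volume holding PHI is encrypted at rest.
# Each *_volume_encrypted function takes the text output of a platform's
# status command, so the logic can be tested on captured text as well as
# run live. Functions return 0 when the volume is encrypted, 1 otherwise.

# Linux: `lsblk -rsno TYPE <device>` lists the device and every layer
# beneath it (the -s inverse tree). A line reading exactly "crypt" means a
# dm-crypt/LUKS layer sits under the filesystem.
linux_volume_encrypted() {
    printf '%s\n' "$1" | grep -qx 'crypt'
}

# macOS: `fdesetup status` prints "FileVault is On." or "FileVault is Off.".
macos_volume_encrypted() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Windows: `manage-bde -status C:` reports a Conversion Status and a
# Protection Status. Both must be satisfied: a "Fully Encrypted" volume
# whose protection is suspended still boots without any key material.
windows_volume_encrypted() {
    printf '%s\n' "$1" | grep -q 'Conversion Status: *Fully Encrypted' &&
    printf '%s\n' "$1" | grep -q 'Protection Status: *Protection On'
}

# Run the live check for the current OS against the given mountpoint
# (default /). Returns 2 on an unsupported platform.
check_live() {
    mnt="${1:-/}"
    case "$(uname -s)" in
        Linux)
            dev=$(findmnt -no SOURCE "$mnt") || return 2
            linux_volume_encrypted "$(lsblk -rsno TYPE "$dev")" ;;
        Darwin)
            macos_volume_encrypted "$(fdesetup status)" ;;
        *)  return 2 ;;
    esac
}

# Constructed sample outputs (not taken from real devices) used for testing.
SAMPLE_LSBLK_LUKS='lvm
crypt
part
disk'
SAMPLE_LSBLK_PLAIN='part
disk'
SAMPLE_FDESETUP_ON='FileVault is On.'
SAMPLE_FDESETUP_OFF='FileVault is Off.'
SAMPLE_BDE_ON='Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On'
SAMPLE_BDE_SUSPENDED='Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off'

# Usage: ./fde_check.sh --live [mountpoint]
if [ "${1:-}" = "--live" ]; then
    if check_live "${2:-/}"; then
        echo "encrypted at rest"
    else
        echo "NOT encrypted at rest (or platform unsupported)"
        exit 1
    fi
fi
```

Run with `--live` on the device itself, or feed captured `manage-bde` output to `windows_volume_encrypted` from an inventory job. The BitLocker check deliberately requires "Protection On" as well as "Fully Encrypted": a suspended volume is a common finding after firmware updates and is no safer than an unencrypted one while in that state.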

This blog is made available by Foley & Lardner LLP ("Foley" or "the Firm") for informational purposes only. It is not meant to convey the Firm's legal position on behalf of any client, nor is it intended to convey specific legal advice.