HIPAA Security Rule Implications for the use of Smart Devices when Accessing ePHI Information

by ih-coc admin

Accessing ePHI on smart devices, no matter how dire the circumstances, must be considered a potential risk, and should only be undertaken after safeguards in line with the HIPAA security rule are put into place, so as to minimize running the risk of patient privacy violations, or worse, an actual security breach. 

Adverse usage of smart devices to access ePHI is not a new phenomenon. In June this year, the University of Texas MD Anderson Cancer Center (MD Anderson) was ordered by an HHS Administrative Law Judge (ALJ) to pay $4.3 million in civil penalties (Donovan, 2018) for HIPAA violations arising from failing to appropriately encrypt all smart devices in the Center’s inventory that were ever used to access ePHI. MD Anderson’s failure to comply with the HIPAA security rule resulting in 2012’s 7th largest data breach in the US (Blume, 2012), where, according to Fred Donovan writing for Health IT Security, over “33,500 individuals were made vulnerable to identity when a laptop was stolen and two thumb drives were misplaced” (June 2018). 

Currently, leadership at state agencies in Oklahoma are responding to controversies regarding HIPAA violations that allegedly took place at the Oklahoma Department of Veterans Affairs this past July. Oklahoma VA is being accused of committing HIPAA security rule violations when VA medical aides were given official permission to access patient medical records using their smartphones during a scheduled internet outage. 

Department officials are pushing back, accusing opposition lawmakers behind the allegations of partisan politics, and stating that sufficient safeguards are in place that would prevent any potential HIPAA security rule or HIPAA privacy rule violation. According to these same VA officials, no local (cached) copy of data was ever stored on these individual smart devices, which is a security feature of the data systems used by Oklahoma VA. Additionally, VA officials stated that access was limited to authorized personnel at two VA centers, who had “temporary, password-protected access to medical records” (Donovan, 2018). 

Partisan issue or not, these two cases indicate the importance of both proper lifecycle management of smart devices used to access ePHI, as well as the need for protocols to be implemented that carefully limit and guide the use of smart devices to access ePHI, especially during planned as well as unplanned system outages. 

According to OCR’s July 2018 Cybersecurity Newsletter, to reduce the risk of breaches of data stored on devices or media scheduled for final disposition, organizations are advised to consider the following:

  •  What data is maintained by the organization and where is it stored?
  •  Is the organization’s data disposal plan up to date?
  •  Are all asset tags and corporate identifying marks removed?
  •  Have all asset recovery-controlled equipment and devices been identified and isolated?
  •  Is data destruction of the organization’s assets handled by a certified provider?
  •  Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
  •  Is onsite hard drive destruction required?
  •  What is the chain of custody?
  •  How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
  •  What are the logistics and security controls in moving the equipment? 

Regarding smart devices that were previously in use by an organization for accessing ePHI, and are now being considered for removal/decommissioning, OCR has the following recommendations:

  •  Ensure devices and media are securely erased and then either securely destroyed or recycled;
  •  Ensure that inventories are accurately updated to reflect the current status of decommissioned devices and media or devices and media slated to be decommissioned; and
  •  Ensure that data privacy is protected via proper migration to another system or total destruction of the data.
  •  Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
  •  Ensure that ePHI is properly destroyed and cannot be recreated.
  •  Ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
  •  Identify removable media and their use (tapes, CDs/DVDs, USB thumb drives).
  •  Ensure that ePHI is removed from reusable media before they are used to record new information. 

Following these recommendations from OCR will allow an organization to retain use of smart devices to access ePHI, while ensuring that this same ePHI is not compromised.

 Sources: 

Ashley Blume (2012). Top 10 largest healthcare data breaches in 2012. https://healthitsecurity.com/news/top-10-largest-healthcare-data-breaches-in-2012 

Fred Donovan (2018). Judge Upholds $4.3M Fines against MD Anderson for HIPAA Violations https://healthitsecurity.com/news/judge-upholds-4.3m-fines-against-md-anderson-for-hipaa-violations 

Fred Donovan (2018). Oklahoma Government in Row Over Alleged HIPAA Violation https://healthitsecurity.com/news/oklahoma-government-in-row-over-alleged-hipaa-violation