OCR Reminds Protected Units Not to Overlook Physical Safety Limits

June 2, 2018

The Division of Health and Human Services’ Office for Civil Rights (OCR) has reminded protected units that HIPAA not only needs technical controls to be applied to make certain the secrecy, honesty, and availability of PHI but also proper physical safety controls.
Physical controls are often the simplest and cheapest types of safeguard to keep PHI personal and secret, however, these safety controls are often ignored. Some physical safety controls cost nothing – such as making sure moveable electronic appliances (portable storage devices, laptop computers, and pen drives) are locked away when they are not used.
Although this is a very basic type of safety, it’s one of the most effective methods of avoiding theft and one that can prove extremely expensive if ignored. OCR draws attention to a 2015 HIPAA break resolution with Lahey Hospital and Medical Center. An unencrypted laptop computer was thieved from the Tufts Medical School linked teaching hospital leading to the disclosure 599 patients’ ePHI.
The laptop computer was used with regard to a computerized tomography (CT) scanner. The laptop was in an open treatment room off an inner passageway of the radiology division. Lahey Hospital resolved the case for $850,000. A high price to pay for failing to apply a free physical safety control.
In 2014, QCA Health Plan agreed to resolve possible HIPAA breaches with OCR for $250,000. QCA Health plan failed to apply physical protections for all workplaces to limit access to ePHI to lawful users only. In that instance, the workplace was an unencrypted laptop computer that was thieved from the automobile of a worker.
In 2012, Massachusetts Eye and Ear Infirmary (MEEI) resolved a HIPAA breach case with OCR for $1.5 million. This was another instance of an unencrypted laptop computer being thieved that led to the impermissible exposure of ePHI.
In 2016, OCR resolved possible HIPAA breaches with Feinstein Institute for Medical Research for $3.9 million. Feinstein Institute had failed to physically safeguard a laptop computer having the ePHI of 13,000 patients. The appliance was also thieved from the automobile of a worker.
In July 2016, University of Mississippi Medical Center resolved a case with OCR for $2,750,000. An unencrypted laptop computer having the ePHI of an approximated 10,000 patients was thieved from its Medical Intensive Care Unit.
HIPAA needs protected units and their business associates to apply “physical protections for all workplaces that access ePHI to limit access to legal users.” Workplaces include desktop computers, laptops, and other computing appliances including moveable storage appliances, smartphones, and tablets.
It’s up to HIPAA-covered units and their business associates to make a decision on the most suitable physical safety controls to apply, which must be based on their risk evaluations and risk management procedure.