May 27, 2020

Recent Enforcement Shows the Importance of Encrypting Mobile Devices Containing Protected Health Information

With headlines every day announcing another release of Protected Health Information (PHI), providers are asking themselves – is there a way to protect against these breaches?

Beyond improving the security of large systems, attention is needed to protect PHI stored on laptops and other mobile devices, which account for a large percentage of PHI breaches.

In order to safeguard the confidentiality, integrity and availability of all electronic protected health information created, received, maintained, or transmitted, all covered entities and business associates must (1) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (2) protect against any reasonably anticipated unauthorized uses or disclosures of such information. 45 C.F.R. § 164.306(a).

One way to comply with this rule is to encrypt electronic PHI so that only individuals who are authorized to view the PHI can access it. 45 C.F.R. § 164.312(a)(2)(iv). Encryption is listed there as an "addressable" implementation specification, meaning a covered entity must either implement it or document why it is not reasonable and appropriate and what equivalent measure is in place. In practice, encryption is a standard solution and an effective tool to protect against unauthorized access to data.

Encryption under the HIPAA Regulations means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. 45 C.F.R. § 164.304.

The safeguard arising from encryption is particularly relevant now because of the widespread use of mobile devices, such as laptops, iPads, and portable disk drives by health care providers. Press reports indicate that several recent unauthorized releases of unencrypted PHI resulted from the loss or theft of these mobile devices.

The 2014 Bitglass Healthcare Breach Report analyzed data from the Department of Health and Human Services breach records and found the following:

  • 68% of healthcare data breaches since 2010 occurred when devices or files were lost or stolen, with only 23% due to hacking; and

  • 48% of breaches involved a laptop, desktop, or mobile device.

As these numbers show, health care providers need to focus on securing PHI on mobile devices. Where possible, physicians and others with access to PHI should avoid storing it on laptops, USB memory sticks, and other mobile devices at all. Where storage on a mobile device is necessary, health care providers should require that the device be encrypted, both at rest (full-disk or full-device encryption) and in transit, and that it can be remotely wiped if lost or stolen. Remote wipe only works while the device is powered on and connected to a network; encryption at rest is the control that protects the data in the common case where a thief powers the device off or removes the drive. Encryption also has a direct regulatory payoff: under the HIPAA breach notification rule, PHI that has been encrypted in a manner consistent with HHS guidance is not "unsecured" PHI (45 C.F.R. § 164.402), so the loss of a properly encrypted device generally does not trigger breach notification, whereas the loss of an unencrypted one does.
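A policy that says "mobile devices must be encrypted" is only as good as the ability to verify it. The following is an added example (not code from the article or from Foley & Lardner) of an offline audit check: it reads the first sector of a disk image or block device and reports whether it begins with a recognized full-disk-encryption container header. The two signatures it looks for are documented on-disk formats: a LUKS header starts with the bytes `LUKS\xba\xbe` followed by a big-endian version number, and a BitLocker volume's boot record carries the OEM ID `-FVE-FS-` at byte offset 3. The device names and header bytes in the sample inventory are constructed for illustration and are not real devices.

```python
"""
Audit check: does a disk image or block device carry a recognised
full-disk-encryption container header?  Added example; not from the article.

Signatures (documented on-disk formats):
  LUKS1/LUKS2: bytes 0-5 == b"LUKS\xba\xbe", bytes 6-7 == version (big-endian)
  BitLocker:   volume boot record OEM ID at offset 3 == b"-FVE-FS-"
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
BITLOCKER_OEM_ID = b"-FVE-FS-"
HEADER_BYTES = 512  # one sector is enough for both signatures


def classify_header(header: bytes) -> str:
    """Classify the first bytes of a volume.

    Returns 'luks1', 'luks2', 'luks-unknown-version', 'bitlocker', or
    'unencrypted-or-unknown'.  The last value is deliberately conservative:
    an unrecognised header is treated as a finding, not as a pass.
    """
    if len(header) >= 8 and header[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", header[6:8])[0]
        if version in (1, 2):
            return f"luks{version}"
        return "luks-unknown-version"
    if len(header) >= 11 and header[3:11] == BITLOCKER_OEM_ID:
        return "bitlocker"
    return "unencrypted-or-unknown"


def classify_device(path: str) -> str:
    """Read the first sector of a device or image file and classify it."""
    with open(path, "rb") as f:
        return classify_header(f.read(HEADER_BYTES))


def audit(inventory: dict) -> dict:
    """inventory maps a device name to the first HEADER_BYTES of that device."""
    return {name: classify_header(hdr) for name, hdr in inventory.items()}


def unencrypted_devices(inventory: dict) -> list:
    """Names of devices that should be escalated because no container was found."""
    return sorted(
        name for name, result in audit(inventory).items()
        if result == "unencrypted-or-unknown"
    )


def _pad(prefix: bytes) -> bytes:
    """Pad a constructed header prefix out to a full sector."""
    return prefix + b"\x00" * (HEADER_BYTES - len(prefix))


# Constructed sample inventory (hypothetical device names, not captured data).
SAMPLE_INVENTORY = {
    "laptop-01": _pad(LUKS_MAGIC + struct.pack(">H", 2)),          # LUKS2 container
    "usb-stick-07": _pad(b"\xeb\x52\x90" + BITLOCKER_OEM_ID),      # BitLocker To Go
    "usb-stick-09": _pad(b"\xeb\x3c\x90MSDOS5.0"),                 # plain FAT volume
}

if __name__ == "__main__":
    for name, result in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {result}")
    print("escalate:", unencrypted_devices(SAMPLE_INVENTORY))
```

Two caveats apply when using a check like this. First, a container header only proves that an encrypted volume exists on that partition; it does not prove that every partition holding PHI is inside one, that the passphrase is strong, or that the key is not sealed to a TPM with automatic unlock, which would let a thief boot straight to the login screen. Second, the platform's own status tools are authoritative where they can be run on the live device: `manage-bde -status` on Windows, `cryptsetup isLuks` on Linux, and `fdesetup status` on macOS; the header check above is useful for images and drives pulled from inventory where no such agent is available.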

© 2020 Foley & Lardner LLP


About this Author


Jeffrey C. Thrope is a partner and health care business lawyer with Foley & Lardner LLP. Mr. Thrope has a broad range of experience as a general counsel to the health care and related industries, as well as not-for-profit organizations and governments. He is a member of the Health Care Industry Team, as well as the Public Finance Practice.

In addition to his considerable experience in helping public and safety-net hospitals develop operational and financing plans necessary to their survival, Mr. Thrope has provided advice and counsel in...


Elizabeth J. (Betsy) Rosen is an associate and health care lawyer with Foley & Lardner LLP. She focuses her practice in the health care field where she advises hospitals, hospital systems, physician organizations and other health care entities on regulatory, transactional and corporate matters. Ms. Rosen is a member of the firm's Health Care Industry Team. Ms. Rosen worked as a summer associate with Foley in 2012.