Both breaches highlight the need to encrypt mobile devices such as laptops, thumb drives, disks and smartphones. The theft or loss of such devices accounts for more than two in five of all publicly reported breaches on a list kept by the Office for Civil Rights at HHS.
“We love encryption, and those who use encryption love it, too,” Office for Civil Rights Director Leon Rodriguez said. “In the event of a breach, using encryption assures that that information is unreadable, unusable or undecipherable, which, basically, would qualify that entity for the safe harbors under our breach notification rule.”
With some fanfare, Rodriguez's office announced Jan. 2 it had reached a $50,000 settlement with Hospice of North Idaho, noting it was the first settlement involving a breach of fewer than 500 individuals' records. According to the Office for Civil Rights, more than 60,500 of these lesser breach reports were filed with the agency between September 2009, when the reporting mandate began, and Dec. 31, 2011; the total may exceed 80,000 once the 2012 breaches are reported in this year's annual filings, said Michael McMillan, an Austin, Texas-based healthcare security specialist.
On its website, the Office for Civil Rights has listed 525 larger breaches that exposed the records of more than 21.4 million people.
The Idaho hospice in Hayden, a suburb of Coeur d'Alene, reported that an unencrypted laptop carrying patient information had been stolen from one of its fieldworkers in 2010. The civil rights office also cited the provider for not conducting an adequate risk analysis as required under HIPAA.
Meanwhile, Omnicell, a Mountain View, Calif., provider of prescription drug cabinets and related data services, notified more than 68,000 patients of the 919-bed University of Michigan Health System, Ann Arbor; 10-hospital Sentara Healthcare, Norfolk, Va.; and two-hospital South Jersey Healthcare, Vineland, N.J., that their demographic, prescription drug and other clinical information was potentially exposed when a password-protected but unencrypted laptop was stolen from an employee's car. Spokespersons for two of the hospital systems said the lack of encryption specifically violated contract arrangements.
An Omnicell statement said the company knows of no other breaches in its 20-year history and that it had “initiated immediate and definitive measures to prevent a similar incident from re-occurring.”
Rodriguez cautioned against reading too much into the Office for Civil Rights announcement about the Idaho settlement.
“I don't think that anybody should take either that this particular case was the result of a focus particularly on small breaches or that it heralds an upcoming focus on our part on small breaches,” Rodriguez said. For all monetary-enforcement cases, the Office for Civil Rights focuses on those “that reveal longstanding and systemic failures to comply with the privacy and security rules,” he said.
The Office for Civil Rights has shifted over the past couple of years to an increased use of monetary settlements and penalties to achieve HIPAA compliance. But “even as our pace of monetary enforcement picks up, we're still in the relatively early days of that program,” Rodriguez said. Thus far, the civil rights office has achieved HIPAA-related monetary settlements or court decisions totaling nearly $14.9 million with 11 entities, including five in 2012.
“What I would really underscore is, we investigate the compliance of the entity with a set of very common-sense processes that the privacy and security rule require,” he said. “The one that you'll hear us talking about all the time is risk analysis.” The Office for Civil Rights recently completed 115 random audits of covered entities and “a good number of them” had not performed required risk analyses, Rodriguez said, and those that had done so typically used encryption.