Health Care Client Alert - July 2016

Encryption: A Critical Safeguard Against HIPAA Liability

As we all know, physicians bear the responsibility of protecting patients from threats that can stem from the storage and use of patients’ protected health information.

Far too frequently a laptop is stolen from a car or a phone is misplaced. These unfortunate events can have grave consequences for everyone involved if the devices contain protected health information. Not only is a patient’s private, personal information at risk of disclosure, but the covered entity or business associate whose property was stolen or misplaced can face liability and monetary fines under the Health Insurance Portability and Accountability Act (HIPAA).

In order to avoid these serious threats, it is critical that covered entities and business associates encrypt all mobile devices that contain or may contain protected health information. This includes laptops, cellphones, thumb drives, tablets, and any other mobile device that may contain protected health information.

Significant potential liability and monetary fines can be avoided by simply encrypting all mobile devices. Under HIPAA, if a properly encrypted device is lost or stolen, the incident is not considered a breach of protected health information. Therefore, if an encrypted laptop or thumb drive is stolen, you would not be required to notify your patients, the government, and the media of the incident. Since you would not be required to report the incident to the government, you would also avoid the potential of being fined for it.

In recent years, the U.S. Department of Health and Human Services (HHS) has reached settlements with multiple healthcare providers as a result of HIPAA violations arising from lost or stolen mobile devices and laptops. HHS has imposed fines and penalties ranging from $250,000 to $1,725,220 on healthcare providers who have reported the loss or theft of an unencrypted device that contained protected health information. If these devices had been encrypted, the incidents would not have been considered HIPAA breaches and the practices would not have been required to report them to the affected patients, the government or the media.

In recent public appearances, HHS officials have indicated that, although encryption is not required under HIPAA, they expect all covered entities and business associates to be encrypting their laptops, tablets, thumb drives, phones, and other mobile devices containing protected health information.

Kaufman & Canoles remains available, even on short notice, to assist with your HIPAA compliance matters. In the event of a potential breach of protected health information, or if you have any questions about encrypting your devices or any other HIPAA compliance matters, contact our Health Care Practice Group or Cybersecurity Response Team.

* A special thanks to MaryKatelyn Lukish for assisting with the research for and preparation of this alert.


The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2017.
