HIPAA Breaches Involving Portable Devices


The largest percentage of HIPAA breach issues today involves the loss or theft of portable devices containing unencrypted PHI. What if there's a potential breach? How are you going to deal with it? You need to have a breach notification policy.

A breach notification policy starts with one question: is it a breach or not? You don’t have a breach until you decide that you have a breach. So if you have an incident, such as losing a device or somebody potentially getting access to it, is this something that might be a breach or not? What level of incident is it? Do we have some way to classify these things? Who do we report it to, and how do we prioritize and respond to it?

Our expert mentioned at a security health system conference that you must prepare for public response, look at what the problems are, and understand what's really going on so you know what is a breach. Is this potentially a breach? How do you decide? Where do you go from here? How do you document this incident? And if it may be a breach, how do you go forward from there?

If it may be a breach, first of all, state in the policy, “Here's the information that we're covering under the HIPAA and state breach notification rules,” just so it's clear. Also include in the policy something to the effect of, “By the way, we will be doing an information flow analysis and a risk analysis before the breach and after, so that if that thing gets lost, we'll know what data is on it and what data is likely to be on it,” rather than going, “Oh, that was lost. What's on it?” “I'm not sure.” That's not a very good answer. Do your research beforehand.

Define the approved encryption and disposal methods

What are the ways that we can use these to communicate so that they're going to be kept secure as per the HIPAA security standards? How are we going to report problems, and how quickly? How do we train the staff? Then we get to the question, “Okay, now we have to decide: is this a reportable breach or not?” So we ask: is it secured or destroyed? Or is it one of these unintentional things where you look at the wrong? Or is there a low probability of compromise?

How do you report a breach?

A lot has to go into that: the HIPAA regulations for what the content is, how you handle substitute notices and whatever additional notices you may have to have, and how you handle law enforcement. How do you handle your business associates? What do you do for documentation? This should all go into your breach notification policies so you can grab it when you have a problem.

You want to have a policy that you can grab and say, “Listen, we have an incident here. It may be a breach. Let's follow the steps and go through the process so we can figure out what we're doing and make sure we don’t make any mistakes.”

Ensure you have good administrative and physical safeguards

From the lessons learned: encrypt data at rest, especially on portable devices. Make sure people are properly trained, make sure you check your fax numbers regularly so you don’t fax to wrong addresses, and make sure you have good physical safeguards for all kinds of systems. As much as possible, keep data off the devices to avoid HIPAA breaches, so that if you lose them, you're not losing any data.
