In yet another example of the importance of encrypting mobile devices and laptops, a small Rhode Island healthcare system called Lifespan ACE has agreed to pay $1.04 million to the Office for Civil Rights (“OCR”) to settle an investigation resulting from an unencrypted MacBook laptop computer that was stolen in 2017. The OCR is a subdivision of the federal Department of Health and Human Services. Among other tasks, the OCR monitors and enforces medical patient privacy rights protected by the Health Insurance Portability and Accountability Act (“HIPAA”). See 45 CFR §§160, 162 and 164.
The MacBook was owned by Lifespan and was provided to an employee for work use. The laptop was stolen when an unknown person broke into the employee’s car. The laptop was never recovered. Lifespan opened an internal investigation and determined that the employee’s work emails MIGHT have been cached on the laptop’s hard drive. Such emails would have given the thief access to HIPAA-protected information including:
- Patient names
- Medical record numbers
- Demographic information including addresses
- Names of prescribed and/or administered medications
- And more
Data for about 20,500 patients was potentially cached on the laptop. However, the investigation failed to uncover any evidence that the patient information was actually accessed and/or disclosed in some manner by the thief.
The potential data breach was reported to the OCR in April 2017 and the OCR opened an investigation. After a three-year investigation, the OCR made the following findings:
- Lifespan did not implement policies and procedures to encrypt all devices used for work purposes
- Lifespan did not implement policies and procedures to track or inventory all devices with access to Lifespan’s computer network or which contain patient information
- Lifespan did not have the proper agreements in place between the various Lifespan corporations and affiliates
- Because of the foregoing, Lifespan impermissibly disclosed HIPAA-protected patient information
Note the high standard that the OCR imposes on health companies with respect to protecting patient data. The OCR punished the data breach even though the breach was the result of criminal behavior by a third party and even though there was no proof that the data was actually accessed or disclosed. From this it can be seen that, legally, a data breach is akin to strict liability.
In addition to paying the $1.04 million fine, Lifespan agreed to a long list of remediations and changes to its cybersecurity protocols. See consent decree here. Some of the more important agreed-upon remediations related to equipment include the following:
- Providing an inventory of all Lifespan devices and equipment that (i) have access to, (ii) can store, (iii) can download, or (iv) can transmit information contained on the Lifespan computer network, including desktop and laptop computers, tablets, mobile telephones, USB drives and medical equipment/devices with computer components
- Proof that all devices and equipment have been encrypted
- Proof that tracking capabilities have been installed for use in the event of loss or theft
- Evidence of new policies and procedures concerning limitations of what data is and can be accessed by high-risk devices
- Proof of the ability to remotely wipe and/or permanently destroy data in the event of loss or theft
- Evidence of sufficiently updated measures and protocols for controlling access to various devices
- Demonstration of new policies concerning and implementation of employee training with respect to physical security and access protocols
Although the Lifespan case involved patient medical records under HIPAA, the legal and practical lessons are more widely applicable. Companies must protect their customer, patient and employee data, and failure to have proper cybersecurity protocols will result in liability even from the theft of a single device. Among the necessary protocols are the encryption of mobile devices and laptops.
The focus on cybersecurity for mobile devices has been heightened by the COVID-19 pandemic. As many employees have been working and will continue to work from remote locations, mobile devices have become a weak link in protecting business, consumer and employee confidential information.
For more information or if you have legal questions about data security, how to respond to data breaches, or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.
HIPAA’s Encryption Standard: Addressable Does Not Mean Optional
The HIPAA Security Rule, codified at 45 C.F.R. §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii), lists encryption as an addressable rather than required implementation specification. This designation creates a common misunderstanding. Addressable does not mean optional. It means that a covered entity must assess whether encryption is a reasonable and appropriate safeguard given its risk analysis and, if so, implement it—or document a specific reason why an equivalent alternative measure achieves the same objective. In nearly every investigation involving a stolen unencrypted device, the OCR finds that encryption was, in fact, a reasonable and appropriate measure given readily available technology and low cost.
The OCR published guidance on encryption in 2009 stating explicitly that the use of NIST-approved encryption for data at rest would generally constitute a safe harbor against breach notification obligations and regulatory penalties for lost or stolen devices. That guidance has not changed. Any covered entity or business associate that maintains electronic protected health information on laptops, tablets, smartphones, or portable storage devices without NIST-compliant encryption is operating with significant, and largely unnecessary, regulatory risk.
The Scale of Liability: $1.04 Million for 20,500 Patient Records
The Lifespan settlement—$1.04 million for approximately 20,500 potentially compromised patient records—works out to roughly $51 per record. That figure sits within the OCR’s published civil money penalty tiers, which range from $100 per violation for unknowing violations to $50,000 per violation for willful neglect not corrected, with annual caps for each violation category. The OCR has imposed penalties exceeding $5 million in cases involving large-scale failures affecting hundreds of thousands of patients.
Beyond the OCR penalty, covered entities in breach situations face state-law obligations. Rhode Island’s Identity Theft Protection Act required Lifespan to notify affected individuals, the state attorney general, and major consumer reporting agencies. Notification costs—postage, call center staffing, credit monitoring services, and legal fees—typically add several hundred thousand dollars on top of the regulatory fine.
Business Associate Agreements and Organizational Structure
One of the OCR’s specific findings against Lifespan was the absence of proper Business Associate Agreements among Lifespan’s affiliated corporations. This is a recurring compliance deficiency in multi-entity health systems. HIPAA requires that covered entities execute Business Associate Agreements with all business associates—entities that perform services on the covered entity’s behalf involving access to protected health information. When a parent health system and its subsidiaries share an IT infrastructure or exchange patient data, each entity in the structure must have a valid agreement with every other entity that handles its patient data.
Health systems that have grown through acquisitions frequently inherit gaps in their Business Associate Agreement portfolios. Conducting a comprehensive audit—identifying all third-party vendors, contractors, and affiliated entities that handle protected health information and confirming that current, compliant agreements are in place—is a foundational compliance obligation that the OCR evaluates in every investigation.
Practical Steps for HIPAA Device Security Compliance
- Implement full-disk encryption on all laptops, tablets, and portable devices using NIST SP 800-111-compliant software before any protected health information is stored on the device.
- Maintain a complete inventory of all devices capable of accessing protected health information, including personal devices under a bring-your-own-device policy.
- Conduct an annual risk assessment under 45 C.F.R. § 164.308(a)(1) that specifically evaluates the risk of device loss or theft.
- Implement a mobile device management platform enabling remote wipe capabilities for all devices that access protected health information.
- Ensure all Business Associate Agreements are current, executed, and maintained in a central compliance repository.
- Train all workforce members on device security obligations, including the prohibition on caching or storing protected health information on personal devices.
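The first two steps above (encrypt every device, and keep an inventory that records which devices are encrypted) can be verified rather than merely asserted. The following POSIX shell probe is an added example, not code from the article, from Lifespan, or from the OCR; it is the kind of check an inventory or MDM agent could run on each laptop to record the full-disk encryption state in a machine-readable line, and to flag any device whose disk is not encrypted. It assumes the real output format of macOS `fdesetup status` ("FileVault is On." / "FileVault is Off.") and that Linux `lsblk -rno TYPE` lists a `crypt` row for a dm-crypt/LUKS volume; the host names and inventory records used for illustration are constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): a small full-disk
# encryption compliance probe. The parsing functions take the command
# output as an argument so they can be exercised offline on constructed text.

# Interpret macOS `fdesetup status` output. Returns 0 when FileVault is on.
filevault_enabled_from_output() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Interpret Linux `lsblk -rno TYPE` output. A "crypt" row means a
# dm-crypt/LUKS volume is present. Returns 0 when one is found.
luks_present_from_output() {
    printf '%s\n' "$1" | grep -qw 'crypt'
}

# Build an inventory record "host=<name> os=<os> fde=<yes|no|unknown>" from
# the raw probe output, suitable for appending to a device inventory.
fde_record() {
    host="$1"; os="$2"; probe_output="$3"
    case "$os" in
        macos) if filevault_enabled_from_output "$probe_output"; then state=yes; else state=no; fi ;;
        linux) if luks_present_from_output "$probe_output"; then state=yes; else state=no; fi ;;
        *) state=unknown ;;
    esac
    printf 'host=%s os=%s fde=%s\n' "$host" "$os" "$state"
}

# Live probe of the machine the script runs on; reports "unknown" when
# neither tool exists (for example on a CI runner).
fde_probe_local() {
    name="${HOSTNAME:-$(uname -n)}"
    if command -v fdesetup >/dev/null 2>&1; then
        fde_record "$name" macos "$(fdesetup status 2>/dev/null)"
    elif command -v lsblk >/dev/null 2>&1; then
        fde_record "$name" linux "$(lsblk -rno TYPE 2>/dev/null)"
    else
        fde_record "$name" unknown ""
    fi
}

# Review collected records on stdin (one per line) and print the host field
# of every device whose disk is not encrypted. Exit status is 1 when any
# unencrypted device was found, so the review can gate a compliance report.
flag_unencrypted() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"fde=no"*) printf '%s\n' "${line%% *}"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Usage: `sh fde_probe.sh probe` on a laptop, then
# `cat records.txt | sh fde_probe.sh review` on the collector.
case "${1:-}" in
    probe) fde_probe_local ;;
    review) flag_unencrypted ;;
esac
```

The probe deliberately records an explicit `unknown` rather than silently skipping a host: a device that cannot prove its encryption state is exactly the gap the OCR's inventory finding describes, and it should surface in the review instead of disappearing from the list.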
If your organization is navigating a HIPAA investigation, needs to strengthen its data-security compliance program, or has questions about breach response, contact the health law and data security lawyers at Revision Legal at 231-714-0100.