Your Data Security Protocol Must Protect ePHI on Portable Devices Even in the Event of Theft

Violations of the Health Insurance Portability and Accountability Act (HIPAA) extend beyond the obvious. For example, theft of computers or electronic devices is not exempt from this law. In fact, hefty fines can be levied by the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) over potential violations stemming from the theft of patient data through any means.

Recently, as reported by, a stolen laptop led to a $3.9 million settlement for HIPAA violations. The case involved the theft of a laptop computer from the vehicle of an employee of the Feinstein Institute, a biomedical research institute. In a press release about the settlement, OCR says its investigation began when Feinstein filed a breach report about the stolen laptop, which contained protected information for 13,000 patients and research participants. Specifically, the data put at risk by the theft was electronic protected health information (ePHI): everything from research participants’ names and social security numbers to clinical details such as diagnoses, lab results and medications.

According to the OCR press release, “OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity. Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities. For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.”

As part of the $3.9 million settlement, Feinstein will implement a corrective plan that addresses vulnerabilities and makes its protocols compliant with HIPAA’s privacy and security rules.

MLMIC recommends a proactive approach to data security. All healthcare-related entities should periodically complete a system-wide risk analysis, implement a risk management plan and strengthen internal policies and procedures to mitigate, if not eliminate, the possibility of such an event occurring. As this case highlights, such a risk analysis must take into account computers and devices used by employees both in and out of the office or facility.