Is It a Breach of Protected Health Information If I Lose My Thumb Drive?

Thumb drives, laptops, and other portable electronic devices pose a significant risk of breach when used without safeguards required by HIPAA. 

Jeanne Varner Powell, JD

01/05/2024

Breaches of protected health information soared in the first 10 months of 2023, surpassing 2022 and 2021 totals. According to a recent analysis by Politico, 88.7 million individuals were impacted by breaches reported between January and October 2023, compared to 2022 and 2021 totals of 55.4 million and 59.4 million, respectively. Most of these breaches reportedly stemmed from ransomware attacks and other hacking incidents.

Ransomware Isn’t the Only Threat That Could Result in a Breach

Although the staggering rise in ransomware attacks partially explains the recent explosion of data breaches, hacking is not the only risk medical practices and other HIPAA covered entities need to guard against. Thumb drives, laptops, and other portable electronic devices pose a significant risk of breach when used without safeguards required by HIPAA. 

If a portable device containing unencrypted or otherwise unsecured protected health information (PHI) is lost or stolen, the loss is presumed to be a breach. While you can’t eliminate the risk of a lost or stolen mobile device, you can implement HIPAA-required safeguards before loss or theft occurs to:

  • Protect patient electronic protected health information (ePHI) stored on the device;

  • Avoid costly breach notifications; and

  • Avoid possible regulatory penalties for HIPAA non-compliance.

The MICA Risk Team can help. In this article, we discuss:

  • HIPAA’s Breach Notification Rule;

  • A MICA member’s experience with a lost thumb drive;

  • Examples of breaches stemming from lost or stolen mobile devices that resulted in regulatory investigations and penalties; and

  • Actions to take now to comply with HIPAA, protect patient data, and avoid a breach and possible investigation by the U.S. Health & Human Services Office for Civil Rights (OCR), the agency that enforces HIPAA.

Avoid Breach Notifications with Encryption

Investigating, reporting, and remediating a breach, and minimizing the resulting damage, is a lengthy, expensive process for physician practices and other HIPAA covered entities. A breach is any acquisition, access, use, or disclosure of PHI or ePHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the data.1 Any impermissible use or disclosure is presumed to be a breach unless the medical practice or other covered entity can demonstrate, through a documented risk assessment, a low probability that the PHI has been compromised.2 For a lost or stolen unencrypted device this is oftentimes an impossible hurdle to clear, because you usually cannot show what happened to the data after the device left your hands.

When a breach occurs, the HIPAA Breach Notification Rule (BNR) applies. In a nutshell, this Rule requires covered entities to do the following after discovery of the breach:

  • Notify each individual affected by the breach in writing, by first class mail (or by email if the individual has agreed to electronic notice), without unreasonable delay and in no case later than 60 days after breach discovery.

  • If the breach affects 500 or more individuals, report the breach to OCR without unreasonable delay and in no case later than 60 days after breach discovery. If more than 500 residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that area within the same deadline.

  • If the breach affects fewer than 500 individuals, log it and report it to OCR within 60 days of the end of the calendar year in which the breach was discovered.3

The good news is, if you lose a laptop or thumb drive containing ePHI, encryption can take you outside the breach notification requirements entirely. This can save significant costs, minimize damage to the practice’s reputation, and reduce the risk of regulatory investigations often triggered by breach reports. The BNR notification requirements apply only when “unsecured” PHI or ePHI is involved.4 They do not apply when the lost, stolen, or otherwise impermissibly used or disclosed data was encrypted in a manner consistent with HHS guidance, which points to NIST standards (NIST Special Publication 800-111 for data at rest, such as full-disk or removable-media encryption). Properly implemented encryption renders the data unusable, unreadable, or indecipherable to someone who steals or finds your thumb drive or other portable device. Two caveats apply. First, the safe harbor holds only if the decryption key or passphrase was not lost or stolen along with the device; HHS guidance expects keys to be stored separately from the data they protect, so a passphrase written on the drive or kept in a file on the same laptop does not qualify. Second, a Windows or macOS login password by itself is access control, not encryption: unless the disk is also encrypted, the data can be read simply by removing the drive. For more information on HHS standards for encryption, consult HHS guidance and/or your IT vendor.

A MICA Member Finds Her Thumb Drive and Avoids the Consequences of a Breach

A worried MICA member recently contacted the MICA Risk Team for guidance when she lost a thumb drive containing patient data. After a busy day of patient care, she would save patient files on the thumb drive to finish her documentation at home in the evenings. The files were unencrypted. She didn’t keep track of files saved to the drive, so she couldn’t identify the patients whose data was at risk. If she didn’t locate the drive, she potentially would have to notify all her patients, OCR, and the media of a breach.

The MICA Risk Team provided guidance on steps to take if she couldn’t locate the drive, including reporting a Claim. We also discussed encryption and suggested other changes and improvements she could implement going forward to protect patient PHI and comply with HIPAA. Thankfully for the physician and her patients, she found her thumb drive under her car seat the next day. She plans to implement encryption going forward.

OCR Settlements

Other health care professionals and entities have not been as lucky as this MICA physician. Over the past 10 years, many have made breach reports to OCR following loss or theft of a laptop or mobile storage device containing unencrypted ePHI.

Breach reports sometimes trigger an investigation by OCR to determine whether the covered entity complied with HIPAA. OCR has settled numerous investigations of this type. A few are summarized below.

Dermatology Practice Settlement

A dermatology practice reported a breach after a thumb drive was stolen from an employee’s vehicle. The drive contained unencrypted ePHI related to Mohs surgeries of 2,200 patients.

After the practice reported the breach, OCR investigated and found the following HIPAA violations:

  • Failure to conduct and document a security risk analysis (SRA);

  • Failure to maintain written policies and procedures and provide training for workforce members regarding HIPAA breach notification requirements; and

  • Failure to comply with Privacy Rule requirements by allowing an unauthorized person to access ePHI left in an unattended vehicle and unprotected by encryption.

To settle the matter, the practice agreed to pay $150,000, follow a corrective action plan, and submit to two years of OCR oversight. Read the Resolution Agreement and Corrective Action Plan here.

Academic Medical Center Settlement #1

An academic medical center reported a breach following the theft of a laptop containing unencrypted ePHI. OCR investigated and determined the medical center:

  • Failed to implement policies and procedures to address security incidents; and

  • Failed to use encryption to safeguard all ePHI it maintained (or document why encryption was not reasonable and implement equivalent alternative measures).

To settle these findings plus others related to a separate incident, the medical center agreed to pay $2.7 million, follow a corrective action plan, and submit to two years of OCR oversight. Read the Resolution Agreement and Corrective Action Plan here.

Academic Medical Center Settlement #2

An academic medical center reported two breaches. The first affected an unknown number of patients and stemmed from a lost flash drive. The second arose out of the theft of a resident’s laptop containing 43 patients’ ePHI. OCR investigated and found that the medical center failed to:

  • Conduct and document a SRA;

  • Implement security measures to mitigate risks to ePHI;

  • Implement policies and procedures governing receipt and removal of hardware and electronic media containing ePHI that comes in or out of the facility or moves within the facility; and

  • Protect ePHI with encryption (or document why encryption was not reasonable and implement equivalent alternative measures to protect ePHI).

To settle these findings, the medical center agreed to pay $3 million, follow a corrective action plan, and submit to two years of OCR oversight. Read the Resolution Agreement and Corrective Action Plan here.

The high settlement amount resulted, in part, from the medical center’s apparent failure to learn its lesson. Several years prior, the medical center reported a similar breach involving a lost unencrypted flash drive. OCR investigated, found deficiencies, and offered guidance on achieving compliance. Despite OCR’s assistance, and the medical center’s own risk analysis concluding lack of encryption posed a high risk to ePHI, the medical center continued to use unencrypted mobile devices. OCR’s director emphasized, “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

Action Item List for Physicians, Advanced Health Care Professionals, and Medical Practices 

The scenarios summarized above provide valuable lessons learned for all HIPAA covered entities. To help you avoid a similar situation, the MICA Risk Team has created this list of essential action items so you can protect ePHI, foster patient goodwill and trust, remain HIPAA-compliant, and avoid breach costs and regulatory penalties.

1. Require Encryption of all ePHI on Portable Devices

According to OCR, “Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk.” To avoid a breach situation and potential regulatory penalties, all medical practices should:

  • Develop and implement a Mobile Device Management (MDM) policy governing the use of mobile devices that requires encryption on every laptop, thumb drive, phone, or other mobile device, whether owned by the practice or by an employee, that is used to access or store ePHI.

  • Develop procedures to monitor and verify employee compliance with the MDM policy, for example periodic checks that device encryption is turned on and that no ePHI is stored on unapproved media.

  • Consider implementing technical controls that prevent transfer of ePHI from practice systems and devices to unencrypted removable storage, such as operating system policies that mount unencrypted removable drives read-only or block them entirely, and data loss prevention tools.
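As an added illustration of the third bullet (example code written for this article, not MICA’s, OCR’s, or Microsoft’s own tooling), the following PowerShell enforces and audits the Windows BitLocker policy “Deny write access to removable drives not protected by BitLocker” on a Windows 10/11 Pro or Enterprise endpoint, and checks whether a connected thumb drive is actually encrypted. It assumes the registry value names that the BitLocker Group Policy template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE; the cipher-selection value is an assumption to confirm in the Group Policy editor before deploying.

```powershell
# Added example: local enforcement of "deny write access to removable drives
# not protected by BitLocker" on a Windows 10/11 Pro or Enterprise endpoint.
# Illustrative code, not MICA's or OCR's. The value names are the ones the
# BitLocker Group Policy template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE;
# on a domain-joined fleet deploy them through Group Policy or your MDM rather
# than by hand. Run in an elevated (Administrator) PowerShell session.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Desired policy state. RDVDenyWriteAccess = 1 makes Windows mount any removable
# drive that is not BitLocker-protected read-only and prompt to encrypt it.
# EncryptionMethodWithXtsRdv = 4 selects AES-256 (CBC) for removable drives,
# which stays readable on older Windows machines; 7 would select XTS-AES-256.
# (Assumed values from the policy template; confirm in gpedit.msc under
# "BitLocker Drive Encryption" before deploying.)
$DesiredPolicy = @{
    RDVDenyWriteAccess         = 1
    EncryptionMethodWithXtsRdv = 4
}

function Set-RemovableDriveEncryptionPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $FvePolicyPath)) {
        New-Item -Path $FvePolicyPath -Force | Out-Null
    }
    foreach ($name in $DesiredPolicy.Keys) {
        if ($PSCmdlet.ShouldProcess("$FvePolicyPath\$name", "set to $($DesiredPolicy[$name])")) {
            New-ItemProperty -Path $FvePolicyPath -Name $name -PropertyType DWord `
                -Value $DesiredPolicy[$name] -Force | Out-Null
        }
    }
}

function Test-RemovableDriveEncryptionPolicy {
    # Emits one object per policy value so the output can be kept as evidence
    # for the SRA and the risk management plan.
    foreach ($name in $DesiredPolicy.Keys) {
        $actual = (Get-ItemProperty -Path $FvePolicyPath -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $DesiredPolicy[$name]
            Actual    = $actual
            Compliant = ($actual -eq $DesiredPolicy[$name])
        }
    }
}

function Test-RemovableDriveEncrypted {
    # Reports whether a mounted removable drive is actually protected, using
    # the built-in BitLocker module (Get-BitLockerVolume).
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $MountPoint
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted expected
        EncryptionMethod = $vol.EncryptionMethod    # None means unencrypted
        ProtectionStatus = $vol.ProtectionStatus    # On expected
        Compliant        = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
    }
}

# Usage: apply the policy, then audit it.
Set-RemovableDriveEncryptionPolicy
Test-RemovableDriveEncryptionPolicy | Format-Table -AutoSize

# To encrypt a thumb drive mounted as E: with a passphrase (BitLocker To Go),
# then confirm it is protected before ePHI is copied to it:
# Enable-BitLocker -MountPoint 'E:' -EncryptionMethod Aes256 -PasswordProtector `
#     -Password (Read-Host -AsSecureString 'Drive passphrase')
# Test-RemovableDriveEncrypted -MountPoint 'E:'
```

Once the policy is in place, plugging in an unencrypted thumb drive gives a read-only mount and a prompt to turn on BitLocker, which closes the path the lost-drive scenario above depends on. Escrow the recovery key with the practice (Backup-BitLockerKeyProtector to Active Directory, or Entra ID/Intune escrow), never on the drive itself, because a key that travels with the data defeats the encryption safe harbor.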

2. Perform and Document a Security Risk Assessment

The HIPAA Security Rule requires ALL physicians, advanced health care professionals, medical practices, and other HIPAA covered entities to perform a Security Risk Assessment (SRA), also called a security risk analysis. OCR says that SRAs help to ensure compliance with HIPAA Security Rule requirements for administrative, physical, and technical safeguards. SRAs also reveal risks to ePHI maintained on your devices and systems.

If you and your practice are behind on completing an initial SRA or performing regular updates, you’re not alone, but you are at risk of a breach situation and/or regulatory penalties. Consider:

  • In the cases above, the settlements with both the dermatology practice and medical center #2 included findings that no SRA had been conducted and documented.

  • In 2016 and 2017, OCR performed routine compliance audits of 166 covered entities and found only 14% substantially complied with SRA requirements. Over half of those audited were physicians and health care practitioners.

  • In 2020, a Utah GI physician paid $100,000 to settle an OCR investigation. OCR found he failed to complete an accurate and thorough SRA even after OCR previously warned of non-compliance and provided technical assistance to encourage him to perform the SRA.

HIPAA rules require that you do more than simply complete a cursory SRA. An effective SRA is a comprehensive risk analysis of ALL the practice’s electronic devices, media, and systems that create, receive, maintain, or transmit ePHI. The purpose is to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HIPAA requires that you maintain all documentation associated with SRAs for 6 years. In determining compliance with SRA requirements, OCR expects covered entities to produce written documents including:

  • Current and prior SRAs and results;

  • Policies and procedures governing the SRA process and its implementation;

  • Policies and procedures governing employee training on SRA requirements and implementation; and

  • Employee training materials and attendance records.

To understand more about your obligation to perform SRAs, read this handy CMS tip sheet.

To encourage compliance, OCR offers the SRA Tool, a downloadable tool and user guide to help you complete an SRA.

3. Develop and Implement a Security Risk Management Plan

Based on your SRA results, document and implement a comprehensive risk management plan. The plan should:

  • Identify strategies to reduce risks and vulnerabilities identified in the SRA to a reasonable and appropriate level.

  • Explain how you will implement those strategies. For example, what new or updated policies and procedures are needed?

  • Specify how you will train employees and ensure their compliance with the practice’s privacy and security policies and procedures.

4. Review and Update Your HIPAA Policies and Procedures

A key takeaway from OCR investigations like those discussed above is that many covered entities do not have all of the written policies and procedures required by the HIPAA Privacy and Security Rules. MICA members can avoid the same compliance failures by:

  • Reviewing current policies and procedures to ensure compliance with the Privacy and Security Rules;

  • Revising or adding policies as necessary to achieve HIPAA compliance;

  • Revising or adding policies as needed based on SRA findings and the practice’s resulting risk management plan;

  • Providing initial and refresher employee education on HIPAA and your policies and procedures; and

  • Conducting periodic audits to ensure effective implementation of policies and procedures.

Practice policies and procedures should, at a minimum, address the following Privacy and Security Rule provisions:

  • Uses and Disclosures of PHI

  • Security Risk Analysis

  • Security Risk Management

  • Device and Media Controls

  • Encryption and Decryption

Implementing these action items will protect your practice and your patients alike. As they say, an ounce of prevention is worth a pound of cure.

[1] 45 CFR § 164.402

[2] Id.

[3] 45 CFR §§ 164.400-414

[4] Id. at §§ 164.404(a)(1), 164.406(a) & 164.408(a).