HIPAA v. the iPhone

January 16, 2013

Authored by: Chris Rylands and Steven Schaffer

Image from HHS.gov

HHS recently posted on its website a series of helpful videos on the security of mobile devices.  While they are aimed primarily at health care providers, the videos are still useful for health plan sponsors/administrators (and their business associates).  (The way the HIPAA rules are written suggests that the plan itself should view the videos, but we doubt the actual physical document would learn much.)  Interestingly, the videos carry prominent disclaimers that following their guidance does not guarantee compliance with HIPAA or any other law.

It is a particularly good idea for plan sponsors/administrators to review the videos given that HHS’s Office for Civil Rights (“OCR”) recently announced a “resolution agreement” with Hospice of North Idaho (“HONI”) under which HONI agreed to pay $50,000 and made certain future compliance commitments.  The OCR investigation began after HONI itself reported the theft of an unencrypted laptop, apparently under the breach notification rules established by HITECH.  Notably, the breach affected fewer than 500 individuals, which is generally considered a small breach.  Once OCR investigated, it determined that HONI (1) had not conducted the risk analysis required by the HIPAA Security Rule on an ongoing basis and (2) had not implemented adequate safeguards with regard to electronic PHI.

The bottom line is that plan sponsors and administrators should conduct the requisite risk assessments, particularly where employees may have access to protected health information on their laptops, iPhones, iPads, Android phones and tablets, etc.  The word “unencrypted” in the HONI matter is not incidental: under HHS’s breach notification guidance, PHI that is encrypted in accordance with that guidance is not “unsecured” PHI, so the loss or theft of a properly encrypted device generally does not trigger the notification obligation that started this investigation.  Plan sponsors/administrators may also want to consider additional security training to ensure their employees understand the risks of using mobile devices to access PHI, perhaps incorporating some of the videos made available by HHS.
