In 2012, CCG suffered a data breach. The facts of the breach would be considered almost quaint, were they not so lethal. An employee who had been given permission to telecommute lost their laptop and backup drive as a result of car theft. The laptop contained the PHI of over 50,000 patients.
OCR investigated this incident and determined that CCG failed to take a number of basic measures required under the HIPAA Security Rule. One such failure was the failure to conduct an enterprise-wide risk analysis when the breach first occurred. Such an analysis might have led CCG to discover that stricter measures were needed to prevent the threats introduced by telecommuting. Put more simply, had CCG analyzed risk, it would have discovered it needed a policy for telecommuting employees that required those employees to take physical and security measures to protect laptop devices.
Indeed, OCR discovered that Cancer Care Group had no written policy regarding the removal of hardware containing PHI into and out of its facilities.
This lack of a written policy constituted a clear violation of the HIPAA Security Rule.
One of the HIPAA Security Rule physical safeguards is the Device and Media Controls standard. Under this standard, covered entities are required to “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.”
CCG was not the only employer whose decision to allow employees to telecommute resulted in HIPAA violations. The respiratory medical group Lincare paid $240,000 to settle a data breach matter.
The facts of the Lincare breach sound like something out of a bad HIPAA soap opera. A manager from Lincare had left behind approximately 300 patient records in her car after deciding to leave her husband. Believe it or not, the manager was actually complying with an (unwritten) company policy, which simply required that such records, as well as procedure manuals, be securely stowed away in cars as a form of data backup.
The manager left behind her car and her husband. However, the husband continued to have access to the vehicle. The husband later contacted Lincare and OCR to report he had discovered the private records.
When the matter got to a hearing before an Administrative Law Judge (ALJ), the judge ruled in favor of OCR, finding that, as an organization, Lincare had failed to implement effective HIPAA compliance guidelines.
Telecommuting and Safeguarding of PHI
Organizations can follow some basic procedures to minimize the risk that PHI in transit or stored in a worker’s home is disclosed without authorization. The first and most basic of these procedures is:
- Developing rules for remote employees in security policies and procedures. To do this, covered entities should make a list of all employees and indicate, for each employee, the level of information to which that employee has access.