In part 1 of this series, we learned that a laptop containing sensitive, protected health information (PHI) was stolen from the car of a West Virginia Health System employee. To make matters worse, the hard drive containing PHI was unencrypted, leaving the data open to access by unauthorized users.
While unfortunate, the occurrence does serve to highlight key issues concerning HIPAA security. As we saw in Part 1, regulations pertaining to data encryption and facility access security must be reviewed thoroughly, and robust security policies (including locks on doors, cameras, restricted area signs, etc.) applied. Closely related to this is the question, “What really constitutes a secure ‘workstation’ in HIPAA terms? And why does it matter?”
It matters, first of all, because those who have been entrusted with personal health information must do all they can to protect it from those who would abuse it. This is why HIPAA-covered entities are required to implement physical safeguards on all workstations that have access to PHI – even if their data is in the cloud – in order to limit access only to authorized users.
It matters too because mobile devices and laptops are increasingly relied on to facilitate remote work – and these devices are often overlooked when it comes to applying the appropriate protections. This is why the HIPAA Security Rule defines a workstation as:
(See HIPAA Standard § 164.310(b) and (c) – Workstation use and security).
“Media,” according to HIPAA Standard § 164.310(d)(1) on Device and Media Controls, is defined as: “electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.”
In summary then, here are the basic specifications:
2. Media Re-Use (Required) – ePHI must be permanently removed from all media, including laptops or USB sticks, before re-use.
Regarding the transport of these devices, the HIPAA Security Rule also provides for implementation of:
“…policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information, into and out of a facility, and the movement of these items within the facility.” Essentially, this means there must be:
3. Accountability (Addressable) – Providers must audit all data movement and provide documentation of each location where the data is stored.
4. Data Backup and Storage (Addressable) – Whether an onsite backup hard drive or a cloud-based backup is used, providers must have a plan to store the data elsewhere in the event of an attack.
HIPAA-covered entities should know that the U.S. Department of Health and Human Services has levied significant fines for violations of Device and Media Controls, in some cases amounting to millions of dollars. It is incumbent upon these covered entities to review and implement these regulations before sensitive data breaches occur.