The Office of Civil Rights of the U.S. Department of Health and Human Services (OCR) is charged with the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). On August 26, 2020, the OCR issued an advisory to assist providers in avoiding HIPAA violations. HIPAA contains two parts – the Privacy Rule and the Security Rule. Most of the focus of healthcare providers (“covered entities” in HIPAA parlance) is on the Privacy Rule. However, covered entities are responsible for ensuring compliance with the Security Rule as well.
Many covered entities employ a variety of devices to access electronic protected health information (ePHI) of patients. Often these devices cache user names and passwords, and they may also store downloaded files locally so that they can be read while the device is offline. A physician may use his or her tablet while making rounds, a desktop PC in the office and a smartphone while on the go. Files may also be stored on thumb drives. Each of these devices is a potential point of breach, through hacking, theft or loss.
Under HIPAA, covered entities are required to make periodic assessments of their risk of violating both the Privacy and the Security Rules. OCR’s advisory suggests conducting an inventory of devices and servers (owned by the covered entity or by its business associates such as billing services and EHR providers) that contain or have the ability to access ePHI as a way to reduce the risk of HIPAA violations.
For additional information about the issues discussed above, or if you have any other Health Care Law concerns, please contact the Underberg & Kessler attorney who regularly handles your legal matters or Helen Zamboni, the author of this piece, here or at (585) 258-2844.