Potential HIPAA Security Violations
The theft or loss of an unencrypted device containing Electronic Protected Health Information (ePHI) could result in a HIPAA security violation.
For example, a thumb drive containing the ePHI of approximately 2,200 individuals was stolen from a vehicle. The entity needed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of the security management process.
- Make sure all mobile devices containing PII and PHI (laptops, smartphones, portable USB drives, thumb drives, etc.) are encrypted.
- Ensure documented policies and procedures are in place, are being followed, and reflect actual practices.
- IT will regularly conduct a sample audit of devices to ensure encryption is installed and operational.
- Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities, and controls have been considered.