At Texas Children’s, we strive to be leaders in patient care, education and research. One of our obligations as leaders is to stay mindful of the sensitivity of the information at our fingertips. We have a duty to our patients and our Health Plan members to access, use and maintain their Protected Health Information (PHI) in a responsible manner.
Mobile devices, such as laptops, smartphones, tablets, and thumb drives, are important tools for today’s busy workforce. However, technology that delivers these advantages also represents a significant risk to protecting PHI. In fact, most breaches of PHI reported to the Office of Civil Rights (the federal agency that enforces privacy regulations) are related to the theft or loss of mobile devices.
Federal enforcement
Following a breach of unsecured PHI, federal law requires organizations to notify the impacted patients, the Office of Civil Rights, and in cases involving more than 500 patients, the media. In some cases, OCR has levied substantial fines against institutions.
MD Anderson Cancer Center was ordered to pay $4.35 million civil penalties for HIPAA violations related breaches involving three unencrypted devices (a laptop and two flash drives) that affected more than 33,500 patients.
The University of Mississippi Medical Center agreed to pay $2.75 million after it reported a stolen laptop that led to a breach of unsecured PHI affecting approximately 10,000 patients.
Massachusetts Eye and Ear Infirmary settled a case for $1.5 million after reporting the theft of an unencrypted personal laptop.
Texas Children’s is not immune from these risks. Recently, a BCM/TCH physician’s personal laptop was stolen from his car. The physician had stored information on approximately 100 patients on the device. While the laptop was not encrypted with TCH- or BCM-approved software, it happened to have other encryption software installed that prevented us from having to notify the patients and OCR. We were fortunate in that circumstance and can’t rely on continued good luck when it comes to the protection of our patients’ and Health Plan members’ information.
Privacy safeguards
Protecting PHI takes a multi-pronged approach. The following privacy safeguards should be baked into your daily routine.
Mobile device safeguards
- Mobile devices must be installed with TCH or BCM-approved encryption software
- Do not put PHI on flash drives, memory cards, other unencrypted devices, or open access devices
- Maintain your personal mobile devices by installing anti-virus software and security updates
- Do not transmit PHI using unsecured, public Wi-Fi networks
- Use strong passwords and screen locks
- Download applications only from trusted sources
- Do not store PHI on your personal device
Tip: The safest way to access PHI is by utilizing the Texas Children’s remote capability: https://remote.texaschildrens.org. This feature allows registered users to remotely access the Texas Children’s secure network (e.g., from your home computer or mobile device).
Physical safeguards
Do not leave mobile devices unattended (e.g. in your car), even if only for a few minutes
Never share your password or allow others to access your sign-on
Lock your mobile device when not in use
Other privacy safeguards
Do not leave documents containing PHI unattended (e.g. in your car)
Be mindful of where you have sensitive conversations with colleagues and patients
Remember! The best practice for remotely accessing patient or Health Plan member PHI is via the Texas Children’s remote portal.
Contact us
If you have questions about mobile device security, please contact the Texas Children’s Compliance and Privacy Office at 832-824-2085 or via email at compliance@texaschildrens.org.