Featured Health Business Daily Story, Oct. 5, 2012
Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.
Perhaps the good news is that the HHS Office for Civil Rights (OCR) accepts payment plans. But the bad news is that one physician momentarily forgetting his backpack cost his employer $1.5 million.
OCR has made it clear, once again, that it will not tolerate covered entities’ lack of policies and procedures to comply with the security rule. Last month it settled allegations of noncompliance against Massachusetts Eye and Ear Infirmary, and its affiliated physician group, by accepting a $1.5 million payment in three installments. OCR also imposed a three-year corrective action plan on the organization, which was founded in 1864.
The sanctions came despite Mass. Eye and Ear’s contention that it has “no indication that any patients were harmed by this isolated incident,” which occurred on Feb. 19, 2010.
But in an exclusive interview, Sue McAndrew, OCR deputy director for health information privacy, says that is beside the point. McAndrew also discussed the dangers of allowing physicians and others to use their own devices.
The situation that led to the settlement concerns a Mass. Eye and Ear neurologist and researcher who was visiting South Korea to deliver a lecture and left behind his backpack, which contained his personal laptop. On April 20, 2010, 60 days after the loss, Mass. Eye and Ear issued a news release describing what happened and the actions it took after learning of the incident.
Spokeswoman Mary Leach tells RPP her organization declines to comment beyond the statement it issued when OCR announced the settlement on Sept. 17.
According to McAndrew, the physician put the backpack down “in some public place to do something else. I don’t recall what else he was doing but he managed to walk off without it, and came back and, oh, my goodness, the backpack wasn’t where he left it in the public place. So it was total inattention to the importance of what he was carrying around,” she says, but adds, “we understand that these things happen.” She says the computer was eventually found.
After he learned the backpack was missing, the physician reported the theft to the South Korean police. Mass. Eye and Ear determined the laptop “contained demographic and health information of approximately 3,526 patients” the doctor had treated or studied in research.
The organization said the data “may” have included everything from names and email addresses to diagnoses and dates of service, but “to the best of Mass. Eye and Ear’s knowledge, Social Security numbers, financial account numbers and credit card or debit card numbers of individuals associated with Mass. Eye and Ear were not present on the laptop,” the group said.
The computer was not encrypted, but it was password protected and equipped with “LoJack” tracking software, which detected that on March 9, three weeks after it disappeared, someone connected it to the Internet. A login password alone does not protect data at rest: an unencrypted drive can be read by booting another operating system or moving the disk to another machine, and whoever had the laptop did in fact install a new operating system on it.
LoJack determined that “a new operating system was installed” and that “software needed to access most of the information about most affected Mass Eye and Ear individuals had not been reinstalled,” the organization said in its April 20, 2010, news release.
Mass. Eye and Ear apparently allowed the new user or users to work with the computer for another month. “On April 9, it was determined that it was unlikely that continued monitoring of the computer would lead to its retrieval, and a command was sent by LoJack to the computer permanently disabling the hard drive and rendering any information, including information about affected Mass. Eye and Ear individuals contained on the hard drive, permanently unreadable,” the organization said.
Two weeks later, Mass. Eye and Ear issued its release and a day later, on April 21, 2010, notified OCR. The breach notification regulation had been in effect for about seven months by this point.
While the organization took these actions after the theft, they were not part of a formal incident response plan, McAndrew tells RPP. It was “this incident that caused them to actually formalize their response procedures,” McAndrew says.
In this case, as with others, OCR’s “investigation started with a particular breach but the investigation itself really attempts to identify within the entity whether or not the proper compliance tools and obligations are being met and whether the failure to meet any of them contributed to the breach that we are investigating,” McAndrew says.
When OCR officials “went in and sat down with the entity, we did find that there was significant noncompliance with multiple aspects of the security rule that came to light,” she says.
Five of the six deficiencies in the settlement mention the words “portable devices.” OCR “tended to focus on that because of the nature of the breach,” McAndrew says. Among the deficiencies was a failure to “fully evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an ongoing basis reasonable and appropriate security measures.”
Among the factors that concerned OCR was that the lost computer was owned by the physician yet held “official records from the entity,” she says.
This presented a problem, McAndrew says, because Mass. Eye and Ear had “very little knowledge of and had very little control over when their staff would be allowed to access the entity’s files using their personal devices.”
Members “were allowed apparently free and unfettered access with their personal devices to the entity’s information. They could download and take offsite this information whenever they pleased,” she says. “The entity had no idea of when this was happening, if this was happening and how much information was going out their doors on these personal devices.”
McAndrew contends Mass. Eye and Ear “had a similar lax control even over the portable devices that the entity itself was supplying.”
Referring to the physician who forgot his backpack, McAndrew says OCR “understand[s] that these things happen. Nonetheless, that is why we look to the organization to be reasonable and prudent in protecting the information when it is allowed to go offsite. And that not only protects the information but protects the doctor, too.”
After the theft, Mass. Eye & Ear instituted changes, it said, including “deploying encryption to laptop computers that connect to Mass. Eye and Ear’s computer network, and providing education to Mass. Eye and Ear staff regarding limiting the amount of data stored on laptop computers.”
The organization’s statement after the settlement was announced said “Given the lack of patient harm discovered in this investigation, Mass. Eye and Ear was disappointed with the size of the fine, especially since the independent specialty hospital’s annual revenue is very small compared to other much larger institutions that have received smaller fines.” For 2011, Mass. Eye and Ear, a nonprofit, reported total operating revenue of $279.7 million and $20.6 million in excess revenue over expenses.
McAndrew took issue with Mass. Eye and Ear’s statement on the $1.5 million payment.
“The laptop was missing for quite some time,” she says. “It was in a foreign country. They have no idea, they haven’t a clue, what happened to the data that were on that machine. They are really in no position to assert there was no harm because they are in no position to know whether there was harm or not. They can say they know of no harm, no one has reported harm to them. That’s a fine statement. But no one is required to report harm to them.”
Even if Mass. Eye and Ear had received reports from the credit monitoring and restoration services firm it used, “there is very little way to actually trace back where the information that was being misused came from. I think you can make an assumption in many cases, either by the timing or the nature of the information being misused as to its source,” McAndrew says.
She adds that the computer was probably left operating for “too long a time,” and because all its data were wiped “there was no way to get any forensics from the machine, prior to it being wiped and prior to it being recovered.”
Instead, to determine penalties and other sanctions, “the most we can do is to look at the circumstances and to assess not whether there was actual harm but what was the risk,” McAndrew says, “what was the degree of risk that these data were exposed to and was that reasonable. And whether there are reasonable steps and safeguards that could have and should have been in place to reduce or to manage the risk that these data were being exposed to.”
These safeguards come “in many forms, including controls at the entity to know when and what data are being removed from the entity’s files, making sure that that removal is approved and is necessary. Making sure it goes on a device that is secure, so that if the device is lost or stolen the information remains protected,” McAndrew says.
Many organizations do permit physicians and others to “bring your own device,” also known as BYOD (RPP 3/12, p. 8). Asked whether this practice should be discontinued, McAndrew says “that ship has sailed.”
“I don’t think it is anything that we would be in a position to prohibit. I think there are cautionary tales to tell, but I am getting the sense that as of now, the ship may have sailed on any kind of prohibition. The horse is out of the barn, as they say. Now it’s just making sure the horse stays within the corral as opposed to wandering off down the street.”
But when this is allowed, there are added concerns, including the fact that “not all individuals are willing to [follow the CE’s security policies],” McAndrew points out. Workers do have to make tradeoffs if they use their own equipment, she adds.
“Unfortunately, if you’re using your personal device and mixing office information on that device, you give your employer the right to wipe that device if you lose it,” McAndrew says. “And what happens is you lose your personal information on that device, because you can’t just wipe the office stuff. And so there are issues for the individual. It can be quite threatening to them or causing them anguish, in some cases when they lose that information. You could have cherished photos and other personal contacts on those devices and you lose it and the information is gone.”
What OCR has to do is engage in “managing [and] working with entities to learn how to manage these personal devices,” McAndrew says.
Hospitals and others are struggling to keep up with cutting edge technologies that physicians and other staffers can purchase on their own that might be more sophisticated than what the CEs are able to provide, McAndrew acknowledges.
“We are also finding when you try to control and manage these devices that you really need to understand how the physician is going to be using the device, and what is in the entity’s best interest to have the physician use that device for,” McAndrew says.
CEs must “make the controls adaptable to [their uses], because if you don’t, you’re likely to have these devices and beautiful controls and the physicians will be there doing their work-around,” she adds.
The process, she says, is a “continual exchange and evolution of the controls and making them meaningful without destroying [their utility].” CEs also must be “encouraging the individuals to be aware of the information that’s on them and to take all reasonable efforts to make sure that nothing, neither the machine nor the information, is placed in jeopardy.”
OCR and the Office of the National Coordinator for Health Information Technology (ONC) are working on joint guidance about securing mobile devices. In March, they held a roundtable in preparation for the guidance, which is to include case studies and best practices (RPP 3/12, p. 1).
She adds that OCR “has been in dialogue at many conferences and a one-to-one basis with stakeholders in terms of this, trying to balance the benefits of connectivity through these mobile devices,” as well as considering “the risks that are associated both with putting any PHI on these devices as well as the knotty issue of what kind of balance to strike between the use of personal devices versus business devices.”
The guidance might be geared to smaller providers, whom McAndrew describes as “just kind of throwing up their hands at this point and...not really thinking about what it means to have their docs texting and sending emails and messages with PHI.”
© 2012 by Atlantic Information Services, Inc. All Rights Reserved.