One well-recognized way to protect patient privacy is to de-identify health data.  However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models.  While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information to reveal the identity of the individual.

Last month, a JAMA article demonstrated that an artificial intelligence algorithm could re-identify de-identified data stripped of identifiable demographic and health information. In the demonstration, an algorithm was utilized to identify individuals by pairing daily patterns in physical mobility data with corresponding demographic data. This study revealed that re-identification risks can arise when a de-identified dataset is paired with a complementary resource.

In light of this seeming erosion of anonymity, entities creating, using and sharing de-identified data should ensure that they (1) employ compliant and defensible de-identification techniques and data governance principles and (2) implement data sharing and use agreements to govern how recipients use and safeguard such de-identified data.

De-identification Techniques and Data Governance

The HIPAA Privacy Rule (45 C.F.R. §164.502(d)) permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications (45 C.F.R. §164.514(a)-(b)).

In 2012, the Office for Civil Rights (OCR) provided guidance on the de-identification standards. Specifically, OCR provided granular and contextual technical assistance regarding (i) utilizing a formal determination by a qualified expert (the “Expert Determination” method); or (ii) removing specified individual identifiers in the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (the “Safe Harbor” method).

As publicly-available datasets expand and technology advances, ensuring the Safe Harbor method sufficiently mitigates re-identification risk becomes more difficult.  This is due to the fact that more data and computing power arguably increase the risk that de-identified information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Given the apparent practical defects in the “Safe Harbor” method, many organizations are applying a more risk-based approach to de-identification through the use of the “Expert Determination” method.  This method explicitly recognizes that risk of re-identification may never be completely removed. Under this method, data is deemed de-identified if after applying various deletion or obfuscation techniques the “risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information . . . .”
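The two methods described above can be made concrete in code. The following is an added example, not part of the original post and not OCR's own tooling: it applies the Safe Harbor generalizations that OCR's guidance specifies (name removed, dates reduced to year, ZIP codes truncated to three digits or zeroed where the three-digit area has 20,000 or fewer residents, ages over 89 collapsed to "90+" with the birth year dropped), then runs a simple k-anonymity check of the kind an expert might use to judge whether the "very small" re-identification risk threshold is met. The patient records and the set of small ZIP prefixes are constructed placeholders; a real implementation would use current Census data for the ZIP rule.

```python
"""Safe Harbor-style generalization plus a k-anonymity check (added example)."""
from collections import Counter
from datetime import date

# Constructed sample records; not real patient data.
RECORDS = [
    {"name": "A. Example", "dob": date(1952, 3, 14), "zip": "02138", "sex": "F", "dx": "E11"},
    {"name": "B. Example", "dob": date(1951, 11, 2), "zip": "02139", "sex": "F", "dx": "I10"},
    {"name": "C. Example", "dob": date(1928, 7, 9), "zip": "02140", "sex": "M", "dx": "E11"},
    {"name": "D. Example", "dob": date(1985, 1, 30), "zip": "03601", "sex": "M", "dx": "J45"},
    {"name": "E. Example", "dob": date(1986, 5, 5), "zip": "03601", "sex": "M", "dx": "I10"},
]

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer must
# become "000" under Safe Harbor. This set is a constructed placeholder; a
# real implementation looks the prefixes up in current Census data.
SMALL_ZIP3 = {"036"}


def age_on(dob, today):
    """Whole years between a date of birth and a reference date."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def safe_harbor(rec, today=date(2019, 1, 1)):
    """Apply the Safe Harbor generalizations to one record.

    The name is dropped, all date elements except the year are removed,
    the ZIP is truncated (or zeroed for small areas), and any age over 89
    is aggregated into a single "90+" category with the birth year removed,
    since a year of birth would reveal that age.
    """
    age = age_on(rec["dob"], today)
    zip3 = rec["zip"][:3]
    over_89 = age >= 90
    return {
        "zip3": "000" if zip3 in SMALL_ZIP3 else zip3,
        "birth_year": None if over_89 else str(rec["dob"].year),
        "age": "90+" if over_89 else str(age),
        "sex": rec["sex"],
        "dx": rec["dx"],
    }


def equivalence_classes(rows, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)


def k_anonymity(rows, quasi_ids):
    """The k of the dataset: the size of its smallest equivalence class."""
    return min(equivalence_classes(rows, quasi_ids).values())


def risky_groups(rows, quasi_ids, k):
    """Quasi-identifier combinations shared by fewer than k rows.

    A group of size 1 is a record that a linked outside dataset (voter roll,
    mobility trace, public directory) could single out.
    """
    return {key: n for key, n in equivalence_classes(rows, quasi_ids).items() if n < k}


if __name__ == "__main__":
    released = [safe_harbor(r) for r in RECORDS]
    for row in released:
        print(row)
    print("k over (zip3, sex):", k_anonymity(released, ("zip3", "sex")))
    print("groups below k=2:", risky_groups(released, ("zip3", "sex"), 2))
```

Even after Safe Harbor, the only man in the "021" ZIP area is a group of one, which is exactly the kind of residual risk the Expert Determination method asks an expert to measure against "reasonably available" outside data before release.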

In light of the residual risks associated with de-identified data generally, it is important that organizations continue to apply good data governance principles when using and disclosing such data.  These best practices should include: data minimization, storage limitation, and data security.  Organizations should also proceed with caution when linking data sets together in a manner that could compromise the integrity of the techniques used to originally de-identify the data.

Data Sharing and Use Agreements

Regardless of the de-identification approach, the lingering risk of re-identification can be further managed through contracts with third parties who receive such data.  Though not required by the Privacy Rule, an entity providing de-identified data to another party should enter into a data sharing and use agreement with the recipient.  Such agreements may include obligations to secure the data, prohibit re-identification of the data, place limitations on linking data sets, and contractually bind the recipient to pass on similar requirements to any downstream other party with whom the data is subsequently shared. Further, such agreements may include provisions prohibiting recipients from attempting to contact individuals who provided data in the set and may also include audit rights to ensure compliance.

The risk of re-identification may be a tradeoff to realize the vast benefits that sharing anonymized health data provides; however, entities creating, using and sharing de-identified data should do so responsibly and defensibly.


Alaap B. Shah


Elizabeth Scarola

On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.”  OCR is seeking comments for a series of 54 different specific questions (many with additional subparts) corresponding to the following five major topic areas:  (1) the promotion of information sharing for treatment and care coordination; (2) the promotion of parental and caregiver involvement in addressing the opioid crisis and serious mental illness; (3) additional ways to remove regulatory obstacles and burdens to facilitate care coordination and promote value-based health care; (4) an effective means to implement the accounting of disclosures requirement of the HITECH Act; and (5) Notice of Privacy Practices operational practices.

While some of the questions ask for factual information (such as the typical time it takes a covered entity to transfer PHI to another covered entity), many of the questions raise larger policy issues.  For example, the RFI includes a series of questions on whether it would make sense to have health care clearinghouses play a much more direct role in providing information to individuals, whether health care clearinghouses should be treated only as covered entities, and if so, could other covered entities impose contractual obligations on the health care clearinghouses to protect PHI without the use of a business associate agreement.  Similarly, the RFI includes multiple questions on whether the OCR could amend the Privacy Rule to allow for better coordination for patients suffering from a substance abuse disorder or serious mental illness, and how such changes might interact with current state privacy laws and 42 CFR Part 2 that would otherwise prohibit the sharing of such information.

From an operational perspective, the RFI requests comments on how to effectively implement the HITECH Act requirement to provide an accounting of all disclosures made through an electronic health record and whether requiring providers to make a good faith effort to obtain written acknowledgement from a patient that they have received a Notice of Privacy Practices places an unnecessary burden on providers, and perhaps inadvertently confuses patients.

OCR is requesting comments on these questions on or before February 12, 2019.

On October 16, 2018 the Department of Health and Human Services Office for Civil Rights (“OCR”) and the Office of the National Coordinator for Health Information Technology (“ONC”) announced an update to their previously provided Security Risk Assessment Tool.  According to ONC and OCR, the “tool is designed to help healthcare providers conduct a security risk assessment” as required under the HIPAA Security Rule.  ONC states that the updated tool includes additional features such as:

  • Enhanced user interface
  • Modular workflow
  • Custom assessment logic
  • Progress tracker
  • Threats & vulnerabilities rating
  • Detailed reports
  • Business associate and asset tracking
  • Overall improvement of the user experience

As with prior tools, the ONC/OCR tool includes a broad disclaimer noting that use of the tool “does not guarantee compliance with federal, state or local laws”.  Indeed, ONC and OCR encourage providers to “seek expert advice when evaluating the use of the tool.”

Ultimately, while the tool may provide a useful resource for small physician groups, larger organizations are more likely to need what is rapidly becoming the industry standard of having a security risk assessment/risk analysis performed by an outside third party, and ensuring additional assessments (such as penetration testing of the systems) are a part of that full risk assessment for the organization.

***

If your organization has any questions or needs assistance with a privacy and security related issue, please reach out to members of our Privacy and Security Group: Patricia Wagner, Alaap Shah, Brian Cesaratto, Adam Forman, or Wenxi Li.

In the tech world, blockchain technology appears to be the panacea to all problems.  As blockchain technology becomes increasingly popular, many industries are trying to determine the best way to use the new phenomenon. Healthcare is no different in this quest. Health care is an optimal candidate to benefit from development of innovative ways to solve its impending issues using transformational technology. Blockchain could be the technology that helps to alleviate some of health care’s problems, such as the incredibly fragmented delivery of care and the painstakingly slow reaction to technological advances.

What is Blockchain Technology?

An over-simplified explanation of blockchain is an online database that stores information on a network of computers. A piece of information, also known as “a record,” is stored in a block. For example, a record of you paying Mr. Smith 10 dollars is stored in a block. Traditionally, that information is saved in a database at a data center. However, blockchain technology stores that record on an individual computer with a time stamp (the “block”). Any change to that information is then stored on another individual computer with a time stamp. Each individual computer holds a block of information that is chronologically time stamped, which creates the blockchain. Thus, information cannot be edited or changed without verification from all parties who have access to a block in the blockchain. Blockchain technology distributes and decentralizes information. There is no central company or single person that holds the information. This makes it extremely difficult for any one person to take down or corrupt the network. Traditionally, blockchain technology is used as the public transaction ledger for bitcoin. Bitcoin users utilized the technology to mitigate the issue of double spending (spending the same digital coin more than once) without the need for a trusted authorizer or central server.
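The tamper-resistance the post describes comes from how the blocks are linked, which the post leaves implicit. The following is an added example, not code from the post or from any blockchain project: a minimal hash-chained ledger in Python in which each block commits to the SHA-256 hash of the previous block, together with two checks. The first recomputes every hash in one party's copy, so an edit to a past record (the "you paid Mr. Smith 10 dollars" block from the post) is caught locally; the second compares the copies held by several parties, so a copy that was edited and then fully re-hashed is still rejected because it no longer matches the majority. SHA-256 linking, the fixed timestamps and the simple majority rule are assumptions made for the example, not a description of any particular product.

```python
"""Minimal hash-chained ledger with local and cross-party verification (added example)."""
import hashlib
import json
from collections import Counter

GENESIS_HASH = "0" * 64  # the first block links to an all-zero hash by convention


def block_hash(block):
    """SHA-256 over the block's committed fields, in a canonical JSON encoding."""
    payload = json.dumps(
        {k: block[k] for k in ("index", "timestamp", "record", "prev_hash")},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def append_block(chain, record, timestamp):
    """Append a time-stamped record that commits to the current tip of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    block = {"index": len(chain), "timestamp": timestamp, "record": record, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain):
    """Local check: every stored hash recomputes and every link points at its predecessor.

    Returns (True, None) for a consistent chain, else (False, index_of_first_bad_block).
    """
    prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return False, i
        prev = block["hash"]
    return True, None


def rehash(chain):
    """Recompute all hashes in place (what an editor must do to hide a change locally)."""
    prev = GENESIS_HASH
    for block in chain:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block)
        prev = block["hash"]
    return chain


def disagreeing_copies(copies):
    """Cross-party check: indices of copies whose tip hash differs from the majority's."""
    tips = [c[-1]["hash"] for c in copies]
    majority_tip = Counter(tips).most_common(1)[0][0]
    return [i for i, tip in enumerate(tips) if tip != majority_tip]


def build_sample_chain():
    """Constructed sample ledger; timestamps are fixed so every party builds the same chain."""
    chain = []
    append_block(chain, {"payer": "you", "payee": "Mr. Smith", "amount": 10}, "2018-09-01T10:00:00Z")
    append_block(chain, {"payer": "Mr. Smith", "payee": "pharmacy", "amount": 4}, "2018-09-01T10:05:00Z")
    append_block(chain, {"payer": "you", "payee": "clinic", "amount": 25}, "2018-09-02T08:30:00Z")
    return chain


def tamper_demo():
    """Edit a past record in one party's copy and run both checks."""
    # Case 1: edit without recomputing hashes; the local check catches it at block 0.
    sloppy = build_sample_chain()
    sloppy[0]["record"]["amount"] = 1000
    local_result = verify_chain(sloppy)

    # Case 2: edit and re-hash; the copy is locally consistent but disagrees with the others.
    copies = [build_sample_chain() for _ in range(3)]
    copies[1][0]["record"]["amount"] = 1000
    rehash(copies[1])
    return local_result, verify_chain(copies[1]), disagreeing_copies(copies)


if __name__ == "__main__":
    print("clean chain:", verify_chain(build_sample_chain()))
    print("tampered (local check, rehashed check, outvoted copies):", tamper_demo())
```

The second case is the point of distributing the ledger: a single party can always rewrite its own copy, so the protection comes from the other parties holding copies and refusing a tip hash they did not agree on.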

Blockchain and Health Care

Blockchain technology could play a role in the industry’s goal to improve the quality of care through care coordination. Care coordination often involves the sharing of information between multiple providers. Blockchain technology could be used to facilitate this process in a more efficient manner by storing a variety of information, including provider and patient details, within electronic health records (EHR) on a network of computers. Blockchain would store the information on various computers, such that information entered into an EHR could be stored across a network of computers that includes providers and the patient. Providers and the patient would hold blocks of information, allowing each provider and each patient to validate the updates to that patient’s record with the consensus of all the providers and the patient. Using blockchain in this fashion would give patients control over their care while also encouraging care coordination because providers would have to interact with one another to update a patient’s file. In this sense, blockchain could take the first step in facilitating the improvement of patient care as a whole.

Blockchain could also reduce the health care industry’s susceptibility to privacy attacks or breaches because of its decentralized and distributed structure. Privacy attacks often involve a hacker entering a system or a database, but, with blocks held in multiple locations instead of one database, blockchain technology would help to minimize hacker infiltration.

However, as with any heavily regulated industry, implementing blockchain will not be easy. There are legal roadblocks at the state and federal level that hinder blockchain’s viability. The Health Insurance Portability and Accountability Act (“HIPAA”), for example, could hinder the ability to share health information across a network of computers due to restrictions on the sharing of Protected Health Information (PHI). Furthermore, state and federal laws would have to be updated to facilitate this technological advance. Despite these hurdles, there may be a glimmer of hope. The Centers for Medicare & Medicaid Services is dedicated to improving interoperability and patients’ access to health information through its Promoting Interoperability program. The agency’s push for moving health care towards EHR has the potential to be pivotal if the industry uses blockchain or a similar technology to improve patient access to health information.

Blockchain may not be a today solution—it will take time to change state and federal laws regarding health information to facilitate such technology. However, the promotion of initiatives encouraging use of EHR may be priming the industry’s palate to provide a place for blockchain in the future.

On June 28, 2018, California enacted A.B. 375, otherwise known as the California Consumer Privacy Act of 2018 (“California Privacy Act”).  Effective January 1, 2020, among other requirements, the law will expand the privacy rights of California consumers and require businesses to disclose what consumers’ personal information is being used, why, and how.  Failure to comply with these new laws could be costly to businesses, with civil penalties resulting from an action by the state attorney general of up to $7,500 per violation.  In addition, in the event of a breach of personal information, the California Privacy Act provides consumers with statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.  Therefore, the California Privacy Act will have a significant impact on businesses, including the healthcare sector.

Business Types Affected.

Generally, the California Privacy Act will affect for-profit business entities that collect consumers’ personal information and that meet one or more of the following criteria: (1) have annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.  The law applies to businesses that collect, use, or share personal information of California residents, including those who are outside the state for temporary or transitory purposes (e.g., travelers).  California’s privacy law does not apply to protected health information regulated by California’s Confidentiality of Medical Information Act or by HIPAA’s privacy, security, and notification rules, but it does apply to the other personal information held by an organization that meets the criteria above and does business in California.

Consumer Rights Expanded.

Additionally, the California Privacy Act will provide California residents more control over their personal information.  For example, consumers will have the right to know the type of personal information collected by the business, the purpose for which the information is being collected, and with whom the information is being shared.  Also, consumers will have the “right to be forgotten” by requesting the deletion of their personal information from the businesses’ systems (with certain exceptions that may apply).  Under the new law, consumers will have the right to prohibit businesses from selling their personal information.  Furthermore, the California Privacy Act will also provide consumers protection from discriminatory action by businesses for exercising these privacy rights.  Overall, the expansion of consumers’ rights to their personal information is similar to the requirements set forth in the European Union’s General Data Protection Regulation (“GDPR”).  Therefore, in this regard, the good news is that the work businesses have been doing to be GDPR compliant will most likely comport with the California Privacy Act.

Business Response Required.

Also, the California Privacy Act will mandate that businesses affected by the law comply with several requirements that will ensure consumers’ awareness of their privacy rights.  For example, the law will require businesses to make available at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).  Businesses will be required to disclose and deliver the requested information, free of charge to the consumer, within 45 days of the request (although businesses will not have to provide such information more than twice a year to a single consumer).  Furthermore, businesses will be required to ensure that all individuals handling consumer inquiries about the business’s privacy practices or the business’s compliance with the law understand all the requirements under the California Privacy Act.  Therefore, businesses will need to make sure that their online privacy policies and/or California-specific consumer privacy rights notices are updated to include these new rights.

* * *

As mentioned above, the California Privacy Act reaches businesses beyond the borders of the state.  According to the International Association of Privacy Professionals (“IAPP”), more than 500,000 U.S. businesses (most being small- to medium-sized enterprises) will be affected by the privacy law.  Because the California Privacy Act follows in the footsteps of the GDPR, the work businesses have done to be in compliance with the GDPR will most likely comport with California’s privacy law.  But those businesses that have not should begin making changes to their policies and procedures to ensure they are in compliance by the end of 2019.

The pace of health care transactions is robust, purchase price multiples are increasing, and many health care businesses are taking advantage of a sellers’ market.  Recently, our clients have increasingly turned to representation and warranty (“R&W”) insurance, finding a market more amenable to the nuances of health care deals than in the past. In the right deal, R&W insurance can limit risk to both seller and buyer and increase value to a seller by allowing for “walk-away” or “naked” deals.  R&W insurance may also be used as a tool by a buyer to increase the attractiveness of its offer in a competitive environment.

The acquisition of a company or its assets is typically governed by a purchase agreement and related transaction documents. The purchase agreement will contain various representations and warranties by the seller regarding a variety of matters, such as the seller’s assets and financial performance (including growth projections), and the accuracy of its billings for services, and its compliance with law (including healthcare laws and regulations). The buyer must do its own diligence before consummating a transaction, but in connection with such diligence it also relies on the seller’s representations and warranties. Following the closing of the transaction, if it is determined that one of the seller’s representations was incorrect (i.e., breached) and the buyer suffers damages as a result, the buyer usually has a right to compensation pursuant to the purchase agreement and related transaction documents.  Frequently, however, those agreements limit the amount that the buyer may recover, either in total, or by using various formulas, deductibles, and/or caps.   Even in the absence of these limits, if the cash purchase price has been distributed by a seller to its creditors and owners, a buyer seeking recovery may face a complex and difficult process.

The most common way to protect a buyer from potential losses that may be difficult to recover using simple indemnification is to escrow a portion of the purchase price from which claims may be paid. The amount of the escrow and how long it must be held are important negotiated terms in the purchase agreement. At the conclusion of the agreed-upon escrow period, the funds remaining in the escrow account will be released to the seller. Naturally, a buyer will want the most protection (and a large escrow amount), while a seller will want to retain the largest portion of the purchase price (and a small escrow amount). That’s where R&W insurance comes in.

R&W insurance shifts the risk of liability for breaches of representations and warranties from the seller to the insurance company in order to provide the parties to the transaction with greater protection post-closing. By utilizing R&W insurance, a buyer will be more comfortable placing a smaller portion (or even none) of the purchase price in escrow, resulting in a larger portion of the purchase price being paid to the seller at closing. In the event a breach of covered representations and warranties by the seller is discovered post-closing, the buyer may look to the insurance company rather than to the escrow (and therefore to the seller) to be made whole.

R&W insurance is an interesting way to shift the risk involved in a transaction and to provide a buyer with greater certainty of collection in the event of a breach. Further, making R&W insurance a component of a bid may provide a buyer a way to favorably distinguish itself from other bidders in a typical “sale process” run by investment bankers (or in an auction-style sale). There are many other considerations, however, when deciding whether to use R&W insurance in lieu of the traditional escrow model. Such considerations include, among others:

  • The size of the policy needed for the transaction, and whether the resulting cost of the policy makes good business sense. The size of a policy can range significantly, in theory covering losses up to the full purchase price, which will impact the cost of the insurance.
  • Whether, and the extent to which, the buyer wants the seller to have “skin in the game” post-closing (i.e., in the form of an escrow), potentially making R&W insurance less desirable.
  • Which representations and warranties the policy excludes. If significant claims are excluded (e.g., Medicare claims, HIPAA violations, or specific matters already under government investigation or subject to litigation), there may be a weaker business case for buying R&W insurance.
  • Who will pay for the R&W insurance (buyer? seller? split?).
  • Some healthcare deals are harder to insure for representations and warranties relating to billing and coding compliance, such as providers with a higher percentage of government payor reimbursement and a greater number of “high-end” CPT codes.
  • The policy’s requirements for a buyer to make (and collect) a claim under the policy. For example, does the policy contain a materiality requirement?  Are the policy requirements consistent with the terms of the purchase agreement?

Buyers and sellers should be aware of the existence of R&W insurance, as well as the above considerations, when analyzing and negotiating transactions. It may provide a valuable alternative to the traditional indemnification escrow model.

Last week’s “WannaCry” worldwide ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted, not without a little good luck and with less financial loss than might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS). It also is no surprise that these government agencies took a carrot and stick approach – speaking about cooperation on one hand and enforcement (by OCR) on the other.

On the cooperative side, DHS and HHS have sought to work with the tech sector to employ cybersecurity best practices to address the ransomware threat, now the most common problem faced across the cyber universe but especially in health care. DHS has opined that “Individual users are often the first line of defense against this and other threats, and we encourage all Americans to update your operating systems and implement vigorous cybersecurity practices including installation of the latest patches and avoiding phishing efforts that can implant ransomware to lock down a system.” The recommended best practices include employee training to avoid clicking on unfamiliar links and files in emails, and backing up data to prevent possible loss. Beyond those somewhat simplistic suggestions, one detects a decided trend toward adoption of the voluntary framework of cybersecurity standards issued by the National Institute of Standards and Technology (NIST), which was issued in 2014 and is in the process of being updated per public comments and meetings.  This also is consistent with the recently issued Executive Order that mandates federal department compliance with the same standards suggested for the private sector, particularly the NIST framework.

The OCR enforcement component is more problematic.  On May 17, 2017, Iliana Peters, a HIPAA compliance and enforcement official at OCR, announced at a Georgetown University Law Center cybersecurity conference that OCR will “presume a breach has occurred” when a HIPAA covered entity or business associate has experienced a ransomware attack, due to the nature of how ransomware attacks work. This is somewhat at odds with the way that ransomware actually works. Ransomware generally is a form of blackmail where a Trojan deprives a data owner of access to its own data unless a ransom is paid (often in Bitcoin or another blockchain currency). OCR’s presumption can be overcome, especially if health care data were encrypted prior to the incident (and presumably that would include data at rest). HHS’s ransomware guide provides that:

“Unless the covered entity or business associate can demonstrate that there is a ‘low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. … The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.”

Thus, if there is anything to take away from this, it is to encrypt PHI – period.

OCR offers to work with the private sector to provide technical assistance.  This might be useful to very small, unsophisticated organizations.  Larger private sector entities arguably have resources and technical skills that surpass those of the government.  Indeed, the President’s Executive Order recognizes this.

We at Epstein Becker Green will have more to say about the ransomware threat and other cyber security vectors affecting the health care space. Expect a webinar and other publications like this one in the near future.

The Information Sharing and Analysis Organization-Standards Organization (ISAO-SO) was set up under the aegis of the Department of Homeland Security pursuant to a Presidential Executive Order intended to foster threat vector sharing among private entities and with the government. ISAOs are proliferating in many critical infrastructure fields, including health care, where cybersecurity and data privacy are particularly sensitive issues given HIPAA requirements and disproportionate industry human and systems vulnerabilities.  Therefore, in advising their companies’ management, general counsel and others might benefit from reviewing the FAQs and answers contained in the draft document that can be accessed at the link below.

Announcing the April 20 – May 5, 2017 comment period, the Standards Organization has noted the following:

Broadening participation in voluntary information sharing is an important goal, the success of which will fuel the creation of an increasing number of Information Sharing and Analysis Organizations (ISAOs) across a wide range of corporate, institutional and governmental sectors. While information sharing had been occurring for many years, the Cybersecurity Act of 2015 (Pub. L. No. 114-113) (CISA) was intended to encourage participation by even more entities by adding certain express liability protections that apply in certain circumstances. As such proliferation continues, it likely will be organizational general counsel who will be called upon to recommend to their superiors whether to participate in such an effort.

With the growth of the ISAO movement, it is possible that joint private-public information exchange as contemplated under CISA will result in expanded liability protection and government policy that favors cooperation over an enforcement mentality.

To aid in that decision making, we have set forth a compilation of frequently asked questions and related guidance that might shed light on evaluating the potential risks and rewards of information sharing and the development of policies and procedures to succeed in it. We do not pretend that the listing of either is exhaustive, and nothing contained therein should be considered to contain legal advice. That is the ultimate prerogative of the in-house and outside counsel of each organization. And while this memorandum is targeted at general counsels, we hope that it also might be useful to others who contribute to decisions about cyber-threat information sharing and participation in ISAOs.

The draft FAQs can be accessed at: https://www.isao.org/drafts/isao-sp-8000-frequently-asked-questions-for-isao-general-counsels-v0-01/

The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), the agency tasked with enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recently announced that it will redouble its efforts to investigate smaller breaches of Protected Health Information (“PHI”) that affect fewer than five-hundred (500) individuals.

It has been widely known that OCR opens an investigation for every breach affecting more than 500 individuals; this announcement describes OCR’s new initiative to investigate smaller breaches as well.  OCR stated that in determining when it will open an investigation, it will evaluate a number of factors, such as: (1) the size of the breach, (2) whether the PHI was stolen or improperly disposed of, (3) whether an entity reports multiple breaches, (4) whether numerous entities are reporting breaches of a particular type, and (5) whether the breach involved unauthorized access to an IT system.  The announcement also notes that OCR may consider a lack of breach reports for a region, suggesting that OCR is interested in investigating the potential for underreporting.

The announcement emphasized that, by investigating breaches, OCR can identify both large-scale trends among HIPAA regulated entities and entity-specific compliance issues that must be addressed.  The announcement also serves as a warning to persons and/or entities subject to HIPAA to ensure that their breach reporting and other HIPAA compliance efforts are up-to-date and ready to withstand any potential scrutiny from OCR.

By Arthur J. Fried, Patricia M. Wagner, Adam C. Solander, Evan Nagler, and Jonathan Hoerner

On September 2, 2015, the U. S. Department of Health and Human Services (“HHS”) announced a $750,000 settlement with Cancer Care Group, P.C. (“CCG”), a radiation oncology practice in Indiana, for Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules violations. The alleged violations occurred in 2012, but a subsequent HHS Office for Civil Rights (OCR) investigation led to allegations from OCR that there was a lack of compliance with HIPAA Privacy and Security Rules requirements dating back to 2005.

CCG notified OCR on August 29, 2012 of a data breach of electronic protected health information (ePHI) resulting from the theft of a laptop bag that was left unattended in an employee’s car.  The bag contained a laptop computer and unencrypted backup storage media.  OCR estimated that the stolen data included the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of approximately 55,000 current and former patients.

After receiving notification of the breach, OCR conducted an investigation that OCR alleged revealed CCG was in “widespread non-compliance with the HIPAA security rule.”  Specifically, OCR determined that CCG failed to conduct an enterprise-wide risk analysis at any time between April 21, 2005 (the compliance date of the Security Rule) and November 5, 2012, almost 5 months after the data breach.  OCR also determined that CCG failed to have in place a written policy covering the removal of hardware and electronic media containing ePHI from CCG facilities.  OCR noted that an enterprise-wide risk analysis would have determined that removal of unencrypted media was a high risk to the group’s ePHI security.

In addition to the $750,000 payment, the settlement requires CCG to adopt a robust corrective action plan to correct HIPAA compliance program deficiencies. The entire Resolution Agreement can be viewed here.

This case highlights the need for all covered entities and business associates to conduct regular risk assessments and vulnerability testing.  A proper risk assessment will help organizations to identify vulnerabilities to the ePHI they store. While the Security Rule does not mandate encryption, as it is an addressable implementation specification, this settlement again reinforces OCR’s position that unencrypted computer hard drives, mobile devices, and electronic media will be under intense scrutiny should a breach occur. Thus, in most instances it is advisable for those types of devices to be encrypted.