The Single Largest Source of HIPAA Breaches in 2013: Personal Electronic Devices

“The loss of PEDs (Personal Electronic Devices), whether maliciously, or unintentionally, created the single largest source of HIPAA breaches in 2013.” [1]

We are fortunate to live in a world of portable convenience. Our personal schedule syncs with our work schedule which syncs with our phones. At the same time, we have access to our email from phones, tablets, and laptops. And how easy has texting made our work lives? Running late in surgery? Simply text your assistant that Mary’s surgery is running longer than expected and that you’ll be delayed getting back to the office.

HIPAA Breach Black Hole

Unfortunately, the protections built into these devices, and the habits with which we use them, have not caught up with the rules that protect patient privacy (HIPAA at the federal level, plus various state-level regulations). What we have created is a black hole of potential HIPAA breaches. All this automatic syncing of our lives is very convenient, and very dangerous. All it takes to put you at risk of significant fines is to lose a phone, tablet, or laptop that holds unencrypted patient information. The one thing that genuinely changes this picture is full-device encryption: HHS guidance treats properly encrypted patient information as secured, so losing an encrypted, passcode-locked device is generally not a reportable breach. An unencrypted device gets no such protection.
You might say that you don’t keep patient information on any of these devices, so this is not an issue. I would challenge you to reconsider. Can you really say that you never have identifiable patient information in your calendar, your email, your text messages, or your IM conversations on any of your PEDs?


Identifying information includes, but is not limited to, the patient’s name, a phone number, a comment on an appointment, the patient’s email address, or any other detail that would allow a third party to identify the patient. Note that patient or account numbers assigned by you or your software system are themselves considered identifiers. The communication may arrive by email, text, or IM, and may come from your staff, from another care provider, or from the patient directly.

So what can you do?

On your calendar, you may have an appointment that says, “Surgery at The Centrum Surgery Center.” You may not have an entry like this: “Mary Smith – Abdominoplasty – The Centrum.” Your staff may text or email you, “Please call re: abnormal lab results.” They may not send you, “Mary Smith – abnormal labs – 2 days PO.” The test is simple: the message should tell you what to do without telling anyone who finds the device who the patient is.

You have some valuable resources available to help you define what you may do when it comes to PEDs. Your malpractice carrier should have a risk management department which monitors legislation and regulation and provides training and resources. In addition, your specialty society has staff trained in risk management and offers written collateral and training.

Does this gap between technology and legislation mean that you cannot use the resources available to you? No. It just means that you must think about what information you are storing on your PED. One workaround is to view your office system remotely (e.g. using Logmein or Remote Desktop Protocol). When you only view the data through a secure connection, no patient information needs to be stored on your PED, provided you do not take screenshots, copy text out of the session, or let the remote client remember your password. You also need to make sure that you disconnect from the remote session each time you put down your device, and that the device itself locks with a passcode.

Used wisely, your PEDs will still provide convenience while protecting patient privacy.


[1] Michael Sacopulos, Medical Risk Institute, based on data from Pew Internet Research

Posted in EMR