January 16, 2007

Security Breaches Result in New HIPAA Security Rules Guidance on Remote Access to Health Information

Security breaches are getting as much press as ever these days, especially if they involve personal information about employees. Stories making recent headlines include one about an employee at Boeing who had a laptop stolen containing unencrypted data on over 300,000 current and former employees. Another story discussed how benefits consultant Towers Perrin had five laptops stolen that contained personal information about its clients' current and retired employees. The Privacy Rights Clearinghouse estimates that 100 million data records were exposed during 2006.

In response to the increasing number of incidents involving lost or stolen data, the Department of Health & Human Services has issued guidance on how to secure and manage data on computers and other media that may be used off company premises. Although this guidance is specifically targeted toward compliance with the HIPAA security regulations, which apply to a company's self-insured health plan records, it offers excellent advice on how to protect any confidential data about your company, its employees or its clients that may be stored on laptops, PDAs, smart cell phones, USB flash drives and other portable storage devices, or that you permit your employees or others to access from an off-site location.

The final pages of the guidance offer a number of suggestions for reducing the risk that valuable data will be lost or stolen, including the following:

  • Use data encryption on all laptops and other portable data storage devices.
  • Require passwords on sensitive data files, and for all devices that contain or access sensitive data.
  • Limit remote use or access of data to persons whose jobs require remote use.
  • Implement "two-factor" log-ins (so that the user needs to answer an additional question in addition to supplying a user id and password).
  • Establish automatic time-out protocols for inactive connections.
  • Install personal firewall protection on laptops that store or access patient data.
  • Run virus protection software regularly.
  • Properly train employees on procedures to safeguard portable data storage devices and to safely access information from remote locations.

Although the Department of Health & Human Services has styled this document as "guidance," in reality it is more of a warning, maybe even a shot across the bow. The Department states it will rely on this guidance for determining whether or not a covered entity has taken reasonable action to safeguard the confidentiality of electronic protected health information. In short, if your company is allowing remote access to or use of health plan information through portable devices or through external computer systems not owned or managed by your organization, the Department of Health & Human Services will want documentary proof that you've carefully considered the risks and done everything reasonable to mitigate those risks. If you have not implemented these suggestions and your company loses a laptop containing sensitive health plan records, you should anticipate that the Department will demand documentation showing good reasons why you declined to follow its suggestions, particularly those that involve relatively low financial cost.

If you have any questions about this security guidance or about your organization's HIPAA compliance efforts, please call Norbert Kugele (616.752.2186) or any other member of the Employee Benefits or Labor and Employment Practice Group.
