An unencrypted thumb drive cost a dermatology practice $150,000. On December 26, 2013, the U.S. Department of Health & Human Services (HHS) announced a settlement with Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts (APD) over alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). APD, a “covered entity” for HIPAA purposes, has offices in Concord, Westford, Marlborough, and Ayer, Massachusetts, and Wolfeboro, New Hampshire.
The thumb drive contained unsecured electronic protected health information (ePHI) relating to the performance of Mohs surgery for about 2,200 patients. The thumb drive was stolen from the vehicle of one of APD’s employees. APD informed its patients of the theft of the thumb drive and provided a media notice.
HHS investigated and determined that APD had not conducted a timely, accurate and thorough analysis of the risks associated with potential exposure of the ePHI. HHS also determined that APD did not fully comply with the administrative requirements of HIPAA’s breach notification rule, which require written policies and procedures and employee training on breach notification. Finally, HHS determined that APD impermissibly disclosed ePHI, because the thief could access the data once APD failed to reasonably safeguard an unencrypted thumb drive.
HHS fined APD $150,000 and required APD’s execution of a Corrective Action Plan. The Corrective Action Plan requires APD to develop a comprehensive risk analysis and risk management plan to ensure future compliance with HIPAA and to periodically report to HHS the status of APD’s implementation of the plan. HHS released its right to take further action against APD, conditioned upon full compliance by APD with the Corrective Action Plan. See HHS Resolution Agreement.
“As we say in health care, an ounce of prevention is worth a pound of cure,” said HHS Office for Civil Rights Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.” See HHS Press Release.
Stolen electronic devices can be very costly. Lost or stolen smartphones, flash drives, backup media, laptops and tablets are common causes of ePHI HIPAA security breaches. Every medical practice should take HIPAA very seriously; HHS clearly does. It is a prudent business step for every healthcare business to engage a qualified consultant to audit and review HIPAA compliance procedures and ensure all proper steps are in place to safeguard ePHI. Best practices include:
1. Design and implement a comprehensive mobile/electronic device management policy
2. Identify and document every electronic device that may contain ePHI
3. Determine and document what ePHI is on each device
4. Assess all current measures in place to safeguard the ePHI, and the potential threats and level of risk associated with such electronic devices
5. Determine what steps are reasonably necessary to reduce or eliminate such risks
6. Document, document, document: Meticulously document all steps taken to ensure HIPAA compliance. Be able to show HHS your efforts to follow the law.
7. Where HIPAA compliance is concerned, it is much less expensive and easier to avoid a problem than to react to one. No medical practice should discount the business and economic risks associated with HIPAA noncompliance.
Atlanta/Augusta HIPAA compliance Law Firm
Our business and healthcare law firm represents health care providers with regard to HIPAA compliance issues and other business and healthcare law issues. Contact us at (404) 685-1662 (Atlanta) or (706) 722-7886.
*Disclaimer: Thoughts shared here do not constitute legal advice.