Covered Entity Fined $150,000 For Stolen Unencrypted Thumb Drive

Dentons

HHS recently announced that it fined a dermatology practice $150,000 for failing to reasonably safeguard an unencrypted thumb drive and failing to conduct an accurate and thorough risk analysis of electronic PHI. Additionally, the resolution agreement stated the dermatology practice failed to fully comply with HITECH’s requirement to have written policies and procedures for breach notification. The fine stems from an unencrypted thumb drive which contained electronic PHI of approximately 2200 patients. It was stolen from an employee’s unattended vehicle and never recovered. This is another reminder to covered entities and business associates that you must conduct a risk assessment of electronic PHI and document your findings and resolutions.

Additionally, while encryption is not required by the HIPAA Security Rule, recent HHS enforcement activity suggests an expectation by HHS that electronic PHI be encrypted. Covered entities and business associates that are not using encryption should be prepared to demonstrate the other safeguards they have implemented as an alternative to encryption, and to document these alternatives in their risk assessments and written policies and procedures. Had the thumb drive in this case been encrypted, no breach would have occurred and the dermatology practice would have avoided the HHS investigation. A copy of the resolution agreement is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising

Written by:

Dentons