HHS recently announced that it fined a dermatology practice $150,000 for failing to reasonably safeguard an unencrypted thumb drive and for failing to conduct an accurate and thorough risk analysis of its electronic PHI. The resolution agreement also stated that the practice had not fully complied with HITECH's requirement to maintain written policies and procedures for breach notification. The fine stems from an unencrypted thumb drive containing the electronic PHI of approximately 2,200 patients. The drive was stolen from an employee's unattended vehicle and was never recovered. This is another reminder to covered entities and business associates that they must conduct a risk analysis of their electronic PHI and document both their findings and the steps taken to address them.
Additionally, while encryption is an "addressable" rather than a "required" implementation specification under the HIPAA Security Rule, recent HHS enforcement activity suggests that HHS expects electronic PHI to be encrypted, particularly on portable media that can be lost or stolen. Covered entities and business associates that are not using encryption should be prepared to demonstrate the equivalent alternative safeguards they have implemented, and should document both the decision not to encrypt and those alternatives in their risk analysis and written policies and procedures. Had the thumb drive in this case been encrypted in a manner consistent with HHS guidance, the theft would not have been a reportable breach and the dermatology practice would have avoided the HHS investigation. A copy of the resolution agreement is available here.