HHS Gives A Thumbs Down For Stolen Thumb Drive


On December 26, 2013, the U.S. Department of Health and Human Services Office for Civil Rights (HHS) announced that it had reached an agreement with a Northeastern dermatology practice to settle potential HIPAA violations arising from a 2011 theft of an unencrypted thumb drive containing patient information. This is HHS' first settlement with a covered entity arising from the failure to have policies in place to address the breach notification requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted in 2009.

On October 7, 2011, Adult & Pediatric Dermatology, P.C. (APD) notified HHS that an unencrypted thumb drive containing electronic protected health information (ePHI) of approximately 2,200 patients had been stolen from the car of one of APD’s workforce members. The thumb drive was never recovered. Even though APD notified its patients within 30 days of the theft and provided notice to the media as required by HITECH, HHS’ investigation found that APD did not conduct an accurate and thorough analysis of potential risks to the confidentiality of the ePHI until October 1, 2012. HHS further indicated that APD did not have written policies and train its workforce members on breach notification requirements until February 7, 2012.

Although the settlement was not an admission of liability, APD agreed to pay HHS $150,000. The settlement also obligates APD to implement a corrective action plan, which requires APD to conduct a risk analysis of the ePHI security risks for all of APD’s electronic media and systems, develop a risk management plan to mitigate security risks, revise its policies and procedures as necessary, and submit an implementation report to HHS for review and approval. The cost of complying with the corrective action plan is in addition to the settlement payment, and can be significant.

In light of HHS' increased focus on HIPAA compliance, covered entities and business associates should take the following steps to minimize the chances of impermissible disclosures of ePHI and any resulting enforcement action by HHS: 

1. Ensure that their privacy and security policies and procedures reflect the requirements of the HITECH Act and the HIPAA Omnibus Rule that was effective September 23, 2013.

2. At least annually conduct a thorough analysis to identify and mitigate security risks and vulnerabilities associated with ePHI and adopt or revise policies accordingly. For example, phones, laptops, tablets and similar devices may also contain ePHI, and a covered entity or business associate should include this consideration as part of its risk analysis.

3. Encrypt all portable storage devices, e.g., thumb drives or tablets, that contain ePHI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising

Written by:


Akerman LLP - Health Law Rx on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.