One day after Christmas, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced that a Massachusetts-based dermatology practice (Practice) agreed to a $150,000 payment and entered into a Resolution Agreement (Agreement) and Corrective Action Plan (CAP) with HHS related to an information security breach. The Agreement underscores the importance for all covered entities, no matter what size, to develop and maintain robust policies and procedures that comply with the HIPAA privacy, security and breach notification requirements.
In October 2011, the Practice self-reported to HHS that an unencrypted thumb drive that contained electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its workforce members. The Practice notified its patients of the theft within 30 days and provided notice to the media. The thumb drive was never recovered.
In November 2011, HHS notified the Practice that it was investigating its compliance with the HIPAA privacy, security and breach notification rules. As part of the HHS OCR investigation and highlighted in the Agreement, HHS noted that the Practice:
did not conduct an accurate and thorough analysis of potential risks and vulnerabilities with respect to its ePHI until October 2012 (one year after the breach); and
did not fully comply with the administrative requirements of the breach notification rules to have written policies and procedures and to train its workforce members on those requirements until February 2012 (four months after the breach).
In the press release announcing this settlement, HHS noted, “this case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions” as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The press release, Agreement and CAP can be retrieved here.
The CAP entered into by and between the Practice and HHS includes a detailed security management process that requires the medical practice to “conduct a comprehensive, organizational-wide risk analysis of the ePHI security risks and vulnerabilities that incorporates all of the Covered Entity’s electronic media and systems” and “develop a risk management plan to address and mitigate any security risks and vulnerabilities following the risk analysis…” The CAP also includes a section requiring the Practice to disclose certain reportable events and to submit an implementation report to the OCR.
The HHS announcement underscores the importance for all covered entities, no matter what size – private medical practice, academic medical center, community hospital, a university that includes a covered entity – to develop and maintain robust policies and procedures that comply with the HIPAA privacy, security and breach notification requirements. Covered entities must train their workforces on these policies and ensure that HIPAA compliance is part of an ongoing compliance program. The loss of a single unencrypted thumb drive resulted in serious consequences for this Practice, including a significant financial payment that its shareholders had to bear.