Stolen Thumb Drive Sets HIPAA Precedent

more+
less-

A Massachusetts dermatology practice, Adult & Pediatric Dermatology, P.C. ("APDerm") recently agreed to pay $150,000 to settle potential violations of HIPAA Privacy, Security, and Breach Notification Rules. The settlement was reached after a thumb drive containing unencrypted, electronic protected health information (ePHI) of approximately 2,200 patients was stolen from an APDerm employee's car.

While APDerm properly reported the incident to the Department of Health and Human Services Office for Civil Rights (OCR) in October 2011, OCR's subsequent investigation revealed APDerm: (1) did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities of the confidentiality of ePHI as part of its security management process until October 2012; (2) had no written policies and procedures regarding breach notification in place and did not train employees on breach notification requirements until February 2012; and (3) impermissibly disclosed ePHI of up to 2,200 individuals when it failed to reasonably safeguard the thumb drive.

In addition to the $150,000 payment, the settlement agreement requires APDerm to enter into and comply with a Corrective Action Plan (CAP). The CAP requires APDerm to conduct a comprehensive risk analysis of ePHI security risks among all of the practice's electronic systems within one year. Following the risk analysis, APDerm must develop a risk management plan to address and mitigate any security risks and, if necessary, revise its policies and procedures. APDerm's settlement with OCR for not having proper policies and procedures regarding breach notification requirements is the first of its kind.

What Providers Should Know

  • Covered entities should identify and document all information systems that contain ePHI. Covered entities should be sure to include in their risk analysis any hardware or software that is used to collect, store, process, or transmit ePHI.
  • Covered entities must document the risks and security controls that are in place to protect ePHI.
  • Covered entities should ensure that their breach policies and procedures are updated in accordance with the Omnibus Final Rule, particularly with regard to the four factor risk assessment.
  • Covered entities must train workforce members on breach notification and should retain all training documents for their records.