If you lose a 16GB portable flash drive, you can purchase a replacement through Amazon for $10. However, if that flash drive happened to contain the electronic protected health information (“ePHI”) of patients of your practice, that missing flash drive could cost you $150,000.
On October 7, 2011, Adult & Pediatric Dermatology, P.C. (the “Practice”), located in New Hampshire, notified the Department of Health and Human Services (“HHS”) regarding a breach of its unsecured ePHI. Specifically, an unencrypted thumb drive containing ePHI relating to the performance of Mohs surgery (commonly used to treat skin cancer) on approximately 2,200 individuals was stolen from the vehicle of one of the Practice’s workforce members. The thumb drive was never recovered. The Practice notified its patients within 30 days of the theft and provided media notice, as required under the Health Insurance Portability and Accountability Act (“HIPAA”) rules.
On November 9, 2011, the HHS Office for Civil Rights (“OCR”) notified the Practice that it was launching an investigation into the Practice’s compliance with the privacy, security, and breach notification rules under HIPAA. The investigation revealed that the Practice had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, OCR found that the Practice did not have written policies and procedures in place to train workforce members, particularly on breach notification.
Two years later, on December 27, 2013, the Practice agreed to settle potential violations of the HIPAA Rules for $150,000. In addition to suffering reputational harm associated with a breach, the Practice must now submit to a corrective action plan and provide periodic implementation reports to OCR.
This historical case marks the first settlement with a covered entity for not having HIPAA policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
When was the last time that your practice conducted and documented a risk assessment to identify the risks and vulnerabilities to its ePHI? When was the last time you reviewed your written HIPAA policies and procedures? Now may be the time to review them to see whether they permit employees to store and carry ePHI on unencrypted flash drives, and perhaps revise them accordingly. The HIPAA Rules can be difficult to analyze. Please feel free to contact The Bittinger Law Firm with your HIPAA questions and concerns. We can assist in performing the risk assessment and documenting it according to the Rules, at a cost far below the hefty fine in this case. Start 2014 out right by proactively reviewing your HIPAA policies and procedures; you might just save your practice $150,000.