This post has been updated with an official company statement below.
Adult & Pediatric Dermatology of Concord, MA has agreed to pay a $150,000 HIPAA fine as a result of an HHS Office for Civil Rights (OCR) investigation. The 12-physician practice was investigated by OCR after it reported the loss of an unencrypted thumb drive containing the electronic protected health information (ePHI) of 2,200 individuals.
According to the OCR Resolution Agreement, the investigation revealed:
(1) The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.
(2) The Covered Entity did not fully comply with the administrative requirements of the Breach Notification Rule to have written policies and procedures and train members of its workforce regarding the Breach Notification requirements.
(3) On September 14, 2011, the Covered Entity impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one of its workforce members.
OCR Director Leon Rodriguez made an interesting comment about Adult & Pediatric Dermatology, but all organizations should heed his advice (emphasis added):
“As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
In the OCR press release, they point out that the organization received the HIPAA fine for not having breach notification policies and procedures:
This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
There are a few very important takeaways from this story.
- Make sure your organization performs a thorough HIPAA risk assessment. Make sure the risk assessment looks at all sources/systems/devices that contain patient information and ePHI. Document the results of the risk assessment and put together a plan to implement additional safeguards to protect ePHI.
- Make sure you have an incident response plan in place that spells out what your organization will do in the event of a security breach. The plan should identify who will be involved in responding to a breach, the steps the incident response team will take to address it, and the actions the team will take to prevent a similar breach from occurring again. Make sure the plan is documented and that all employees are trained on what they need to do.
- Encrypt all portable devices that contain ePHI! An organization should look at encrypting laptops, USB drives, thumb drives, tablets, smartphones, etc. Portable devices are easily lost or stolen. Encrypting the data is the best way to protect these devices and minimize the risk of a security breach.
We have received the following from an Adult & Pediatric Dermatology spokesperson, who said it represents an official company statement:
This statement was released on Friday by APDerm in regards to their settlement with HHS.
Statement from Adult and Pediatric Dermatology
December 27, 2013 – Along with protecting our patients’ health and safety, protecting their privacy is our highest priority. In 2011, we were victims of a crime and a computer flash drive was stolen. The stolen information did not include any financial information or sensitive health information. We reached out to every patient that may have been affected and have worked diligently to put measures in place to ensure the safety and security of our patients’ information.
Today’s settlement announcement was a result of the 2011 incident. We are disappointed with the amount of the settlement given that the flash drive was never used to anyone’s knowledge, nor did it contain financial information that could be used to harm anyone. We have agreed to pay the settlement amount rather than incur the additional costs of a hearing.
Understand a HIPAA Risk Assessment
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.