On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.
In 2011, the Practice notified OCR that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals was stolen from a staff member’s vehicle. OCR launched a subsequent investigation and found that the Practice had failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of confidential ePHI as part of its security management process. Further, the Practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
The Final Omnibus Rule has been discussed at length on this blog and compliance was mandated by September 23, 2013. Providers should already have policies and procedures implemented to correspond with the Final Rule, reflect current technology, and address ePHI. The OCR’s December settlement, however, serves as a startling reminder that providers of every size are being audited. No entity is too small and medical practice practitioners are gravely mistaken if they think they are off OCR’s radar.
The importance of HIPAA risk analysis cannot be stressed enough. The Practice failed to have a risk analysis and paid the costly consequences. Not only is an analysis required as the first step in HIPAA Security Rule compliance, but it is also a Core Measure of Stage 1 and 2 “Meaningful Use.”
The Practice’s troubles began over a lost thumb drive. Does your practice use thumb drives? How about laptops? Mobile phones? Have you accounted for the use and misuse of these devices in your HIPAA risk analysis?Originating Source