Health Care Entity Pays $150,000 to HHS as a Result of Stolen Thumb Drive Containing PHI
Encrypting USB drives, analyzing security risks, and implementing breach notification policies and procedures could mean the difference between compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and significant HIPAA penalties. Adult & Pediatric Dermatology, P.C. (“APDerm”), a Massachusetts dermatology practice, learned this lesson the hard way. APDerm reported that an unencrypted thumb drive containing the protected health information (“PHI”) of approximately 2,200 individuals was stolen from an APDerm staff member’s car.
APDerm has agreed to pay $150,000 to the Department of Health & Human Services (“HHS”) to settle alleged HIPAA violations, and as part of the settlement APDerm must also implement a corrective action plan to remedy deficiencies in its compliance plan. This settlement comes on the heels of other HHS settlements involving compromised PHI stored on data drives (late last year, HHS settled with a New York managed care plan for its failure to wipe PHI from leased copiers’ hard drives before returning them).
In announcing the settlement, HHS stated, “[t]his case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act.”
HHS found that APDerm failed to adequately assess the risks associated with its storage of PHI. Moreover, APDerm had no breach notification protocol in place and did not train its employees on the proper response when faced with a breach of PHI.
The list below contains policies and procedures that health care entities should consider implementing to avoid or mitigate breaches under HIPAA. It is only intended as a summary and does not constitute legal advice. Health care entities should consult with an experienced attorney for advice on specific circumstances.
- Encrypt Data: Encrypting data renders it unreadable to anyone without the key. Where PHI is unreadable, its loss or theft is not a breach under HIPAA.
- Assess Risks: Health care entities should assess risks to PHI. Evaluating whether PHI is stored on unencrypted devices, such as thumb drives or phones, is essential to properly managing the risk of breaches.
- Institute Policies and Procedures to Safeguard PHI: Physicians and non-medical staff should know what kinds of activities are acceptable (e.g., encrypting patient information) versus those that are not (e.g., leaving a computer with PHI stored on it in a public area).
- Understand Reporting Obligations: HITECH requires breach notification to individuals, the Secretary of HHS, and possibly the media under certain circumstances within mandated time periods.
- Provide Policies and Procedures and Training for Employees: Employees should be aware of the health care entity’s obligations under the law so they can adequately address any breaches or required notifications as they arise.
Leon Rodriguez, Director of the HHS Office for Civil Rights, stated that a good risk management program is about “identifying and mitigating the risk before a bad thing happens.” He went on to say that, “[c]overed entities of all sizes need to give priority to securing electronic protected health information.”
The Health Law Gurus™ will continue to follow HHS enforcement of the HIPAA rules. We encourage you to share your experiences and thoughts about HIPAA and HITECH with us and our readers in the comments section below.