Stolen Thumb Drive Leads to $150,000 HIPAA Penalty
Another federal investigation of a relatively small breach has resulted in a financial penalty, this time for a physician group practice in Concord, Mass.
On Dec. 26, the Department of Health and Human Services’ Office for Civil Rights announced a $150,000 penalty as part of a resolution agreement with the practice.
The agreement also calls for a corrective action plan to address deficiencies in HIPAA compliance. This corrective action includes conducting a risk analysis and developing a risk management plan.
The clinic did not respond to a request for comment.
Details of Breach
In October 2011, the practice notified OCR that an unencrypted thumb drive containing the health information of about 2,200 individuals was stolen from the vehicle of one of its staff members, OCR reports. The thumb drive was never recovered.
OCR’s breach investigation revealed that the practice had not conducted an accurate and thorough risk analysis. According to OCR, this is the first HIPAA settlement that cites a covered entity for not complying fully with the requirements of the HIPAA breach notification rule, which stipulates having policies and procedures in place and training workforce members. This rule, which was recently updated, went into effect in September 2009 because of the HITECH Act.
This case illustrates OCR’s “continued emphasis on having a risk analysis,” says Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine. “What’s new is [the case also stresses] you need to have written policies, procedures and training in place with respect to breach notification. OCR does seem to be emphasizing the importance of having the systems in place, rather than just doing the breach reporting.”
“This settlement should serve as a wake-up call for other organizations,” says Mac McMillan, CEO of the consulting firm CynergisTek.
“Organizations, regardless of size, that act irresponsibly and put patient information at risk may be held accountable. Failure to analyze the risks associated with patient information in your possession is, at best, negligence, and OCR has said when negligence is spotted enforcement will follow.”
“The incident highlights the need for organizations to take two important breach prevention steps,” says McMillan. “Understand the risk in your computing environment, and that includes mobile devices or media. And if you’re going to put patient information on a mobile device or media, encrypt it.”
Two earlier cases last year also illustrate that federal investigations of relatively small breaches can lead to financial penalties.
In January 2013, Hospice of North Idaho agreed to pay a $50,000 penalty following the investigation of the theft of an unencrypted laptop computer that affected 441 individuals. This case was the first time a federal investigation of a health information breach that affected fewer than 500 individuals resulted in a financial penalty for HIPAA violations.
In May, Idaho State University agreed to pay $400,000 as part of a resolution agreement stemming from a breach affecting 17,500 patients at the university’s Pocatello Family Medicine Clinic. In this May 2011 incident, a server firewall was disabled, leaving patient information vulnerable for at least 10 months.
How are you protected from having a similar experience?
The Security Risk Analysis (SRA), as required under the HIPAA Security Rule, is a critical and foundational component of an effective risk management process. The consequence of not having a completed SRA is clearly illustrated in the “Details of Breach” portion of this article above.
A complete HIPAA Security Risk Analysis can cost a practice hundreds if not thousands of dollars through consultant services. We, however, can assist our clients with their SRA and help them address areas of concern in their organization affordably. Remember that a completed SRA is also a requirement for achieving “Meaningful Use” under the CMS EHR Incentive Program, so it is to your advantage to complete yours today. If you have any questions, please reach out to our support team and we’d be happy to help walk you through the process.