Another federal investigation of a relatively small breach has resulted in a financial penalty, this time for a physician group practice in Concord, Mass.
On Dec. 26, the Department of Health and Human Services' Office for Civil Rights announced a $150,000 penalty as part of a resolution agreement with the practice.
The agreement also calls for a corrective action plan to address deficiencies in HIPAA compliance. This corrective action includes conducting a risk analysis and developing a risk management plan.
The clinic did not respond to a request for comment.
Details of Breach
In October 2011, the practice notified OCR that an unencrypted thumb drive containing the health information of about 2,200 individuals was stolen from the vehicle of one of its staff members, OCR reports. The thumb drive was never recovered.
OCR's breach investigation revealed that the practice had not conducted an accurate and thorough risk analysis. According to OCR, this is the first HIPAA settlement that cites a covered entity for not complying fully with the requirements of the HIPAA breach notification rule, which stipulates having policies and procedures in place and training workforce members. This rule, which was recently updated, went into effect in September 2009 because of the HITECH Act.
This case illustrates OCR's "continued emphasis on having a risk analysis," says Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine. "What's new is [the case also stresses] you need to have written policies, procedures and training in place with respect to breach notification. OCR does seem to be emphasizing the importance of having the systems in place, rather than just doing the breach reporting."
"This settlement should serve as a wake-up call for other organizations," says Mac McMillan, CEO of the consulting firm CynergisTek.
"Organizations, regardless of size, that act irresponsibly and put patient information at risk may be held accountable. Failure to analyze the risks associated with patient information in your possession is, at best, negligence, and OCR has said when negligence is spotted enforcement will follow."
"The incident highlights the need for organizations to take two important breach prevention steps," says McMillan. "Understand the risk in your computing environment and that includes mobile devices or media. And if you're going to put patient information on a mobile device or media, encrypt it."
Two earlier cases last year also illustrate that federal investigations of relatively small breaches can lead to financial penalties.
In January 2013, Hospice of North Idaho agreed to pay a $50,000 penalty following the investigation of the theft of an unencrypted laptop computer that affected 441 individuals. This case was the first time a federal investigation of a health information breach that affected fewer than 500 individuals resulted in a financial penalty for HIPAA violations.
In May, Idaho State University agreed to pay $400,000 as part of a resolution agreement stemming from a breach affecting 17,500 patients at the university's Pocatello Family Medicine Clinic. In this May 2011 incident, a server firewall was disabled, leaving patient information vulnerable for at least 10 months.
How are you protected from having a similar experience?
The Security Risk Analysis (SRA), as required under the HIPAA Security Rule, is a critical and foundational component of an effective risk management process. The consequence of not having a completed SRA is clearly illustrated in the "Details of Breach" portion of this article above.
A complete HIPAA Security Risk Analysis can cost a practice hundreds if not thousands of dollars through consultant services. We, however, can assist our clients with their SRA and help them address areas of concern in their organization affordably. Remember that a completed SRA is also a requirement for achieving "Meaningful Use" under the CMS EHR Incentive Program, so it is to your advantage to complete yours today. If you have any questions, please reach out to our support team and we'd be happy to help walk you through the process.