Small physician practices should have received a wake-up call with the most recent fine announced by the Office of Civil Rights HIPAA enforcement division which shows that the feds are going to go after small practices for technical violations, even if no patient data was misused.
The official press release states:
Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).
The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
“As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.
The important points that can be inferred from the press release?
1. The practice did not have a written risk analysis in place and regularly updated.
2. The practice did not have a formal risk and security plan.
3. The practice did not have an adequate breach response plan in place meeting the HITECH requirements.
4. The practice did not train its employees on the HIPAA requirements and the practice policies and plans.
HealthITSecurity.com reported that the firm of 12 physicians reported that 2200 records were on the stolen USB stick, and that the information in the files contained information about procedures and photos of patient cancers and procedures, there was not any financial data or social security numbers at risk. They also indicated that no known fraudulent use or disclosure of the data resulted.
In addition, anyone familiar with HIPAA would have to ask:
- Why were they transporting more than 2000 patient records outside of the office on a USB stick?
- Why wasn’t the USB stick encrypted?
- Why didn’t the practice immediately involve legal assistance to assure compliance with the notification requirements?
- And…they had cyber-insurance, right?
The practice statement reportedly indicated that the case was settled to avoid protracted litigation, according to the HealthITSecurity website article.
UPDATE 12/30 AT THE REQUEST OF THE PRACTICE:
Statement from Adult and Pediatric Dermatology
December 27, 2013 – Along with protecting our patients’ health and safety, protecting their privacy is our highest priority. In 2011, we were victims of a crime and a computer flash drive was stolen. The stolen information did not include any financial information or sensitive health information. We reached out to every patient that may have been affected and have worked diligently to put measures in place to ensure the safety and security of our patient’s information.
Today’s settlement announcement was as a result of the 2011 incident. We are disappointed with the amount of the settlement given that the flash drive was never used to anyone’s knowledge, nor did it contain financial information that could be used to harm anyone. We have agreed to pay the settlement amount rather than incur the additional costs of a hearing.
Physician practices need to start taking HIPAA seriously, because the bad guys will go after the soft targets, and right now, small to medium-sized pratices, clinics, and hospitals (and a few very large ones) are totally vulnerable. Worse yet, a majority of violations of HIPAA are internal and directly attributable to lack of policies, procedures, and training — mostly a result of never having conducted a risk assessment.
Stephen- do you have a program created for purchase that can guide us through?
I do not have program for small offices, but I am working on one due to the obvious need.