If you think your risk of incurring fines for violating the Health Insurance Portability and Accountability Act (HIPAA) is small, think again. The United States Department of Health and Human Services (HHS), through its Office for Civil Rights, is pursuing physician practice groups for HIPAA violations even when privacy and security measures are promptly put in place after a breach of unsecured electronic protected health information (ePHI).
Scenario:
In October 2011, Adult & Pediatric Dermatology, P.C. (APDerm) notified HHS that an unencrypted flash drive containing the ePHI of approximately 2,200 individuals, relating to Mohs surgery, had been stolen from the vehicle of one of its workforce members. The drive was never recovered. APDerm notified the affected patients within 30 days of the theft and provided media notice.
HHS Investigation & Results:
- APDerm did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to its ePHI as part of its security management process until October 1, 2012.
- APDerm did not have written policies and procedures, or workforce training, covering the breach notification requirements under HIPAA until February 7, 2012.
- APDerm impermissibly disclosed the ePHI of up to 2,200 individuals: by failing to reasonably safeguard the unencrypted thumb drive that was stolen, it gave an unauthorized individual access to the ePHI for a purpose not permitted by the HIPAA Privacy Rule.
Settlement:
On December 24, 2013, APDerm and HHS entered into a resolution agreement in which APDerm agreed to pay $150,000 to settle claims that it violated HIPAA, without admitting liability. APDerm also agreed to a corrective action plan to address the deficiencies in its HIPAA compliance program. The corrective action plan requires APDerm to develop a risk analysis and a risk management plan to address and mitigate any security risks and vulnerabilities, and to submit an implementation report to HHS. See the resolution agreement.
What You Should Do:
Now is a good time to review your practice's encryption procedures for portable devices and media, its internal controls over electronic devices, and its compliance program as a whole. ePHI encrypted in accordance with HHS guidance is treated as secured, so the loss of an encrypted drive would not have triggered the breach notification obligations that applied here. SKO can help ensure your compliance and the privacy of your clients. Contact Sarah Mills, David Lester, Harry Dadds or Wade Hendricks.