The Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, following the accidental disclosure of the data of approximately 2,200 patients after a memory stick was stolen from the car of one of the center’s employees. The stolen thumb drive contained patient data and was not encrypted, meaning anyone in possession of the storage device has full access to the data it contains. The missing thumb drive has so far not been located.
Although the HIPAA breach involved a relatively small number of patients, the OCR has fined the dermatology clinic $150,000 for violating HIPAA regulations and failing to ensure the PHI of its patients was properly secured. The OCR has also ordered the clinic to conduct a full risk analysis to identify any remaining privacy and security issues and to develop a risk management plan to deal with any future security breaches.
The investigation conducted by the OCR highlighted a number of HIPAA privacy and security problems that would have been identified and addressed had a thorough risk analysis been conducted. The OCR also determined that the clinic had failed to implement the changes required under the HITECH Act (2009). While breach notification rules were followed, the legislation also requires a HIPAA covered entity to document data security procedures and policies as well as provide staff training on data security and privacy. This is the first time that the OCR has issued fines for policy and procedural failures regarding HIPAA breach notification rules.
This case has demonstrated that it is not only data breaches that can result in fines being issued, but also a failure to document policies and procedures. It is not sufficient for a healthcare organization to follow only some HIPAA security rules, such as issuing a breach notification; all HIPAA policies must be followed to the letter. The OCR is of the opinion that a failure to adhere to all aspects of HIPAA is negligence, and when there is negligence, financial penalties are certain to follow.
The OCR investigates all HIPAA breaches and if it is discovered that the security breach resulted from a failure to adhere to HIPAA guidelines, fines of up to $50,000 can be applied for each violation up to a total of $1.5 million.
This settlement should send a message to other healthcare organizations alerting them to the importance of conducting a full risk analysis of all IT systems, which should include any device or equipment that comes into contact with electronic protected health information. Mobile devices such as laptop computers, tablets and smartphones must be secured, and any ePHI stored on a hard drive, thumb drive or other digital storage medium must be encrypted to prevent accidental exposure if the device is lost, stolen or improperly accessed.