The Office for Civil Rights has released a statement confirming that a settlement has been agreed with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts after the accidental disclosure of almost 2,200 patients after a memory stick was taken from the car of one of the center’s staff members. The stolen thumb drive stored patient data and was not encrypted, so anyone in possession of the device has complete access to the data it contained. The missing thumb drive has so far not been found.
Although the HIPAA violation involved a comparatively small number of patients, the OCR has fined the dermatology clinic $150,000 for breaching HIPAA regulations and failing to guarantee that the PHI of its patients was properly safe. The OCR has also mandated the clinic to carry out a full risk analysis to identify any remaining privacy and security weaknesses and to develop a risk management plan to deal with any future security violations.
The investigation carried out by the OCR emphasized a number of HIPAA privacy and security issues which should have been identified and addressed had a thorough risk analysis been completed. The OCR also found that the clinic had failed to implement the changes required under the HITCH Act (2009). While breach notification rules were adhered to, the legislation also requires a HIPAA covered body to document data security procedures and policies as well as provide employee training on data security and privacy. This is the first time that the OCR has issued financial penalties for policy and procedural failures regarding HIPAA breach notification regulations.
This case has shown that it is not only data breaches that can lead to fines being issued, but also a failure to document policies and procedures. It is not enough for a healthcare organization to follow only a selection of HIPAA security rules such as issuing a breach notification and all HIPAA policies must be strictly followed. The OCR is of the belief that a failure to adhere to all parts of HIPAA is negligence, and when there is negligence financial penalties are bound to follow.
The OCR examines all HIPAA breaches and if it is discovered that the security breach arose from a failure to adhere to HIPAA guidelines, penalties of up to $50,000 can be applied for each violation up to a total of $1.5 million.
This settlement should alert other healthcare organizations alerting them to the importance of completing a full risk analysis of all IT systems, which should include every device or piece of equipment that comes into contact with electronic protected health information. Mobile devices such as laptop computers, tablets, Smartphones must be secured, and any data recorded on a hard drive, thumb drive or other digital storage medium must have ePHI data encrypted to stop it being access if it device is lost or stolen.