Clinic Hit With $150,000 HIPAA Penalty
Breach Investigation Triggers Resolution Agreement
Another federal investigation of a relatively small breach has resulted in a financial penalty, this time for a physician group practice in Massachusetts.
The Department of Health and Human Services' Office for Civil Rights on Dec. 26 announced a resolution agreement with Adult & Pediatric Dermatology, P.C., of Concord, Mass.
In addition to a $150,000 penalty, the agreement calls for a corrective action plan to address deficiencies in HIPAA compliance. For example, it requires the clinic to conduct a risk analysis and develop a risk management plan.
The clinic did not respond to a request for comment.
Details of Breach
In October 2011, APDerm notified OCR that an unencrypted thumb drive containing health information on about 2,200 individuals was stolen from the vehicle of one of its staff members, OCR reports. The thumb drive was never recovered.
OCR's breach investigation revealed that the practice had not conducted an accurate and thorough risk analysis, the agency reports. Plus, OCR says this is the first HIPAA settlement that cites a covered entity for not fully complying with requirements of the HIPAA breach notification rule to have policies and procedures in place and train workforce members. That rule, which was recently updated, went into effect in September 2009 as a result of the HITECH Act.
This case illustrates OCR's "continued emphasis on having a risk analysis," says Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine. "What's new is [the case also stresses] you need to have written policies, procedures and training in place with respect to breach notification. OCR does seem to be emphasizing the importance of having the systems in place, rather than just doing the breach reporting."
This settlement should serve as a wake-up call for other organizations, says Mac McMillan, CEO of the consulting firm CynergisTek.
"Organizations, regardless of size, that act irresponsibly and put patient information at risk may be held accountable," he says. "Failure to analyze the risks associated with patient information in your possession is, at best, negligence, and OCR has said when negligence is spotted enforcement will follow."
The incident highlights the need for organizations to take two important breach prevention steps, the consultant says. "Understand the risk in your computing environment - and that includes mobile devices or media. And if you're going to put patient information on a mobile device or media, encrypt it."
Two earlier cases this year also illustrate that federal investigations of relatively small breaches can lead to financial penalties.
Back in January, Hospice of North Idaho agreed to pay a $50,000 penalty following the investigation of the theft of an unencrypted laptop computer that affected 441 individuals. This case was the first time a federal investigation of a health information breach that affected fewer than 500 individuals resulted in a financial penalty for HIPAA violations.
And in May, Idaho State University agreed to pay $400,000 as part of a resolution agreement stemming from a breach affecting 17,500 patients at the university's Pocatello Family Medicine Clinic. In this 2011 incident, patient information was vulnerable for at least 10 months because a firewall protecting a server was disabled.