A dermatology practice called Adult & Pediatric Dermatology, P.C. (“Covered Entity”) reported a security breach as required by the Health Insurance Portability and Accountability Act (“HIPAA”) to the Department of Health and Human Services (“HHS”) on October 7, 2011. The Covered Entity reported that an unencrypted thumb drive was stolen from the vehicle of a member of its workforce, and that the drive contained the protected health information (“PHI”) of approximately 2,200 individuals. The thumb drive was never recovered. The Covered Entity notified the impacted patients of the theft as required by applicable law, and provided notice to HHS in accordance with the breach notification rules under HIPAA / HITECH.
As is often the case, HHS decided to investigate the Covered Entity following notice of the security breach. The HHS investigation revealed:
- The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security process until October 2012.
- The Covered Entity did not fully comply with the requirements of the HIPAA breach notification rules because it did not have written policies and procedures regarding its breach notification process, nor did it train members of its workforce regarding the breach notice requirements until February 2012.
- On September 14, 2011, the Covered Entity impermissibly disclosed the PHI of 2,200 individuals by permitting an unauthorized individual access to the PHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one of its workforce members.
The Covered Entity agreed to pay HHS $150,000 to resolve the investigation, and agreed to enter into and comply with a Corrective Action Plan.
Sometimes, the fine is not as significant as the ongoing cost of the corrective actions required by the regulators. Here, the agreed-upon Corrective Action Plan gives the Covered Entity one year to conduct a comprehensive risk analysis of its security risks and vulnerabilities that incorporates all of the Covered Entity’s electronic media and systems, and to develop a risk management plan to address and mitigate the risks and vulnerabilities identified. The risk analysis, risk management plan, and any revised policies and procedures must be forwarded to the HHS Office of Civil Rights (“OCR”) for review and approval within 60 days of the date completed by the Covered Entity. OCR will review the submission and may require revisions. Upon approval by OCR, the Covered Entity must train its workforce on the revised policies and procedures within 30 calendar days. During the time period covered by the Corrective Action Plan, if any workforce member fails to comply with the policies and procedures, the Covered Entity must investigate and report such noncompliance to OCR, including any actions taken by the Covered Entity to mitigate the resulting harm and to prevent recurrence.
Ultimately, the Covered Entity must provide OCR with an Implementation Report describing how the Covered Entity implemented its security management process, and an attestation from an officer of the Covered Entity that any revisions required by OCR were fully implemented and its workforce members were completely trained. An uncured breach of the Corrective Action Plan can lead to the imposition of Civil Monetary Penalties.