Lessons Learned from a $150,000 HIPAA Penalty

Small Thumb Drive Brings Large HIPAA Penalty

By Mike Semel
Blog: 4Medapproved.com/HITSecurity
Twitter: @SemelConsulting

My late uncle would not understand the latest HIPAA penalty for the loss of 2,200 patient records, which in his office were paper and would have weighed over 1,000 lbs. He was a doctor, who died 20 years ago, when stealing 2,200 patient records would have taken two men and a truck. Fast forward to 2013, when it took just seconds for a medical practice to break the law by losing 2,200 records on a thumb drive that weighed just a few ounces.

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to a $150,000 HIPAA penalty after an unencrypted thumb drive was stolen from a vehicle owned by one of its employees. The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) said the HIPAA penalty was not just for losing the thumb drive (accidents happen) but because the practice had not identified the thumb drive in a HIPAA risk analysis and had not managed the risk to protect its patients’ data.

“As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez, a former federal prosecutor. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”

Some questions that should be asked about this HIPAA penalty:

  1. Was it necessary for the data to be on that thumb drive?
  2. Who authorized the copying of patient data to the thumb drive and who knew it was there?
  3. Why wasn’t the data encrypted to protect the data, the patients, and the practice?
  4. Why wasn’t the thumb drive identified in APDerm’s HIPAA and Meaningful Use risk analysis?

Many practices think that all of their protected information is in their EHR system, and are surprised to learn that any file that is identifiable and contains diagnostic or treatment information is protected. This includes letters, spreadsheets and reports, faxes and scanned images, voice files, medical images and photographs, on any device, including on the hard disk drives hidden within their copiers. Practices risk a large HIPAA penalty simply because they do not recognize their risks and do nothing to protect data outside of their EHR system.

It is far too easy to transfer large amounts of patient data onto unencrypted portable devices. We recently conducted Security Risk Analyses for practices attesting for Meaningful Use money, and found protected patient data all over the place—on unencrypted portable devices like laptops, thumb drives, smart phones, and voice recorders; in the Cloud in unsecure and non-compliant (and sometimes free) e-mail, texting, and file sharing services; and with vendors, many of which had not signed Business Associate Agreements.

Encrypting data allows you to avoid a HIPAA penalty because the HIPAA Breach Notification Rule says you do not have to report the loss of encrypted data. Encryption costs a lot less than notifying patients, facing government investigations and lawsuits, and paying for things like credit monitoring for all of your patients.

Lessons to prevent a large HIPAA penalty

  1. Don’t export protected data from your secure EHR system. If you need the information outside of the office, use secure remote access tools that let you see the data without transferring the information (and a ton of risk) to a remote or portable device.
  2. Your EHR system was built from the ground up with security and compliance in mind. Even in a small practice you should have a strict policy requiring prior authorization to export data from your EHR system. Your network and portable devices must be professionally managed to ensure that all protected data is secure and that access is tracked according to HIPAA. Rules should apply to everyone. Doctors and executives should not be exempt.
  3. ENCRYPTION should be used to protect data on ALL devices – portable and stationary. Everyone knows that a thumb drive is easily lost or stolen. You would be surprised at how many reportable breaches occur from desktop PCs and servers stolen from offices. Encrypt everything and avoid a HIPAA penalty.
  4. Many of the Meaningful Use Risk Analyses we have seen completely miss critical risks. Have a risk analysis conducted by a professional rather than doing one yourself and risking a HIPAA penalty. Just like referring a patient to a health care specialist, using a certified compliance expert will identify problems and solutions that you may miss, perhaps with disastrous results.

The Office of the National Coordinator (ONC) that manages the Meaningful Use incentive program says that you should use an experienced outsourced professional if you want a risk analysis that will stand up to a compliance review.

It is a lot less expensive to prevent a breach than to react to one. Learn from someone else’s expensive and embarrassing HIPAA penalty so you don’t have to deal with your own. Contact 4MedApproved for more information.

This article was originally published on 4Medapproved and is republished here with permission.