HIPAA brings big penalties to the smallest of devices. A dermatology practice agreed to pay $150,000 to the government after an unencrypted USB drive containing PHI for 2,200 people was stolen from an employee’s vehicle.
The Department of Health and Human Services Office of Civil Rights (OCR) found that the dermatology company violated HIPAA by:
- failing to conduct a sufficient security analysis of potential threats to ePHI; and
- failing to have policies, procedures or training in place to comply with the Breach Notification Rule (and failing to report the lost thumb drive as a breach)
About the incident, OCR Director Leon Rodriguez said: “As we say in health care, an ounce of prevention is worth a pound of cure…That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
Lesson learned: While the dermatology practice paid heavily for this mistake, you don’t have to. Take Rodriguez’s advice, plan ahead, and follow MPA’s tips to keep this from happening to you:
- Address portable devices—including flash drives—in your HIPAA Security risk assessment, and update the assessment whenever you introduce new forms of electronic media.
- Implement policies and procedures for permissible uses of portable devices. If they contain ePHI, they should be encrypted.
- Create policies for if/when employees can take work home—especially when that work involves PHI.
- Make sure Breach Notification Rule policies and procedures are in place, and that employees are trained to identify potential breaches and notify management of them.
- Train employees on your new policies and make sure everyone understands that a flash drive containing ePHI must be protected just like the computer it came from.
Stay HIPAA compliant with MPA’s HIPAA Guidance.