How a stolen USB memory stick led to $150k HIPAA settlement for a small practice

As we start 2014, HIPAA compliance remains an important and ongoing concern for dental practices large and small. Last year was an active one for publicized security breaches and, despite frequent admonitions from the gurus, all signs point to more HIPAA news for the coming year.


Many security breaches happened as a result of relatively mundane situations made worse by a lack of properly implemented security controls. One common culprit is encryption (or more precisely, lack thereof), which remains an under-implemented safeguard no matter an organization’s size or sophistication. This is especially true for portable devices such as USB memory sticks, external hard drives, smartphones, tablets, and others.

Case in point: In late 2011, a small dermatology practice based in Massachusetts notified the Department of Health and Human Services (HHS) following the theft of an unencrypted USB memory drive containing electronic protected health information (ePHI) of about 2,200 individuals.

Though there is no evidence that the ePHI on the USB device was accessed or disclosed by an unauthorized person, HHS announced at the end of 2013 a $150,000 settlement with the practice for alleged HIPAA violations discovered during the investigation that followed the reported breach. The proposed settlement also included an aggressive corrective action plan (CAP) to bring the practice into compliance.

Unfortunately for the practice, the investigation following the breach uncovered additional alleged HIPAA violations, and these findings ultimately led to the costly settlement.

Did you notice how things escalated once this incident came to the regulators’ attention? HIPAA breaches are like that: the initial loss triggers an investigation, and the investigation surfaces everything else. It is a reminder to invest the time and resources up front. Whether it’s portable storage devices, copier machines, or laptops, nothing is immaterial when it comes to safeguarding sensitive patient data.


What can your organization do to avoid a similar outcome?
• Conduct a review of the types of portable devices (USB drives, external hard drives, laptops, tablets, smartphones) you use to store PHI. Are these devices properly encrypted? If not, are the files on them encrypted?
• Ensure documented policies and procedures are in place, being followed, and reflect actual practices.
• Make sure to regularly train your workforce on all relevant HIPAA compliance topics.
• Regularly review your organization’s portable devices to ensure encryption is installed and operational.
• Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities, and controls have been considered.

Adam Stone, CIPP/US, CISSP, ISSMP, is a HIPAA data privacy and security consultant with Clearwater Compliance, LLC. Clearwater Compliance is about helping health care organizations and their service providers become and remain HIPAA-HITECH Compliant. Visit the Clearwater Compliance website at clearwatercompliance.com.
