How a stolen USB memory stick led to $150k HIPAA settlement for a small practice

As we start 2014, HIPAA compliance remains an important and ongoing concern for dental practices large and small. Last year was an active one for publicized security breaches and, despite frequent admonitions from the gurus, all signs point to more HIPAA news for the coming year.


Many security breaches happened as a result of relatively mundane situations made worse by a lack of properly implemented security controls. One common culprit is encryption (or more precisely, lack thereof), which remains an under-implemented safeguard no matter an organization’s size or sophistication. This is especially true for portable devices such as USB memory sticks, external hard drives, smartphones, tablets, and others.

Case in point: In late 2011, a small dermatology practice based in Massachusetts notified the Department of Health and Human Services (HHS) following the theft of an unencrypted USB memory drive containing electronic protected health information (ePHI) of about 2,200 individuals.

Though there is no evidence that the ePHI on the USB device was accessed or disclosed by an unauthorized person, HHS announced at the end of 2013 a $150,000 settlement with the practice for alleged HIPAA violations discovered during the investigation that followed the reported breach. The proposed settlement also included an aggressive corrective action plan (CAP) to bring the practice into compliance.

Unfortunately for the practice, the investigation following the breach uncovered additional alleged HIPAA violations, and these findings ultimately led to the costly settlement.

Did you notice how things escalated once this incident came to the regulators’ attention? HIPAA breaches are like that: the initial incident draws scrutiny, and the investigation that follows turns up everything else. It is a reminder to invest the time and resources in compliance before an incident, not after. Whether it’s portable storage devices, copier machines, or laptops, nothing is immaterial when it comes to safeguarding sensitive patient data.


What can your organization do to avoid a similar outcome?
• Conduct a review of the types of portable devices (USB drives, external hard drives, laptops, tablets, smartphones) you use to store PHI. Are these devices properly encrypted? If not, are the files encrypted?
• Ensure documented policies and procedures are in place, being followed, and reflect actual practices.
• Make sure to regularly train your workforce on all relevant HIPAA compliance topics.
• Regularly review your organization’s portable devices to ensure encryption is installed and operational.
• Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities, and controls have been considered.

Adam Stone, CIPP/US, CISSP, ISSMP, is a HIPAA data privacy and security consultant with Clearwater Compliance, LLC. Clearwater Compliance is about helping health care organizations and their service providers become and remain HIPAA-HITECH Compliant. Visit the Clearwater Compliance website at clearwatercompliance.com.
