The Department of Health and Human Services (HHS) announced on December 27th that Adult & Pediatric Dermatology, P.C., of Concord, Mass. (APDerm), agreed to pay $150,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules.
What was the incident?
APDerm was investigated by the HHS Office for Civil Rights (OCR) after it reported that an unencrypted thumb drive had been stolen from a vehicle.
The thumb drive contained the protected health information (PHI) of approximately 2,000 individuals. The data stolen included digital photographs of surgical skin cancer procedures, operation reports and copies of consultation letters to referring doctors.
Key weaknesses cited included the absence of written policies and procedures, inadequate training for employees, and the failure to perform an adequate risk assessment.
Taking work home on a thumb drive may seem like a good idea for productivity, but carrying unencrypted patient information outside the office can have significant consequences. The same applies to paper copies of patient information, which cannot be encrypted at all.
What actions should we take?
1) Perform a risk assessment and keep it in writing. Your risk matrix should consider threats, vulnerabilities, likelihood, frequency, impacts, and current mitigations, and it should be revisited whenever systems or workflows change.
2) Get your policies and procedures in place. Make certain these address not only the HIPAA requirements but practical instructions for your employees in their daily communication and work processes.
3) Train employees on your privacy and security policies. Social engineering awareness is important. Train employees to alert the privacy officer or security officer immediately if a computer, smartphone, or thumb drive is lost or stolen; the breach notification clock runs from the date the breach is discovered, so delays in reporting eat into the time you have to respond.
4) Don’t take patient information on the road or bring it home with you unless the laptop or thumb drive it lives on is encrypted. Better still, keep it at the office and access it remotely through a VPN or a secure cloud service. Under HHS guidance, PHI encrypted in line with the referenced NIST recommendations is not “unsecured PHI”, so losing an encrypted drive is not a reportable breach, provided the decryption key was not lost along with it.
5) Make certain your disclosure tracking, breach risk assessment, and breach notification processes are up to date. Under the HIPAA Omnibus Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment (covering the nature and extent of the PHI involved, the unauthorized person who received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated) demonstrates a low probability that the PHI has been compromised.