It’s happened to most of us: we’ve walked out to our car after a night out on the town to find that someone has broken into our vehicle. For the average Joe, it turns into an annoying few days of filing a police report, replacing missing personal items, and making an undesired trip to the dealership for a new window. Unfortunately for a small dermatology organization, the break-in of an employee’s personal vehicle resulted in a stolen USB drive and a $150,000 settlement for HIPAA violations.
On December 26, 2013, the US Department of Health and Human Services released a report outlining the dermatology clinic’s agreement to settle the potential HIPAA violations as the result of a stolen USB drive that contained the protected health information of 2,200 individuals. While the USB stick did not contain sensitive financial or personal information, it contained operation reports, pictures of cancer procedures, and consultation letters that are protected under the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.
This occurrence prompted an investigation by the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) into the dermatology clinic’s efforts to be HIPAA compliant. They found that, while the dermatology clinic did follow the corrective steps necessary upon the breach of information, it had not properly assessed the potential risks to information confidentiality and did not have written policies and procedures in place in the event of a breach. The OCR found that the dermatology clinic was not in compliance with HIPAA under the Breach Notification Rule.
According to the OCR Director, Leon Rodriguez,
“That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
Although this was not the largest settlement for HIPAA violations recently, it is the first settlement for not having specific policies and procedures in place to address what would happen in the event of an information breach. The settlement provides another harsh lesson for health care providers, and insight into the direction the OCR may be trending for future audits and investigations. As 2013 came to a close and as we’ve moved into 2014, consumer information privacy has been at the forefront of public concern. The settlement sends a message to other healthcare providers that the OCR is focusing on the measures taken to prevent breaches of information security – not just the breaches themselves. On a more macro level, the OCR is zeroing in on what it means to have a proactive approach to policies and procedures management in response to trending consumer information concerns.
What does this mean for healthcare practitioners? First, compliance is moving away from what hardware is used, toward a proactive approach to how protected data touches hardware and is stored. We saw a major example of this in August 2013 when a non-profit health plan settled with the OCR for $1.2 million over a photocopier that was storing protected data. Healthcare providers will have to perform a risk analysis of their current data situation by assessing their current standards. From that risk analysis, they must create clear written policies and procedures to be followed in the event of a breach. This information must be actively distributed, employees must acknowledge it and be trained on it, and the procedures must be executed in the event of a breach.
Secondly, healthcare providers must keep in mind that there is a delicate balance between patient privacy and innovation. By over-applying HIPAA policies in practice, providers can actually hurt patients through reduced innovation. Effective and up-to-date compliance teams are going to be absolutely key to HIPAA compliance. Those teams must be outfitted with the necessary tools to create policies and procedures that are exactly in line with HIPAA standards without being so overbearing that they stifle the innovations that differentiate one provider from another.
In conclusion, the settlement provided a brief insight into the direction the OCR is taking towards HIPAA compliance in 2014. For one small dermatology organization, it was a harsh lesson in policies and procedures compliance.