How to avoid the HHS ‘Wall of Shame’

Back in 2013 Adult & Pediatric Dermatology of Concord, Massachusetts, was hit with a $150,000 HIPAA fine for an unencrypted thumb drive that stored more than 2,200 patient records and was stolen from a staff member’s car. Not only did the dermatology group owe the hefty sum, it joined the ranks of healthcare providers listed on the Wall of Shame where security breaches are reported by the Department of Health and Human Services Department’s (HHS) Office of Civil Rights (OCR). OCR even issued a news release calling out APDerm’s violation of the HIPAA Privacy, Security and Breach Notification Rules.

APDerm earned the dubious honor of paying the first fine levied against a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Even though APDerm confirmed that the stolen thumb drive did not contain sensitive health or financial information, the news release spurred negative publicity with Google searches still linking APDerm to unwelcomed coverage of the incident.

By law, a medical practice must report lost or stolen electronic protected health information (ePHI) to patients within 60 days of discovery. Breaches of more than 500 individuals must be reported to the OCR within 60 days as well.

Upon notification, the OCR will conduct an investigation of the breach. In the case of APDerm, the OCR investigation concluded that the 12-physician group had failed to perform “an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI (electronic protected health information), as part of its security management process.”

According to the OCR’s news release, issued at the end of 2013, APDerm settled the HIPAA violation agreement but it didn’t end there. The release pointed out that APDerm had not mitigated the risks of ePHI exposure, such as encrypting mobile devices and thumb drives that stored ePHI. Further, APDerm did not have written policies and procedures in place, nor staff members trained on breach notification requirements of HITECH.

Next: Protect your practice

Protect your practice

All medical practices need to realize they are vulnerable. Mobile devices that house sensitive patient information can easily be lost or stolen, and practices should take steps to reduce risks by performing a risk assessment and identifying potential “leaks.” Here are a few very important takeaways from APDerm’s cautionary tale:

• Risk assessment - Make sure your organization performs a thorough HIPAA risk assessment. The risk assessment should look at all sources/systems/devices that contain patient information and ePHI. Document the results of the risk assessment and put together a plan to implement additional safeguards to protect ePHI.

• Response plan - Be sure to have an incident response plan in the event of a security breach. The plan should include who will be on the response team, what actions the team will take to address the breach, and what steps they’ll take to prevent another similar breach from occurring. Make sure the plan is documented and all employees are trained on what they need to do.

• Implement encryption - Medical practices need to understand that ePHI is extremely sensitive information. They need to safeguard this information. Any ePHI on laptops or portable media needs to be encrypted. Encryption is not expensive or difficult to implement and is the best way to ensure HIPAA security.

Breaches are happening every day and the reality is that a majority of HIPAA-related breaches are due to lost or stolen laptops, tablets and smartphones. Without these basic protections we are going to continue to hear about more HIPAA-related breaches - and medical practices ending up on the Wall of Shame.