2013 ended like it started – with OCR actively monitoring and enforcing health care provider HIPAA compliance. On December 26, 2013, OCR imposed a $150,000 penalty and a corrective action plan upon a Massachusetts dermatology physician practice arising out of a self-reported HIPAA breach. See Resolution Agreement.
In October 2011, Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts notified OCR that an unencrypted thumb drive containing the PHI of approximately 2,200 patients was stolen from the vehicle of a staff member. The thumb drive was never recovered.
OCR’s investigation revealed multiple HIPAA violations by the practice, including (1) failure to perform an accurate and thorough risk analysis of the potential risks and vulnerabilities to its ePHI, (2) failure to implement written HIPAA policies and procedures, and (3) failure to train workforce members on breach notification.
OCR Director Leon Rodriguez remarked: “As we say in health care, an ounce of prevention is worth a pound of cure. That is what good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
This most recent OCR enforcement action should serve as a reminder to all covered entities to take the following breach prevention precautions:
- Conduct a thorough and accurate risk analysis that includes all mobile devices and media.
- Encrypt all mobile devices and media that contain PHI.
- Implement written HIPAA policies and procedures.
- Train staff members on HIPAA compliance.