January 7, 2014

It's happened. The Office for Civil Rights has settled its first case with a medical practice for "not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA)." Press Release Available Here.

The Facts: A dermatology practice with 6 locations in New Hampshire and Massachusetts has agreed to pay the Office for Civil Rights $150,000 for potential violations of HIPAA. The practice came under investigation after it was reported to OCR that an unencrypted thumb drive containing data on 2,200 patients had been stolen from a staff member's vehicle. The thumb drive was not recovered.

In the press release OCR clearly indicates that it was not the theft of the thumb drive itself that created most of the exposure for the practice, but the practice's failure to adequately conduct the required "accurate and thorough analysis of the potential risks and vulnerabilities" to its electronic protected health information; in addition, "the Practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members."

OCR Director Leon Rodriguez added: "As we say in health care, an ounce of prevention is worth a pound of cure... That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."

Looking to start 2014 in compliance? I recommend you get started with a proper Breach Notification Policy, along with any other compliance documents you may be missing. Click here to check out available policies.