A familiar story – small health care provider suffers a data breach affecting patient data, reports incident to the federal Office for Civil Rights (OCR) and winds up becoming subject to an OCR investigation that goes well beyond the breach itself, resulting in a significant settlement payment and corrective action plan.
In this case, a relatively small adult and pediatric dermatology practice in Concord, Massachusetts has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, agreeing to a $150,000 payment and a comprehensive corrective action plan that is subject to OCR review.
So what did OCR allege the provider did wrong that led to this settlement and corrective action plan?
By way of background, on October 7, 2011, the provider reported to HHS a breach of its unsecured electronic protected health information (ePHI) that resulted when an unencrypted thumb drive that stored ePHI concerning surgeries of approximately 2,200 individuals was stolen from an employee’s car. The provider notified its patients within 30 days of the theft and provided media notice. On November 9, 2011, HHS notified the provider that OCR intended to investigate the provider’s compliance with the Privacy, Security, and Breach Notification Rules.
Providers and other covered entities need to realize that if they experience an unexpected theft or other event that results in a reportable breach, it may very well open them up to a compliance review by the OCR.
What potential violations of HIPAA did the OCR allege based on its investigation?
- The provider did not conduct an accurate risk assessment until October 1, 2012.
- The provider did not fully comply with the Breach Notification Rule, which includes having written policies and procedures and training workforce members regarding those policies and procedures until February 7, 2012.
- The provider failed to reasonably safeguard the thumb drive that wound up being stolen.
Thus, the issue seems to be not so much whether the covered entities appropriately responded to the breach at hand, but whether they were compliant with the Privacy, Security, and Breach Notification Rules prior to the incident and could have avoided the breach. As suggested here, taking compliance steps after the incident will not shield the covered entity from OCR enforcement, although it may have softened the blow.
Lesson for providers and other covered entities: Don’t wait until you lose a thumb drive before getting compliant.