Willful Negligence of HIPAA Costs a Dermatology Company $150,000
On December 28, 2013, Concord, Massachusetts-based Adult & Pediatric Dermatology (APDerm) agreed to pay $150,000 to settle potential violations of HIPAA rules and agreed to implement corrective actions.
This organization lost ePHI for about 2,200 individuals that was stored on an unencrypted thumb drive. We have talked before about the dangers of thumb drives in the context of HIPAA. We have also noted other cases where companies were charged due to the loss of ePHI. The notable difference here is that the investigation showed that APDerm: (ref)
…had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
This settlement is the first ever for charges against a covered entity or business associate for failing to adopt required policies and procedures for breach notification. APDerm was willfully negligent in not bothering to develop and follow the required HIPAA policies and procedures and that negligence resulted in a breach.
What to expect going forward?
It has been projected by InformationWeek and Experian that 2014 will be notable for more and bigger breaches in patient privacy. The health care industry is so large and the HIPAA Omnibus rules are so new that a significant fraction of the industry is out of compliance. In fact, a significant fraction has no real idea of what they are supposed to be doing for compliance; they just have their heads down trying to do business as usual. Their heads poke out when something bad happens or when they finally get scared about their compliance exposure and the financial risk of non-compliance.
If just losing 1 thumb drive can cost your business $150,000 or more, the burdensome cost of compliance looks small compared to the devastating cost of failure.
Organizations are not used to the strongly tightened rules that went into effect in September 2013. Many of those that are aware are still scrambling to get things in order.
A majority of the breaches that have been reported to date result from negligence rather than hacking: for example, failure to activate protective software, failure to change default passwords, carelessly sharing passwords, not encrypting data that is being transported, and not using proper physical access controls. The doors to ePHI are often unlocked.
What is your Risk and Exposure?
One of the first things that every organization that deals with PHI must do is to perform a Risk Analysis. This is required by HIPAA and must be updated yearly.
- Where is your PHI kept?
- How does it come into your organization?
- Where does it leave your organization?
- How is it secured?
- Who has access?
- How is that access granted, revoked, and logged?
- How is it transported?
- What are all of the ways that it could be compromised in each situation (e.g. at rest and while being transported)?
- What are all of the things that can be done to mitigate risk of compromise in each case?
- How serious is each risk and how expensive is each mitigation method?
- What risks are you required to mitigate ASAP due to the HIPAA Security Rule (e.g. transport encryption for ePHI moving electronically, as in email or text messages)?
- What high-severity risks must you mitigate?
- Which lower-severity risks should you mitigate because the cost of doing so is reasonable, such that not mitigating them would be negligent?
Start with your Risk Analysis. Next, move on to Risk Mitigation and to all of the other required items under HIPAA, such as security training for all employees. If you are unsure what to do or where to start, there are also tools available to assist with managing and tracking your compliance.