
Adult & Pediatric Dermatology Fined $150,000 For Lost Thumb Drive

Recently a dermatology practice learned that something so small could be very costly.

Adult & Pediatric Dermatology, P.C., of Concord, Mass., lost a thumb drive. That wouldn’t seem like a huge deal, except that this particular thumb drive was unencrypted and contained the electronic protected health information of about 2,200 individuals.

The US Department of Health and Human Services Office for Civil Rights received a report that the thumb drive had been stolen from an APDerm employee’s vehicle and was never recovered. After conducting its investigation, OCR and APDerm agreed to a $150,000 penalty. APDerm received this HIPAA penalty not only because it lost the thumb drive, but also because the practice had never identified the device in a HIPAA risk analysis, nor had it managed that risk so its patients’ data was protected.

Besides paying the $150,000, APDerm was given a corrective action plan that requires it to develop a risk analysis and risk management plan addressing and mitigating any security risks and vulnerabilities, and it must give OCR an implementation report once the plan is completed.

There are three ways this practice could have prevented this from happening:

  1. Don’t put your protected data onto a remote or portable device since those can be easily lost or stolen. Use a secure remote access tool if you need the information outside of your office.
  2. Encrypt all of your data to protect your patients and your practice. Use encryption for all devices, portable and stationary.
  3. Have a risk analysis done by a professional. It’s cheaper to hire a professional to do the analysis for you than to do it yourself and risk receiving a HIPAA penalty.

If you’re a healthcare provider, be sure to follow these steps. If not, you risk following in the footsteps of APDerm and costing your practice a great deal of money and time, as well as its reputation, over something as small as a thumb drive.


WellPoint Agrees To Pay HHS $1.7 Million For Leaving Information Accessible Over Internet

According to the U.S. Department of Health and Human Services (HHS), WellPoint Inc. has agreed to pay $1.7 million to settle potential violations of the HIPAA Security and Privacy Rules. You can read more about it here.

HHS hopes that this case and other recent cases send an important message to all HIPAA covered entities: take extensive measures to ensure data privacy and security when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that house consumers’ electronic medical records.

If you are going to be implementing changes to your information systems and want to make sure that you stay compliant and minimize the risk associated with such changes, we recommend you reach out to our HIPAA experts today!


Idaho State University Settles HIPAA Security Case For $400,000

According to the Department of Health and Human Services (HHS), Idaho State University has agreed to pay $400,000 for violations of the HIPAA Security Rule. The settlement was reached after the health records of 17,500 patients of an ISU clinic were compromised. You can read more about it here.

The Office for Civil Rights (OCR) opened its investigation after ISU notified HHS that the firewall on one of its servers had been disabled. Through the investigation, OCR found that ISU had not applied proper security measures and policies, failures that could have been avoided by consulting a HIPAA security consultant and by performing routine HIPAA security audits.

This isn’t the first time a well-known university has been penalized for a health data breach; we wrote about Indiana University and its breach in another post that you can find here.

Ready or Not, Here Come HIPAA Audits!

After running a successful pilot program in 2012, the Department of Health and Human Services’ Office for Civil Rights (OCR) is looking to launch a national HIPAA compliance audit program by the end of this year to ensure that all health care providers and business associates comply with the HIPAA Privacy and Security rules and regulations.

This announcement is causing panic among many health IT leaders, since data security and privacy have become such a complex undertaking: many know that holes still exist but can’t pinpoint where they are. What’s really troublesome is that the feds have proven, through their Recovery Audit Contractors (RAC) program, that they do not hesitate to take a take-no-prisoners approach, especially when there’s a lot of money on the line.

To read more about this program, check out this press release.

OCR Issues First Fine for Non-Major Breach – Hospice of North Idaho

The Department of Health and Human Services’ Office for Civil Rights for the first time is financially punishing an organization for a breach of protected health information that affected fewer than 500 individuals. This is a new policy, as OCR has previously limited issuance of hefty fines (and publicity of the fines) to several organizations following a “major” breach that affected 500 or more individuals. By Joseph Goedert

The entire article may be viewed here.

HIPAA Privacy Audits begin – 20 “initial” audits to 150 audits by end of 2012

Is attestation a means to hold providers accountable for the expenditure of public funds and to protect against fraud and abuse?

The Office for Civil Rights has engaged KPMG, using $9M of its $52M budget for this year for enforcing HIPAA compliance and investigating breaches on behalf of CMS. The covered entities in scope for the KPMG audits are those that have received CMS incentive payments under Meaningful Use; they can expect a process lasting at least 30 business days, including a 3-10 day on-site visit.

As you register and attest for Meaningful Use funds, be aware that the risks associated with protecting ePHI are elevated in terms of IMPACT on your hospital.

For the press release, click here. For the HHS press release, click here.

I have worked for Deloitte & Touche ERS and understand the big accounting firms’ audit strategies and their legal implications. If you would like to discuss how to mitigate your clinic’s risks with attestation and be fully prepared for an OCR audit, please do not hesitate to contact me anytime.

Changes to HIPAA Rules: OCR Increasing Financial Penalties

Just a quick update: OCR is looking at the possibility of increasing civil money penalties for violations of the requirements that keep protected health information private and secure. Those found in violation may face fines of up to $1.5 million in a single calendar year.

You can read more about this here.