The Office of Civil Rights, Department of Health and Human Services recently announced fines against two health care providers for failure to properly implement and follow breach policies for electronic protected health information (ePHI). In September 2015, an Indiana radiation oncology group agreed to pay a $750,000 fine and implement a corrective action plan after it was investigated and found it the 13-physician group failed to conduct an enterprise-wide risk analysis and did not adopt written policies as required under HIPAA regulations on the removal of ePHI from hardware and removable storage devices. The group self-reported a breach after an employee’s laptop was stolen from a personal vehicle. The laptop did not contain ePHI, but backup media in the laptop bag contained unencrypted ePHI including social security numbers, names, and addresses for 55,000 former patients.
In the second investigation, St. Elizabeth’s Medical Center in Brighton, MA, reached a settlement to pay a $218,500 fine after an investigation revealed the Medical Center used an internet-based document sharing application to store documents that contained ePHI of some 498 patients. The Medical Center also failed to respond to the known security incident, mitigate harmful effects, and document the incident and outcome of its internal review. In addition, the Medical Center was fined for a second breach involving ePHI for 595 patients that was improperly stored on a former employee’s laptop and USB flash drive.
OCR continues to increase its enforcement efforts across the nation. As evidenced by these two recent cases, human error continues to be a significant source of HIPAA violations. The theft of laptops and external storage devices such as flash drives can and do result in significant exposure. If your health care facility or practice has not adopted written policies and procedures on the proper management and handling of these devices, you are at risk.
Goosmann Cyber Law Counsel helps companies protect their property, resources, and name. If you are a business owner and need assistance on how to stop visual hacking or for more information on cyber law, contact the Goosmann Law Firm at info@goosmannlaw.com or call (712) 226-4000.