In what may be a sign of things to come, a recent HHS OCR resolution agreement with a dermatology practice cites not only the loss of some 2,200 records on a thumb drive, but the lack of an “accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI” and “[t]he Covered Entity did not … have written policies and procedures and train members of its workforce”; specifically:
(1) The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012.
(2) The Covered Entity did not fully comply with the administrative requirements of the Breach Notification Rule to have written policies and procedures and train members of its workforce regarding the Breach Notification requirements until February 7, 2012.
(3) On September 14, 2011, the Covered Entity impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one of its workforce members.
In addition to the $150,000 resolution amount, the HHS OCR settlement includes a corrective action plan requiring Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, and to provide an implementation report to HHS OCR. This approach from HHS OCR suggests that merely addressing and mitigating a breach so that it has no patient impact may not be sufficient: a covered entity that never performed a risk analysis or put written policies, procedures and workforce training in place may still face an HHS OCR penalty for those underlying compliance failures.