On December 26, 2013, the U.S. Department of Health and Human Services Office for Civil Rights (HHS) announced that it had reached an agreement with a Northeastern dermatology practice to settle potential HIPAA violations arising from a 2011 theft of an unencrypted thumb drive containing patient information. This is HHS’ first settlement with a covered entity arising from the failure to have policies in place to address the breach notification requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted in 2009.

On October 7, 2011, Adult & Pediatric Dermatology, P.C. (APD) notified HHS that an unencrypted thumb drive containing electronic protected health information (ePHI) of approximately 2,200 patients had been stolen from the car of one of APD’s workforce members. The thumb drive was never recovered. Even though APD notified its patients within 30 days of the theft and provided notice to the media as required by HITECH, HHS’ investigation found that APD did not conduct an accurate and thorough analysis of potential risks to the confidentiality of the ePHI until October 1, 2012. HHS further indicated that APD did not have written policies and train its workforce members on breach notification requirements until February 7, 2012.

Although the settlement was not an admission of liability, APD agreed to pay HHS $150,000. The settlement also obligates APD to implement a corrective action plan, which requires APD to conduct a risk analysis of the ePHI security risks for all of APD’s electronic media and systems, develop a risk management plan to mitigate security risks, revise its policies and procedures as necessary, and submit an implementation report to HHS for review and approval. The cost of complying with the corrective action plan is in addition to the settlement payment, and can be significant.

In light of HHS’ increased focus on HIPAA compliance, covered entities and business associates should take the following steps to minimize the chances of impermissible disclosures of ePHI and any resulting enforcement action by HHS:

1. Ensure that their privacy and security policies and procedures reflect the requirements of the HITECH Act and the HIPAA Omnibus Rule that was effective September 23, 2013.2. At least annually conduct a thorough analysis to identify and mitigate security risks and vulnerabilities associated with ePHI and adopt or revise policies accordingly. For example, phones, laptops, tablets and similar devices may also contain ePHI, and a covered entity or business associate should include this consideration as part of its risk analysis.3. Encrypt all portable storage devices, e.g., thumb drives or tablets, that contain ePHI.