Enter to open, tab to navigate, enter to select
Stolen Laptop Bag Leads to $750, 000 HIPAA Settlement
Practical Law Legal Update 5-618-6971 (Approx. 4 pages)
Stolen Laptop Bag Leads to $750,000 HIPAA Settlement
by Practical Law Employee Benefits & Executive Compensation
| Published on 10 Sep 2015 • USA (National/Federal) |
The Department of Health and Human Services has announced a settlement with a private physician practice for potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The practice will pay $750,000 and take actions to strengthen its HIPAA compliance program.
On September 2, 2015, the Department of Health and Human Services (HHS) announced a settlement with a private physician practice (a HIPAA covered entity) for potential violations of HIPAA's privacy and security rules (see resolution agreement and related press release). HHS began its investigation after the practice submitted a breach notification involving the theft of a laptop bag containing unsecured electronic protected health information (ePHI) from an employee's car (see Practice Note, HIPAA Breach Notification Rules).
In August 2012, the practice notified HHS that a laptop bag containing an employee's computer and unencrypted backup media with the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 of the practice's current and former patients was stolen from the employee's car. The backup media had been left unattended in the passenger area of the employee's car and was stolen when a third party broke the car's window.
HHS's subsequent investigation revealed that the practice had failed to:
- Perform an "enterprise-wide" risk assessment regarding threats to the confidentiality of ePHI.
- Adopt policies and procedures addressing the receipt and removal of hardware and electronic media containing ePHI into and out of the practice's facility, and within the facility.
Resolution Agreement and Corrective Action Plan
Under the resulting resolution agreement, the practice must pay $750,000 and adopt a corrective action plan (CAP), which HHS characterized as "robust." The CAP requires the practice to:
- Conduct a HIPAA risk assessment that includes security risks involving electronic equipment and data systems that store, transmit or receive ePHI (see Practice Note, HIPAA Breach Notification Rules: Risk Assessment's First Factor: Nature and Extent of PHI Involved).
- Develop and implement an organization-wide risk management plan to address risks uncovered in its risk assessment.
- Review and revise its policies and procedures under the HIPAA Security Rule (see Practice Note, HIPAA Security Rule).
- Review and update its HIPAA Security Rule training program, which must be forwarded to HHS for its review and approval (and, if necessary, subsequently revised).
In announcing its settlement agreement with the practice, HHS noted that the practice's risk assessment and policies noncompliance contributed to the breach, in that:
- An enterprise-wide risk analysis would have identified removal of unencrypted backup media from the practice's facility as a significant risk to ePHI.
- A comprehensive device and media control policy would have offered employees guidance regarding removing devices with ePHI from the facility.
Practical Impact
Informally, HHS has indicated that it intends to provide additional HIPAA breach and security rule guidance, which may be particularly useful to HIPAA covered entities given that ePHI issues are a recurring source of breach notifications and appear to be an HHS enforcement priority (see Legal Update, Unencrypted Laptop Results in $1.7 Million HIPAA Settlement). The settlement also underscores the role of proper encryption of mobile devices and electronic media as a best practice in reducing the likelihood of a breach of ePHI.