If you think that your small medical practice is safe from a Health Insurance Portability and Accountability Act of 1996 (HIPAA) violation, a recent case may make you think otherwise. Not only should you take steps to protect your practice, you should also take steps to protect the information of your patients, as one small, private practice in Massachusetts recently discovered.
A Small Mistake With Huge Consequences
Adult & Pediatric Dermatology, P.C. in Concord, Mass. experienced a recent theft when an unencrypted thumb drive was stolen from the vehicle of an employee. The drive housed the electronic protected health information of roughly 2,200 patients. The thumb drive has yet to be recovered.
An investigation was launched by the HHS Office for Civil Rights. They discovered that the practice failed to complete an accurate and full risk vulnerability analysis as to the security and confidentiality of electronic protected health information. The investigation also revealed that the practice had failed to adhere to the requirements set by the Breach Notification
Rule stating that practices must have written procedures and policies in place, and that employees must be properly trained to adequately handle sensitive medical information.
Truth and Consequences
As a result of the security breach, Adult & Pediatric Dermatology has agreed to pay $150,000 as part of a settlement. Furthermore, the practice has also been required to include a corrective action plan in order to become compliant with HIPAA requirements.
What’s unique about this case is that it’s the very first settlement that involved a covered entity for failing to have proper procedures and policies that address the breach notification stipulations of the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act.
Hope for the Best, Prepare for the Worst
The best way to respond to a worst-case scenario is to prepare well before it happens. No matter how small or young your practice is, always make sure that you are fully compliant with HIPAA regulations as well as any other related medical regulations. Just because you aren’t aware you’re in violation of a regulation, rule or law doesn’t mean that you’ll get a slap on the wrist. Instead, you might get slapped with a large fine and possibly even more devastating consequences that could mean disaster for your small practice.
Take some time out to see which regulations apply to your specific medical practice and which apply to practices everywhere. Make sure you and your employees know how to react in the event that sensitive patient information were to become stolen, hacked or otherwise tampered with. With the way that medical technology is changing, there may be dangers and threats to your practice and patient information that you aren’t yet aware of. Stay up-to-date on the changes taking place in medical technology and the potential dangers they bring with them. Remember that an ounce of prevention is worth a pound of cure.
Raintree Systems is here to provide you and your practice with quality electronic medical record and practice management software. We also encourage you to visit HHS.gov/OCR for more information on your civil and privacy rights for the human service and health care field as well as information related to health information privacy and nondiscrimination laws.
Raintree Systems wants to know your business and will customize it’s software to meet your needs. Contact us today at 951.252.9400.