HIPAA Compliant? Not Without Documentation, DHHS Says

It only takes one – one patient complaint, one number coming up in a random audit, or one small device with unencrypted patient information that disappears from a car or apartment or tumbles from a backpack or purse tossed onto a restaurant chair. The cost of compliance with HIPAA protocols and documentation sure seems small when your “one” comes up.

The “One” most recently reported was an unencrypted USB (“thumb”) drive on which a medical practice, Adult and Pediatric Dermatology, P.C. of Massachusetts, had placed the Protected Health Information (PHI) of approximately 2,200 patients. As is the fate of many portable electronic information devices, this one was stolen from an automobile. The Office of Civil Rights, which is the agency within the U.S. Department of Health and Human Services that enforces HIPAA, investigated and on December 24, 2013, entered into a Resolution Agreement with regard to violations of the HIPAA Rules.

The precipitating event may have been the unauthorized disclosure of PHI, by allowing the PHI to be stored on an unencrypted (and, thereby, unprotected) device, but the focus of the Resolution Agreement to settle the proceeding was the failure to have documented policies and procedures for PHI safeguards in place, to train the workforce on those policies, and to have a current HIPAA Security Risk Analysis.

What was the result of the decision to save time and money by not complying with the requirements for documented protocols, by not investing in an encrypted USB drive, and by not adopting a policy requiring its use? A settlement of $150,000, plus the costs of compliance with the Office of Civil Rights oversight for implementation of policies, procedures, and the required HIPAA Security Risk Analysis.

The medical practice here learned an expensive lesson: electronic health information is fundamentally different from paper, in that there is more of it and it’s easier to lose. Its volume and “slipperiness” explain the raison d’être for the federal regulations on safeguards for electronic PHI. Factor in the loss of time spent on Resolution Agreement compliance that could have been spent caring for patients, the legal and consulting fees incurred in complying with the Resolution Agreement, and the loss of business reputation: the total cost of “whistling past the graveyard” through noncompliance considerably exceeds the $150,000 fine.

This situation has broad implications for lawyers. Law firms that represent medical providers need to advise their clients of this and other risks associated with HIPAA violations and of the steps to take to eliminate or minimize these risks. In addition, law firms holding information subject to HIPAA must follow appropriate policies and procedures. Moreover, reasonable precautions to protect the confidentiality of client data are an ethical obligation of lawyers, regardless of whether the data is subject to HIPAA.

It’s far less costly to comply, because you never know when your “one” will come up.