HIPAA Compliant? Not Without Documentation, DHHS Says By Kenneth N. Rashbaum, Esq.

It only takes one: one patient complaint, one number coming up in a random audit, or one small device holding unencrypted patient information that disappears from a car or apartment or tumbles from a backpack or purse tossed onto a restaurant chair. The cost of complying with HIPAA protocols and documentation seems small when your one comes up.

The one most recently reported was an unencrypted USB (thumb) drive on which a medical practice, Adult and Pediatric Dermatology, P.C. of Massachusetts, had placed the Protected Health Information (PHI) of approximately 2,200 patients. As is the fate of many portable electronic devices, this one was stolen from an automobile. The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services that enforces HIPAA, investigated and on December 24, 2013 entered into a Resolution Agreement with the practice regarding violations of the HIPAA Rules. The precipitating event was the unauthorized disclosure of PHI made possible by storing it on an unencrypted (and therefore unprotected) device, but the focus of the Resolution Agreement settling the matter was the practice's failure to have documented policies and procedures for safeguarding PHI, to train its workforce on those policies, and to have a current HIPAA Security Risk Analysis. Had the drive been encrypted in line with HHS guidance, the PHI on it would have been considered unreadable to the thief and its loss would not have been a reportable breach; the risk analysis is the step that is supposed to surface that gap before a thief does.

What was the result of the decision to save time and money by not complying with the requirements for documented protocols, an encrypted USB drive, and a policy requiring its use? A settlement of $150,000, plus the cost of complying with OCR's oversight of the implementation of policies, procedures, and the required HIPAA Security Risk Analysis. The practice learned an expensive lesson: electronic health information is fundamentally different from paper, in that there is more of it and it is easier to lose.

Its volume and slipperiness are the raison d'être for the federal regulations on safeguards for electronic PHI. Factor in the time spent on Resolution Agreement compliance that could have been spent caring for patients, the legal and consulting fees for that compliance, and the loss of business reputation, and the total cost of whistling past the graveyard by not complying considerably exceeds the $150,000 settlement. It is far less costly to comply, because you never know when your one will come up.