We were recently emailed an article written by one of Etna’s industry partners, KarenZupko & Associates, Inc., that we think is worth sharing.
Shockwaves were felt in the dermatology community last week following the announcement that the HHS Office for Civil Rights had fined Concord, Mass.-based Adult and Pediatric Dermatology $150,000 to resolve allegations of violations of the HIPAA privacy and security rules following the September 2011 theft of an unencrypted thumb drive from an employee’s vehicle. The investigation uncovered, among other things, that AP Dermatology had not performed an acceptable security risk assessment. Additionally, they had not implemented sufficient risk management measures, had not completed security training for staff, and had not implemented device and media controls.
If your practice has been putting off performing a security risk assessment, stop waiting — a surprise visit from the OCR could have you shelling out massive fines. Expect to see an increasing number of investigations in 2014, and protect your practice by doing the following now:
Develop a risk analysis and risk management plan to address your practice vulnerabilities.
What does that mean exactly? You can learn a lot in just half an hour by listening to an excellent webinar recently conducted and recorded by the Medical Risk Institute. As attorney Mike Sacopulos says, “Documenting known risks and articulating a plan to manage those risks should be every practice’s No. 1 priority.”
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” OCR director Leon Rodriguez said in a statement addressing a similar breach in Alaska in 2013 that drew a much higher fine.
After all is said and done, AP Dermatology’s 150K fine will likely serve as a wake-up call for every dermatology practice that is putting off its security risk assessment, or that thinks it can get by with a less comprehensive assessment because it doesn’t expect to ever be audited.
Glenn Morley is a consultant and speaker at KarenZupko & Associates, Inc., a practice management consulting and training firm working for and with physicians since 1985.