BAS Blog

Lack of Procedures Leads to HIPAA Failure

Written by BAS | Jan 2, 2014 11:22:48 AM

A New England-based dermatology practice recently reached a $150,000 settlement agreement with the Department of Health and Human Services over a HIPAA security violation. This is the first instance of an organization being fined for not having policies and procedures in place to address the breach notification requirements that the HITECH Act added to HIPAA.

The Department of Health and Human Services was notified that an unencrypted thumb drive containing the protected health information of more than 2,000 patients had been stolen from a staff member of the dermatology practice. The government's investigation found that the practice had no written policies and procedures in place, had not trained its workforce members, and had not conducted a risk analysis of its security posture.

The thumb drive was never recovered. The dermatology practice must develop a risk management plan to address potential risks and vulnerabilities.

BAS has policies and procedures in place to prevent the sort of breach the dermatology practice encountered. BAS systems block information from being downloaded onto any portable device, such as a thumb drive, and BAS also maintains detailed policies and procedures governing mobile device access.