Stolen Laptop Bag Leads to $750,000 HIPAA Settlement | Practical Law

The Department of Health and Human Services has announced a settlement with a private physician practice for potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The practice will pay $750,000 and take actions to strengthen its HIPAA compliance program.

Practical Law Legal Update 5-618-6971 (Approx. 4 pages)

by Practical Law Employee Benefits & Executive Compensation
On September 2, 2015, the Department of Health and Human Services (HHS) announced a settlement with a private physician practice (a HIPAA covered entity) for potential violations of HIPAA's privacy and security rules (see resolution agreement and related press release). HHS began its investigation after the practice submitted a breach notification involving the theft of a laptop bag containing unsecured electronic protected health information (ePHI) from an employee's car (see Practice Note, HIPAA Breach Notification Rules).
In August 2012, the practice notified HHS that a laptop bag containing an employee's computer and unencrypted backup media with the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 of the practice's current and former patients was stolen from the employee's car. The backup media had been left unattended in the passenger area of the employee's car and was stolen when a third party broke the car's window.
HHS's subsequent investigation revealed that the practice had failed to:
  • Perform an "enterprise-wide" risk assessment regarding threats to the confidentiality of ePHI.
  • Adopt policies and procedures addressing the receipt and removal of hardware and electronic media containing ePHI into and out of the practice's facility, and within the facility.

Resolution Agreement and Corrective Action Plan

Under the resulting resolution agreement, the practice must pay $750,000 and adopt a corrective action plan (CAP), which HHS characterized as "robust." The CAP requires the practice to:
In announcing its settlement agreement with the practice, HHS noted that the practice's noncompliance with the risk assessment and policy requirements contributed to the breach, in that:
  • An enterprise-wide risk analysis would have identified removal of unencrypted backup media from the practice's facility as a significant risk to ePHI.
  • A comprehensive device and media control policy would have offered employees guidance regarding removing devices with ePHI from the facility.

Practical Impact

Informally, HHS has indicated that it intends to provide additional HIPAA breach and security rule guidance, which may be particularly useful to HIPAA covered entities given that ePHI issues are a recurring source of breach notifications and appear to be an HHS enforcement priority (see Legal Update, Unencrypted Laptop Results in $1.7 Million HIPAA Settlement). The settlement also underscores the role of proper encryption of mobile devices and electronic media as a best practice in reducing the likelihood of a breach of ePHI.