Monday, January 06, 2014

Theft of Unencrypted Health Records Results in $150K HHS Fine

A stolen flash drive containing patient records has resulted in a $150,000 federal fine for violation of the Health Insurance Accountability and Portability Act (HIPAA). According to the US Department of Health and Human Services (HHS), this case marks the first settlement over noncompliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The fine is part of a resolution agreement (PDF) with Adult & Pediatric Dermatology PC, of Concord, Massachusetts (APDerm), owners of the stolen drive. According to the HHS announcement of the agreement, the unencrypted drive was in a computer bag taken from an employee's locked car and contained records on approximately 2,200 patients. The drive has not been recovered.

In addition to the financial penalty, APDerm has agreed to participate in a corrective action plan involving the creation of multiple risk analyses and regular progress reports to HHS. The HHS Office for Civil Rights investigation revealed that APDerm had not conducted sufficient risk analyses and had not implemented the required policies, procedures, and workforce training around electronic protected health information.

Although physical therapists (PTs) are not yet required to adopt electronic health records (EHR) under the Medicare and Medicaid Meaningful Use programs, most clinicians involved in electronic submission of patient information are subject to HIPAA rules. APTA provides resources on complying with the complex HIPAA Omnibus Rule on APTA's HIPAA webpage. More information on the HIPAA Omnibus Rule requirements—and more examples of data breaches like the one described in this story—is featured in an APTA Learning Center webinar.