The Breach, Investigation, and Resolution Agreement
The Group is a 12-physician medical practice with six offices. OCR’s investigation and the settlement arose out of the theft of an unencrypted thumb drive containing electronic PHI (ePHI) of approximately 2,200 people from the vehicle of one of the Group’s staff members.
—Steven M. Harris, Esq.
After the Group notified the media, the people whose ePHI was on the thumb drive, and OCR, the agency investigated the Group’s compliance with the HIPAA Security, Privacy and Breach Notification Rules (HIPAA Rules). Although the mere occurrence of a breach did not by itself trigger sanctions, the settlement resulted from OCR’s findings that:
- The Group violated the Security Rule by failing to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI;
- The Group violated the administrative requirements of the Breach Notification Rule by failing to maintain written policies and procedures, and to train members of its workforce regarding breach notification; and
- The Group impermissibly disclosed ePHI by failing to reasonably safeguard the unencrypted thumb drive, which allowed the thief to gain unauthorized access to ePHI.
Following its investigation, OCR entered into a resolution agreement with the Group, under which the Group agreed to: