Denton County Health Department has reported a USB drive HIPAA violation which occurred on 13th February this year. The privacy breach potentially exposed the PHI of 874 patients who had visited its tuberculosis clinic for medical services.
The data exposed in the incident did not involve any financial information or Social Security numbers, although some personal information, including names, addresses and dates of birth, was in the files, along with healthcare data such as TB test results. The definition of PHI under HIPAA includes this data.
USB Drive HIPAA Violation Led to the Temporary Exposure of PHI
The HIPAA violation was caused when a USB drive containing unencrypted data was given to a third party for a period of an hour. During that time the third party had access to computer equipment and printers, and could potentially have copied or printed that information.
The mistake was a simple error made by an employee of the Denton County Health Department, who had given the USB drive to a local printing company in order to print a personal document that was stored on the drive. The employee realized the mistake, recognized that patient data had potentially been exposed, and self-reported the incident.
When the employee notified superiors at the Denton County Health Department, an investigation was launched. Under HIPAA regulations, covered entities (CEs) must have policies in place to deal with a breach and need to take rapid action to mitigate any damage caused. They must also implement measures to ensure further breaches do not occur.
Denton County Health Department’s investigation determined that the risk of PHI exposure was low. The USB drive has been recovered and no files are understood to have been accessed.
Dr. Matt Richardson, Director of Public Health for Denton County, said in a statement, “We take patient confidentiality very seriously, and we deeply regret this breach of security and the inconvenience for patients. We have spent the past few weeks conducting a thorough investigation to determine the facts and are encouraged there is no evidence that any confidential information was accessed.”
Slow Issuing of Breach Notification Letters Carries Risk of HIPAA Violation
The data stored on the drive falls under the definition of PHI under HIPAA and since the incident involved more than 500 individuals it must be reported to the Department of Health and Human Services’ Office for Civil Rights. CEs are obliged to do this “without unnecessary delay” and no later than 60 days following the discovery of the breach.
Denton County Health Department left it until a few days before the deadline to send breach notification letters to the affected individuals. A spokeswoman for the Denton County Health Department, Sarah McKinney, explained: “A full internal investigation is being conducted and officials wanted to make sure they had all of the facts and were acting under the guidelines of the law to notify patients who may have been potentially affected, a process that is currently ongoing.”
Any organization unnecessarily delaying the issuing of notification letters to patients is risking a HIPAA violation. This could potentially result in a fine of up to $1,500,000 if the Office for Civil Rights deems the delay to constitute willful neglect of the HIPAA Breach Notification Rule. Prompt action, especially in the first few days after a breach, is essential if breach notification letters are to be issued well within the allocated time frame.