On December 24, 2013, the Department of Health and Human Services (HHS) entered into its first settlement with a HIPAA covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The covered entity, a regional dermatology practice with offices in only two states, was required to make a substantial payment to HHS. This settlement underscores the necessity for providers of all sizes to have policies and procedures in place to address breaches and other improper uses and disclosures of protected health information (PHI) and to train workforce members on these policies and procedures.
Following the theft of an unencrypted thumb drive containing electronic protected health information (ePHI) of approximately 2,200 patients, Adult & Pediatric Dermatology, P.C. (APDerm), a private dermatology practice with six locations in Massachusetts and New Hampshire, timely reported the breach to HHS, timely notified its patients and provided media notice as required by HIPAA. However, during its investigation, HHS determined that APDerm did not have written policies and procedures addressing breach notification at the time of the theft – nor did APDerm train its workforce members as required by the Breach Notification Rule until nearly four months later. HHS also determined that APDerm did not timely conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI.
As a result, HHS mandated that APDerm implement a corrective action plan to address deficiencies in its HIPAA compliance program. In addition, the settlement agreement required APDerm to make a $150,000 payment to HHS.
The HIPAA Breach Notification Rule requires covered entities and business associates to have written policies and procedures in place to address improper uses and disclosures of PHI and to train workforce members on these policies and procedures. Failure to comply with these administrative requirements can prove costly. As illustrated in the APDerm case, HHS’s enforcement efforts are not limited to large healthcare providers.
Covered entities and business associates should review their internal policies and procedures regarding breaches of PHI and should document that all workforce members who encounter PHI have received training on these policies and procedures. For assistance with these types of matters or questions involving any type of HIPAA compliance, please contact a member of Hirschler Fleischer’s health care practice group.
Luis F. Ruiz