On December 26, 2013, the Office of Civil Rights (“OCR”) of the federal Department of Health and Human Services announced a settlement with Adult & Pediatric Dermatology, P.C. of Concord, MA (“APDerm”) for failure to have appropriate breach notification policies and procedures in place. As part of the settlement, APDerm paid a resolution amount of $150,000 and was required to enter into a government monitored corrective action plan to implement the policies and procedures it should have had in place.
APDerm is a small dermatology practice with four offices in Massachusetts and two offices in New Hampshire. The issues at APDerm were discovered because it voluntarily reported the theft of an unencrypted thumb drive to OCR on October 7, 2011. According to the Resolution Agreement between APDerm and OCR, an investigation found that APDerm (i) did not implement appropriate breach notification policies and procedures until February 7, 2012, (ii) did not perform a risk analysis until October 1, 2012, and (iii) impermissibly disclosed electronic protected health information on September 14, 2011 by giving an unauthorized individual access to it. APDerm’s actions demonstrated a system-wide lack of compliance and suggested a lack of awareness of its obligations under HIPAA. A quote from OCR Director Leon Rodriguez provides the perfect summary: “Covered entities of all sizes need to give priority to securing electronic protected health information.”
OCR’s action against APDerm demonstrates that providers of all sizes must be aware of HIPAA compliance obligations and take such obligations seriously. No entity will be given a free pass by OCR if a violation is found or reported. The settlement underscores a recent OCR trend of targeting violations that can occur at any entity. For example, one recent settlement resulted from a breach affecting fewer than 500 patients, another from a failure to destroy the internal stored memory in a photocopier, and a third focused on the scope of permissible disclosures. As such, the settlements are used to emphasize various requirements under HIPAA, with the goal of letting entities know that no violation will escape notice or consequences.
The lesson from the APDerm settlement is that all entities handling protected health information must assess their compliance obligations, review policies and procedures and put those requirements into practice. Entities must remember that everyone has the same compliance obligations regardless of whether the entity is a covered entity or a business associate. Accordingly, existing policies and procedures should be reviewed to ensure that they have been updated and/or to identify areas that need improvement. If policies and procedures are not in place, an entity is well advised to develop the required policies and procedures immediately.
If you have questions about HIPAA or how to comply with HIPAA, contact the Mirick O’Connell Health Law Group.