Lack of HIPAA Breach Notification Policy Leads to Fine

On December 26, 2013, the Office of Civil Rights (“OCR”) of the federal Department of Health and Human Services announced a settlement with Adult & Pediatric Dermatology, P.C. of Concord, MA (“APDerm”) for failure to have appropriate breach notification policies and procedures in place.  As part of the settlement, APDerm paid a resolution amount of $150,000 and was required to enter into a government monitored corrective action plan to implement the policies and procedures it should have had in place.

APDerm is a small dermatology practice with four offices in Massachusetts and two offices in New Hampshire. The issues at APDerm were discovered because it voluntarily reported the theft of an unencrypted thumb drive to OCR on October 7, 2011. According to the Resolution Agreement between APDerm and OCR, an investigation found that APDerm (i) did not implement appropriate breach notification policies and procedures until February 7, 2012, (ii) did not perform a risk analysis until October 1, 2012, and (iii) impermissibly disclosed electronic protected health information on September 14, 2011 by giving an unauthorized individual access. APDerm's actions demonstrated a system-wide lack of compliance and suggested a lack of awareness of its obligations under HIPAA. A quote from OCR Director Leon Rodriguez provides the perfect summary: "Covered entities of all sizes need to give priority to securing electronic protected health information."

OCR's action against APDerm demonstrates that providers of all sizes must be aware of HIPAA compliance obligations and take those obligations seriously. No entity will be given a free pass by OCR if a violation is found or reported. The settlement underscores a recent OCR trend of targeting violations that can occur at any entity. For example, one recent settlement resulted from a breach affecting fewer than 500 patients, another from a failure to destroy the data stored in a photocopier's internal memory, and a third focused on the scope of permissible disclosures. As such, the settlements are used to emphasize various requirements under HIPAA, with the goal of letting entities know that no violation will escape notice or consequences.

The lesson from the APDerm settlement is that all entities handling protected health information must assess their compliance obligations, review policies and procedures and put those requirements into practice.  Entities must remember that everyone has the same compliance obligations regardless of whether the entity is a covered entity or a business associate.  Accordingly, existing policies and procedures should be reviewed to ensure that they have been updated and/or to identify areas that need improvement.  If policies and procedures are not in place, an entity is well advised to develop the required policies and procedures immediately. 

If you have questions about HIPAA or how to comply with HIPAA, contact the Mirick O’Connell Health Law Group.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in Compliance, HIPAA, Regulations.
