HHS Announces First HIPAA Settlement Based on Lack of Breach Notification Policies and Procedures

By Inside Privacy on December 30, 2013

By Anna Kraus

On December 27, 2013, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced a HIPAA settlement with Adult & Pediatric Dermatology, P.C. (APDerm), a private dermatology practice with locations in Massachusetts and New Hampshire. According to HHS, this is the first settlement based on a covered entity not having policies and procedures in place to address the breach notification requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Like other HIPAA investigations, this one began after HHS received notification of a breach of unsecured protected health information (PHI). In October 2011, APDerm notified HHS that an unencrypted thumb drive, which contained electronic PHI relating to the surgeries of approximately 2,200 patients, was stolen from an employee’s vehicle and not recovered. HHS found through its investigation that APDerm:

Did not conduct a proper risk assessment under the HIPAA Security Rule until one year later (October 2012);
Did not fully comply with the HIPAA Breach Notification Rule requirements to have written policies and procedures regarding breach notification, and to train workforce members on those policies and procedures, until February 2012; and
Committed an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule, when it gave an unauthorized individual access to the unencrypted thumb drive that was later stolen.

Under the terms of the settlement, APDerm agreed to pay $150,000 to HHS and implement a corrective action plan (CAP). The CAP requires APDerm to conduct an organizational-wide risk analysis of electronic PHI, develop a risk management plan, make any necessary revisions to policies and procedures, report any HIPAA violations by workforce members during the compliance period, and submit an implementation report to HHS, among other things.

Covered entities and business associates should take note of this settlement, which underscores the importance of having written policies and procedures to address HIPAA requirements and properly training workforce members on those policies and procedures. As we previously reported, OCR may be ramping up its HIPAA enforcement efforts in light of the HHS Office of Inspector General’s recent report on OCR oversight and enforcement of the HIPAA Security Rule.