Medical Practice Fined $150k for HIPAA Violations
Kegler Brown Health Care News January 8, 2014
On December 24, 2013, the Department of Health and Human Services Office for Civil Rights (OCR) entered into a settlement with Adult and Pediatric Dermatology, P.C. (APC), a Massachusetts physician practice group. The settlement agreement resolved claims of HIPAA violations arising from an OCR investigation of APC. Under the terms of the settlement, APC agreed to pay the Department of Health and Human Services (HHS) $150,000 and entered into a corrective action plan.
The investigation began on October 7, 2011, when APC notified HHS that an unencrypted USB flash drive containing unsecured electronic protected health information (PHI) had been stolen from an employee's vehicle. The flash drive was never recovered. APC notified the affected patients of the breach within 30 days and also provided media notice.
Through its investigation, OCR determined that APC did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities as part of its security management process until October 1, 2012. OCR also determined that APC did not fully comply with administrative requirements of the breach notification rule to have written policies and procedures and to train members of its workforce regarding breach notification until February 7, 2012.
Under the terms of the corrective action plan, APC must conduct a comprehensive, organization-wide risk analysis of electronic PHI security risk and vulnerabilities. In addition, APC must develop a risk management plan to mitigate any such security risks and vulnerabilities. The proposed risk management plan must be submitted to OCR for review and APC is required to incorporate into the risk management plan any revisions suggested by OCR. APC is also required to report to OCR any employee’s failure to comply with any provisions of its privacy, security, and breach notification policies and procedures.
The settlement agreement demonstrates the need to conduct a risk assessment, to implement appropriate written policies and procedures based on that risk assessment, and to make sure that all employees are fully trained on those policies and procedures. APC's unfortunate situation also highlights the particular challenges posed when PHI is stored on portable devices and removable media such as USB drives. Had the drive been encrypted in a manner consistent with HHS guidance, the PHI on it would have been "secured" rather than "unsecured," and the theft of the drive would not have triggered the breach notification obligations that led to this investigation.
As this event illustrates, a reported HIPAA breach may prompt OCR to open an investigation into the cause of the breach, and that investigation can expose a covered entity to penalties if it does not have an adequate HIPAA compliance program in place. It is also worth noting that, in addition to OCR, each state's attorney general has authority to enforce HIPAA requirements.
The lawyers at Kegler Brown can assist health care providers in implementing appropriate HIPAA policies in order to minimize risk. Our lawyers also provide advice and guidance when a breach occurs. A HIPAA compliance program is a minimal investment as compared to the fines that may be imposed without such a program.