Alleged HIPAA Policy and Procedure Failures Result in $150,000 Settlement With HHS

  • Feb 3, 2014
  • HIPAA
  • Dennis J. Merley

On December 26, 2013, the Department of Health and Human Services (HHS) announced that a covered entity agreed to settle HHS’s investigation of HIPAA violations for $150,000 and the implementation of corrective action. This settlement underscores that HIPAA financial penalties may be significant and may result from HIPAA policy and procedure failures, not only from improper disclosures. In its press release, HHS noted, “This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provision of [HITECH] . . .”

Adult & Pediatric Dermatology, P.C. (APDerm), of Concord, Massachusetts, notified HHS in October 2011 that an unencrypted thumb drive containing 2,200 patient records was stolen from an employee’s vehicle.  The thumb drive did not contain credit card numbers, phone numbers, addresses or health insurance information, but it did contain operation reports and photographs of surgical procedures.  The HHS Office for Civil Rights (OCR) opened an investigation of APDerm as a result of its breach notification to HHS.

OCR determined that APDerm failed to conduct a thorough security analysis relating to confidentiality of ePHI and failed to fully comply with the administrative requirements of the Breach Notification Rule.  APDerm did not have written policies and procedures on breach notification.  It did not train its personnel.  It did not engage in any security risk analysis.  It allowed unencrypted thumb drives with protected health information to leave its premises.

As part of the settlement, in addition to paying $150,000, APDerm agreed to a corrective action plan which includes conducting a comprehensive, organization-wide risk analysis of ePHI confidentiality.

It is anticipated that OCR’s enforcement activity will increase in 2014 following a report from the Office of Inspector General in late 2013 that OCR had failed to meet the requirements in its oversight and enforcement of the Security Rule.  Based on this latest resolution and the expected heightened enforcement activity, covered entities should be certain that their policies and procedures are up-to-date, in particular those necessary to meet the HITECH standards.

As always, should you have any questions, please contact our Benefits team.