It’s Not Enough to Notify: Don’t Forget the Policies, Risk Analyses, and Training
HIPAA compliance ended with a bang in 2013, with the feds issuing the first settlement involving a health provider’s failure to have breach notification policies and procedures in place. On Dec. 24, 2013, the Department of Health and Human Services Office for Civil Rights (OCR) entered into a Resolution Agreement with Adult & Pediatric Dermatology, P.C. (AP Derm) that included a settlement of $150,000 and a corrective action plan.
OCR initiated its investigation after receiving notification of a breach of the health information of approximately 2,200 individuals. In an all-too-common scenario, the information was located on an unencrypted thumb drive stolen from the vehicle of an AP Derm workforce member and never recovered.
Although AP Derm reported the breach to OCR, notified patients of the theft within 30 days, and provided media notice, OCR still required financial settlement and a corrective action plan due to AP Derm’s alleged failure to:
- Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of electronic protected health information (ePHI) as part of its security management process;
- Fully comply with the administrative requirements of the Breach Notification Rule by having written policies and procedures in place and training workforce members; and
- Reasonably safeguard the unencrypted thumb drive that was stolen from the workforce member’s vehicle.
The settlement highlights the importance of creating and implementing breach-related policies, procedures, and training. Even if an entity appropriately provides breach notification, a lack of written policies may lead to enforcement actions by OCR. Moreover, appropriate training of workforce on safeguarding ePHI, including an emphasis on not leaving health information unattended, particularly in a parked vehicle, may avoid the breach in the first place.
As with previous settlements, OCR continues to emphasize the importance of an adequate Security Rule risk analysis for all ePHI. Covered entities and business associates who fail to conduct a risk analysis before a breach occurs potentially face performing one under the close and extended supervision of OCR.
For covered entities and business associates, adequate policies, procedures, workforce training, and risk management plans may not only help prevent and mitigate breaches of health information, but also unpleasant and costly encounters with OCR.