Compliance program must be strong
Case resulted in $150,000 settlement
Executive summary
A dermatology practice recently settled allegations of privacy law violations for $150,000. The fine and other sanctions appear to be the result of systematic failures in the compliance program rather than the breach itself.
- Even a small breach can open the door to an inspection of your entire program.
- This is the first settlement regarding a failure to have policies and procedures for breach notification.
- The settlement includes a corrective action plan.
What might seem like a rather minor data breach could lead to bigger problems if it opens the door to investigators taking a look at your entire Health Insurance Portability and Accountability Act (HIPAA) compliance program. That situation is what happened with Adult & Pediatric Dermatology (APDerm) of Concord, MA, which recently settled allegations of HIPAA violations for $150,000.
APDerm will be required to implement a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), notes Shannon Hartsfield Salimone, JD, a partner with the law firm of Holland & Knight in Tallahassee, FL.
The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (PHI) of about 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered.
The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security management process, according to a statement from the OCR. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
"As we say in healthcare, an ounce of prevention is worth a pound of cure," OCR Director Leon Rodriguez said in announcing the settlement. "That is what a good risk management process is all about: identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."
HHS found in its investigation that the practice did not conduct an accurate and thorough security risk analysis until more than one year after the breach. Additionally, the covered entity did not implement the requirements of the HIPAA Breach Notification Rule to have written policies and procedures and train its workforce members until Feb. 7, 2012. In the settlement agreement, the practice did not admit liability, and HHS did not concede that the practice was in compliance.
Among other things, the CAP requires the practice to, within one year, conduct a new risk analysis, and then to develop a risk management plan that must be reviewed and approved by OCR. The practice also must report any HIPAA violations to OCR within 30 days. The full terms of the settlement are available online at http://tinyurl.com/DermSettlement.
Although the $150,000 payment is not extraordinary, Salimone says the case illustrates how healthcare providers can find themselves in quicksand once data is compromised. "From the settlement, it was clear they were not being penalized just for the breach," she says. "Instead, it seems this was the result of what the Office for Civil Rights perceived as a lack of compliance with the basic requirements of the security rule. All covered entities are required to do a documented risk analysis, which presumably would have turned up the fact that this practice wasn't being as careful as it should on training employees."
The case also illustrates how doing the right thing by reporting a data breach can prompt more trouble than the breach itself. "From an enforcement perspective, no good deed goes unpunished. That seems to be the entry point for a lot of these Office for Civil Rights enforcement activities," Salimone says. "To me it seems a little bit unfair to just go after these folks who have done the right thing by reporting, and it would be more fair to have some sort of random auditing. But they don't have the budget for that, and I'm not sure that's on the horizon."
Because any breach could invite investigators in for a close look at your HIPAA compliance program, it is important to evaluate your program for any shortcomings and constantly improve, Salimone says. (See the story below for the most common failings of a HIPAA compliance program.)
"If you have a breach and you can show that you had those protections in place ahead of time and you did everything you could reasonably to prevent it, I think you're going to be less subject to penalties," Salimone says.
Source
- Shannon Hartsfield Salimone, JD, Partner, Holland & Knight, Tallahassee, FL. Telephone: (850) 425-5642. Email: [email protected].