Recent HIPAA Settlement Highlights Danger of Failure to Perform Security Risk Assessments, Implement HIPAA Policies and Train Employees

James Catanzaro, Jr., Calvin Marshall, Jr.
Chambliss, Bahner & Stophel, P.C.
Contact
LinkedIn
Facebook
X
Send
Embed

A recent Health Insurance Portability and Accountability Act ("HIPAA") settlement, which is notable as the first HIPAA settlement with a covered entity for failure to have policies and procedures in place to comply with HIPAA's breach notification provisions, offers a cautionary note for HIPAA covered entities and their business associates.  On December 26, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services announced a HIPAA settlement with a Massachusetts and New Hampshire dermatology practice.  The settlement followed a reported breach in which an unencrypted flash drive containing the electronic protected health information ("ePHI") of approximately 2,200 individuals was stolen from the vehicle of a staff member of the practice.
 
Upon investigating the breach, OCR determined that the practice had failed to conduct a formal analysis of the risks and vulnerabilities to the confidentiality of ePHI for which the practice was responsible, had failed to create breach notification policies and procedures, and had failed to implement employee breach notification training—all of which are required by HIPAA.  As a result of OCR's determinations, the practice entered into a settlement requiring it to pay a $150,000 fine and implement a corrective action plan to correct the deficiencies in its HIPAA compliance program.
 
This settlement reemphasizes the need for covered entities to conduct a formal risk assessment evaluating risks and vulnerabilities to ePHI for which they are responsible, to implement complete HIPAA policies and procedures, including breach notification policies and procedures, and to properly train workforce members in HIPAA compliance.  Much of the same is true for business associates, to whom some of these requirements, including conducting risk assessments and creating security policies and procedures, now directly apply under the HIPAA Omnibus Rule, which was fully implemented on September 23, 2013.  As this settlement indicates, failure to comply with such requirements can make an already expensive data breach reporting situation much more costly.  Thus, covered entities or business associates that lack HIPAA policies and procedures, have outdated policies and procedures, have not conducted any recent risk assessment or have not implemented employee training programs should act quickly to resolve such issues.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Chambliss, Bahner & Stophel, P.C. | Attorney Advertising

Written by:

Chambliss, Bahner & Stophel, P.C.
Chambliss, Bahner & Stophel, P.C.
Contact
more
less

Chambliss, Bahner & Stophel, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide