Recent HIPAA Settlement Highlights Danger of Failure to Perform Security Risk Assessments, Implement HIPAA Policies and Train Employees

A recent Health Insurance Portability and Accountability Act ("HIPAA") settlement, which is notable as the first HIPAA settlement with a covered entity for failure to have policies and procedures in place to comply with HIPAA's breach notification provisions, offers a cautionary note for HIPAA covered entities and their business associates.  On December 26, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services announced a HIPAA settlement with a Massachusetts and New Hampshire dermatology practice.  The settlement followed a reported breach in which an unencrypted flash drive containing the electronic protected health information ("ePHI") of approximately 2,200 individuals was stolen from the vehicle of a staff member of the practice.
Upon investigating the breach, OCR determined that the practice had failed to conduct a formal analysis of the risks and vulnerabilities to the confidentiality of the ePHI for which it was responsible, had failed to create breach notification policies and procedures, and had failed to train its workforce on breach notification, all of which HIPAA requires. As a result of OCR's determinations, the practice entered into a resolution agreement requiring it to pay $150,000 and to implement a corrective action plan addressing the deficiencies in its HIPAA compliance program.
This settlement reemphasizes the need for covered entities to conduct a formal risk assessment evaluating the risks and vulnerabilities to the ePHI for which they are responsible, to implement complete HIPAA policies and procedures, including breach notification policies and procedures, and to properly train workforce members in HIPAA compliance. The breach itself also shows why the risk assessment matters in practice: a documented analysis of where ePHI resides should address portable media such as flash drives and laptops, and ePHI encrypted in a manner consistent with HHS guidance is not "unsecured" PHI, so the loss of an encrypted device would not have triggered breach notification at all. Much of the same is true for business associates, to whom some of these requirements, including conducting risk assessments and creating security policies and procedures, now directly apply under the HIPAA Omnibus Rule, which had a compliance date of September 23, 2013. As this settlement indicates, failure to comply with such requirements can make an already expensive data breach reporting situation much more costly. Thus, covered entities or business associates that lack HIPAA policies and procedures, have outdated policies and procedures, have not conducted a recent risk assessment or have not implemented workforce training programs should act quickly to resolve those gaps.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Chambliss, Bahner & Stophel, P.C. | Attorney Advertising
