Recent HIPAA Settlement Highlights Danger of Failure to Perform Security Risk Assessments, Implement HIPAA Policies and Train Employees

A recent Health Insurance Portability and Accountability Act ("HIPAA") settlement, which is notable as the first HIPAA settlement with a covered entity for failure to have policies and procedures in place to comply with HIPAA's breach notification provisions, offers a cautionary note for HIPAA covered entities and their business associates.  On December 26, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services announced a HIPAA settlement with a Massachusetts and New Hampshire dermatology practice.  The settlement followed a reported breach in which an unencrypted flash drive containing the electronic protected health information ("ePHI") of approximately 2,200 individuals was stolen from the vehicle of a staff member of the practice.
Upon investigating the breach, OCR determined that the practice had failed to conduct a formal analysis of the risks and vulnerabilities to the confidentiality of ePHI for which the practice was responsible, had failed to create breach notification policies and procedures, and had failed to implement employee breach notification training—all of which are required by HIPAA.  As a result of OCR's determinations, the practice entered into a settlement requiring it to pay a $150,000 fine and implement a corrective action plan to correct the deficiencies in its HIPAA compliance program.
This settlement reemphasizes the need for covered entities to conduct a formal risk assessment evaluating risks and vulnerabilities to ePHI for which they are responsible, to implement complete HIPAA policies and procedures, including breach notification policies and procedures, and to properly train workforce members in HIPAA compliance.  Much of the same is true for business associates, to whom some of these requirements, including conducting risk assessments and creating security policies and procedures, now directly apply under the HIPAA Omnibus Rule, which was fully implemented on September 23, 2013.  As this settlement indicates, failure to comply with such requirements can make an already expensive data breach reporting situation much more costly.  Thus, covered entities or business associates that lack HIPAA policies and procedures, have outdated policies and procedures, have not conducted any recent risk assessment or have not implemented employee training programs should act quickly to resolve such issues.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Chambliss, Bahner & Stophel, P.C. | Attorney Advertising

Written by: Chambliss, Bahner & Stophel, P.C.
