A recent Health Insurance Portability and Accountability Act ("HIPAA") settlement, which is notable as the first HIPAA settlement with a covered entity for failure to have policies and procedures in place to comply with HIPAA's breach notification provisions, offers a cautionary note for HIPAA covered entities and their business associates. On December 26, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services announced a HIPAA settlement with a Massachusetts and New Hampshire dermatology practice. The settlement followed a reported breach in which an unencrypted flash drive containing the electronic protected health information ("ePHI") of approximately 2,200 individuals was stolen from the vehicle of a staff member of the practice.
Upon investigating the breach, OCR determined that the practice had failed to conduct a formal analysis of the risks and vulnerabilities to the confidentiality of ePHI for which the practice was responsible, had failed to create breach notification policies and procedures, and had failed to implement employee breach notification training—all of which are required by HIPAA. As a result of OCR's determinations, the practice entered into a settlement requiring it to pay a $150,000 fine and implement a corrective action plan to correct the deficiencies in its HIPAA compliance program.
This settlement reemphasizes the need for covered entities to conduct a formal risk assessment evaluating risks and vulnerabilities to ePHI for which they are responsible, to implement complete HIPAA policies and procedures, including breach notification policies and procedures, and to properly train workforce members in HIPAA compliance. Much of the same is true for business associates, to whom some of these requirements, including conducting risk assessments and creating security policies and procedures, now directly apply under the HIPAA Omnibus Rule, which was fully implemented on September 23, 2013. As this settlement indicates, failure to comply with such requirements can make an already expensive data breach reporting situation much more costly. Thus, covered entities or business associates that lack HIPAA policies and procedures, have outdated policies and procedures, have not conducted any recent risk assessment or have not implemented employee training programs should act quickly to resolve such issues.