It’s Not Enough to Notify: Don’t Forget the Policies, Risk Analyses, and Training

Davis Wright Tremaine LLP

HIPAA enforcement in 2013 ended with a bang: the federal government issued its first settlement involving a health care provider's failure to have breach notification policies and procedures in place. On Dec. 24, 2013, the Department of Health and Human Services Office for Civil Rights (OCR) entered into a Resolution Agreement with Adult & Pediatric Dermatology, P.C. (AP Derm) that included a $150,000 settlement payment and a corrective action plan.

OCR initiated its investigation after receiving notification of a breach of the health information of approximately 2,200 individuals. In an all-too-common scenario, the information was located on an unencrypted thumb drive stolen from the vehicle of an AP Derm workforce member and never recovered.

Although AP Derm reported the breach to OCR, notified patients of the theft within 30 days, and provided media notice, OCR still required financial settlement and a corrective action plan due to AP Derm’s alleged failure to:

  • Conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of electronic protected health information (ePHI) as part of its security management process;
  • Fully comply with the administrative requirements of the Breach Notification Rule by having written policies and procedures in place and training workforce members; and
  • Reasonably safeguard the unencrypted thumb drive that was stolen from the workforce member’s vehicle.

Lessons learned
The settlement highlights the importance of creating and implementing breach-related policies, procedures, and training. Even if an entity provides breach notification correctly and on time, the absence of written policies and procedures can by itself lead to an enforcement action by OCR. Appropriate workforce training on safeguarding ePHI, including an emphasis on never leaving portable devices containing health information unattended, particularly in a parked vehicle, may prevent such a breach in the first place. Worth noting as well: the incident was reportable because the thumb drive was unencrypted; under HHS guidance, ePHI encrypted in accordance with NIST standards is not "unsecured" protected health information, so the loss or theft of a properly encrypted device generally does not trigger the Breach Notification Rule at all.

As with previous settlements, OCR continues to emphasize the importance of an adequate Security Rule risk analysis for all ePHI. Covered entities and business associates who fail to conduct a risk analysis before a breach occurs potentially face performing one under the close and extended supervision of OCR.

For covered entities and business associates, adequate policies, procedures, workforce training, and risk management plans may help prevent and mitigate not only breaches of health information but also unpleasant and costly encounters with OCR.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising