Paying the Price: Physician Group Faces Hefty Penalty and OCR Oversight After Failure to Conduct Security Risk Assessment and Implement Policies

What you need to know:

The Office for Civil Rights of the US Department of Health & Human Services is continuing its trend toward more aggressive enforcement of HIPAA violations.  Small provider entities are not immune from enforcement action – and the government is continuing to use fines and penalties to call attention to instances where regulated entities have failed to comply with even the most basic HIPAA requirements.

What you need to do:

HIPAA covered entities and their business associates – even small ones – should review their policies and procedures to ensure that they are up-to-date with the current legal requirements and in particular that they are actually complying with HIPAA’s risk assessment and data breach reporting requirements.

The Office for Civil Rights of the US Department of Health & Human Services (“OCR”) recently imposed a $150,000 fine on Adult and Pediatric Dermatology, PC, a physician practice with locations in Massachusetts and New Hampshire, and entered into a corrective action plan (“CAP”) with the practice.

The fine and agreement follow the September 2011 theft of an unencrypted thumb drive from a staff member’s car. While the data breach alone would have supported the imposition of a fine and/or a CAP, OCR made clear in its press release and the CAP that the settlement was driven largely by the practice’s failure to have policies, procedures and training in place to address HIPAA’s breach notification provisions. Additionally, OCR noted the practice’s lack of a thorough risk analysis related to the security of its protected health information (“PHI”) prior to the breach, as well as its failure to conduct such an analysis until nearly a year after the breach occurred.

Under the terms of the CAP, the practice is required to conduct a “comprehensive organizational-wide risk analysis” addressing security risks and vulnerabilities for all its electronic media and systems.  Based on that analysis, the practice must then develop a risk management plan to address identified risks, revise policies and procedures accordingly, and obtain OCR’s review and approval of the risk analysis, risk management plan, and the updated policies and procedures.  OCR has the right to require that changes be implemented, and the practice must train all relevant staff on the OCR-approved policies and procedures within 30 days of their approval.

The resolution also requires the practice to investigate and self-report any violation of the practice’s privacy, security or breach notification policies and procedures within 30 days.

This resolution serves as a strong reminder to those with access to protected health information that routine risk assessments and training are critical to minimizing their exposure if a breach does occur.