Shannon Hartsfield Salimone is a Partner in our Tallahassee office

The Department of Health and Human Services (HHS), on December 26, 2013, announced a settlement with Adult & Pediatric Dermatology, P.C., a dermatology practice in Concord, Massachusetts. This settlement, which resulted from an HHS Office for Civil Rights (OCR) investigation, illustrates the importance of a thorough HIPAA compliance program. It also shows that settlements may take years to negotiate. The matter began on September 14, 2011 when an unencrypted thumb drive was stolen from an unattended vehicle. Less than a month later, the practice notified HHS of the data breach involving 2,200 patient records. The thumb drive was never found. As required by HIPAA, the practice notified patients and the media of the theft, well within the required deadlines. HHS opened an investigation on November 9, 2011, and the settlement was not announced for more than two years.

HHS found, in its investigation, that the practice did not conduct an accurate and thorough security risk analysis until more than one year after the breach. Additionally, the covered entity did not implement the requirements of the HIPAA Breach Notification Rule to have written policies and procedures and train its workforce members until February 7, 2012. In the settlement agreement, the practice did not admit liability, but HHS refused to concede that the practice was in compliance. The practice had to pay a $150,000 resolution amount and enter into a Corrective Action Plan (CAP). Among other things, the CAP requires the practice to, within one year, conduct a new risk analysis and then develop a risk management plan that must be reviewed and approved by OCR. The practice must also report any HIPAA violations to OCR within 30 days. Full details of the settlement are available here.

In a press release regarding the settlement, Leon Rodriguez, the OCR Director, stated, "As we say in health care, an ounce of prevention is worth a pound of cure. That is what a good risk management process is all about - identifying and mitigating risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information." President Obama recently announced that Mr. Rodriguez, who has been widely admired in his role as Director of OCR, is up for a new job. He has been nominated to become the Director of the United States Citizenship and Immigration Services office of the Department of Homeland Security. The full press release is available here. It remains to be seen whether this leadership change will result in increased HIPAA enforcement. Stay tuned for more updates on OCR enforcement and leadership changes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.