Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Dermatology Practice HIPAA Breach Results in Settlement with OCR

Dermatology Practice HIPAA Breach (December 30, 2013):  A Concord, Massachusetts dermatology practice has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services (HHS).  The settlement is notable because it follows an investigation by the HHS Office for Civil Rights (OCR) that was opened after the practice itself reported a breach of patient health information.  Importantly, this dermatology practice HIPAA breach was reportedly the first case handled by OCR in which the covered entity did not have the breach notification policies and procedures required under the HITECH Act in place at the time of the breach.

I.  The HIPAA Breach Notification Rule Requirements:

On January 17, 2013, HHS issued its final HIPAA Omnibus Rule[1], which changed many aspects of the Privacy Rule. The Omnibus Rule became effective on March 26, 2013, and HIPAA covered entities and business associates had to comply with its requirements no later than September 23, 2013. The rule comprised four final rules, one of which modified the interim final rule for Breach Notification for Unsecured Protected Health Information[2] (the “Breach Notification Rule”).  The Omnibus Rule strengthened the Breach Notification Rule with more objective standards. Most notably, it replaced the earlier “risk of harm” threshold with a presumption that any acquisition, access, use, or disclosure of protected health information (PHI) that violates the HIPAA Privacy Rule is a breach, unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

Furthermore, under the Health Information Technology for Economic and Clinical Health Act (“HITECH”), covered entities must notify affected individuals, the Secretary of HHS, and, in certain circumstances, the media in the event of a breach of unsecured PHI.

For individuals, the notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of the breach. The notification must include, to the extent possible, a description of the breach, a description of the type(s) of information involved, the steps affected individuals should take to protect themselves from potential harm, and a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent future breaches. If the breach affects more than 500 residents of a State or jurisdiction, the covered entity must also provide notice to prominent media outlets serving that State or jurisdiction. Finally, covered entities must notify the Secretary of HHS of breaches of unsecured PHI through the HHS web site.  If the breach affects 500 or more individuals, this notice to the Secretary must be made without unreasonable delay and in no case later than 60 days following discovery of the breach.

II.  Dermatology Practice Voluntarily Discloses a Breach:

The Massachusetts dermatology practice at issue is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. On October 7, 2011, the provider reported to HHS a breach of its unsecured electronic PHI (ePHI). The breach occurred after an unencrypted thumb drive, which stored ePHI regarding surgeries of approximately 2,200 individuals, was stolen from a staff member’s car. The thumb drive was never recovered. Because the drive was unencrypted, the ePHI on it was “unsecured” within the meaning of the Breach Notification Rule, and the theft was therefore a reportable breach.

As the Breach Notification Rule requires, the provider notified its patients within 30 days of the theft and provided notice to the local media. On November 9, 2011, HHS notified the provider that OCR intended to investigate the provider’s compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

III.  Potential Violations of HIPAA:

OCR’s investigation revealed several notable deficiencies in the practice’s risk management and compliance practices. In particular, the investigation found that:

The provider did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012;

The provider did not fully comply with the requirements of the Breach Notification Rule, which requires covered entities to have written policies and procedures and to train workforce members on those policies and procedures, until February 7, 2012; and

The provider failed to reasonably safeguard the thumb drive that was ultimately stolen.

These findings show that the provider’s problem was not how it responded to the breach; by all accounts it reported and notified properly.  Instead, OCR’s review focused on whether the practice was compliant with the Privacy, Security, and Breach Notification Rules before the incident, and on whether the breach could have been avoided in the first place.

IV.  The Cost of this Dermatology Practice HIPAA Breach:

This dermatology practice HIPAA breach was ultimately settled for $150,000. The provider is also required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  In particular, the provider must develop a risk analysis and a risk management plan that addresses and mitigates the security risks and vulnerabilities identified within its practice. The provider must also report to OCR on its implementation of that plan as part of the settlement agreement.

Notably, in its Press Release, HHS acknowledged that this settlement is the first where a covered entity has not had policies and procedures in place to address the breach notification provisions of the HITECH Act. “As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.”

V.  Final Remarks:

Providers and other covered entities must understand the problems associated with an unexpected theft or other event that results in a reportable breach.  As this case demonstrates, a breach of PHI may open the provider up to a compliance investigation by OCR.  That investigation can lead to civil monetary penalties or a settlement such as this one and, where conduct is knowing and willful, to criminal referral.

It is imperative that all covered entities affirmatively review the mandatory requirements under the new HIPAA Omnibus Rule.  Frankly, there is no valid excuse for a covered entity not to have already conducted a proper risk assessment of its practice. Appropriate safeguards to protect individual patient PHI must be instituted to ensure that a breach does not occur. In this case, one such safeguard stands out: had the thumb drive been encrypted in a manner consistent with HHS guidance, the ePHI on it would have been “secured” and its theft would not have been a reportable breach of unsecured PHI. Don’t let a stolen thumb drive be the first time you assess the safety and security of your PHI. Taking measures to implement an effective compliance plan is just your first step. In doing so, you can better ensure that your continuing obligation to fully comply with applicable statutory and regulatory requirements is being met.  Need help setting up your Compliance Plan?  Give us a call.

Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law.  Liles Parker attorneys represent health care providers and suppliers around the country in connection with Medicare audits, HIPAA privacy requirements and other health law issues.  For a free consultation, call Robert at:  1 (800) 475-1906.


[1] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013), available at www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

[2] See 45 C.F.R., part 164, subpart D.
