Just in Time for the New Year - Dermatology Clinic Settles with OCR for $150K

Just in Time for the New Year - Dermatology Clinic Settles with OCR for $150K

As we close out 2013, the Office of Civil Rights (OCR) announced on December 26 that it settled potential HIPAA violations with Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) for $150,000.

APDerm is a private practice delivering dermatology services in four locations in Massachusetts and two in New Hampshire.

According to OCR, "this case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act." [1]

In a statement, Leon Rodriguez, the Director of OCR, advised that "Covered entities of all sizes need to give priority to securing electronic protected health information." [2]

[Jump to A Few Things to Note]

On October 7, 2011, APDerm notified OCR that a USB drive containing unencrypted electronic protected health information (ePHI) of approximately 2,200 individuals was stolen out of the vehicle of one of its workforce members. According to the Resolution Agreement, APDerm "impermissibly disclosed the ePHI . . . by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule." [3]

On November 9, 2011, OCR notified APDerm that it would be launching an investigation into the incident.

During its investigation, OCR found the following problems:
  •  APDerm did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012.
  • APDerm failed to comply with the administrative requirements of the Breach Notification Rule until February 7, 2012:
    • APDerm did not have written policies and procedures to address the Breach Notification Rule
    • APDerm did not train members of its workforce regarding the Breach Notification requirements
  • APDerm "impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one its workforce members." [4]
Under the Corrective Action Plan, APDerm must take the following steps:
  • Security Management Process
    • Conduct a comprehensive, organizational-wide risk analysis of the ePHI security risks and vulnerabilities, including review of electronic media and systems.
    • Develop a risk management plan to address and mitigate any security risks and vulnerabilities following the risk analysis and, if necessary, revise its present policies and procedures.
    • Provide to OCR for review and approval the risk analysis, risk management plan and any revised policies and procedures and implement any revisions suggested by OCR.
    • Implement, distribute, and train all appropriate staff members on the revised policies and procedures within 30 days.
  • Track and Report to OCR Any Further Breaches
    • APDerm must, "upon receiving information that a workforce member may have failed to comply with any provision of its Privacy, Security, and Breach Notification policies and procedures, promptly investigate the matter."
    • If, after the investigation, APDerm "determines that a member of its workforce has failed to comply with a provision of its Privacy, Security, and Breach Notification policies and procedures, the Covered Entity shall notify OCR in writing within thirty (30) days."
    • The report to OCR must include:
      • "A complete description of the event, including relevant facts, the persons involved, and the implicated provision(s) of the Covered Entity’s Privacy, Security, and Breach Notification policies and procedures; and" [5]
      • "A description of actions taken and any further steps the Covered Entity plans to take to address the matter, to mitigate the harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures." [6]
  • Provide to OCR an Implementation Report, which is to include, among other things,
    • "An explanation of how the Covered Entity implemented its security management process ... focusing specifically on how The Covered Entity determined whether its policies and procedures should be revised based on the risks and vulnerabilities identified in the risk analysis." [7]
    • An attestation from an APDerm officer that any revisions to policies and procedures were fully implemented and distributed to all workforce members.
    • "An attestation signed by an officer of the Covered Entity stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful."

Entities subject to HIPAA compliance should take note of the requirements in the Corrective Action Plan, particularly the list of details that a report to OCR should include. The details noted by OCR should be included in the entity's breach investigation and report checklist. Specifically, any HIPAA breach investigation checklist should include, at least, the following elements:

  1. Description of the event
  2. Person(s) involved in the event
  3. Policies and procedures that were impacted by the event
    • Privacy policies
    • Security policies
    • Breach notification policies
  4. Steps covered entity took to mitigate any perceived harm
  5. Steps covered entity will take to address the specific incident
    • Workforce member sanctions
    • Additional training requirements for all workforce members
  6. Steps covered entity will take to prevent the harm in the future
A few things to note...
  • OCR notified APDerm in November 2011 that it would launch its investigation. But, this settlement was not announced until December 2013, a full 2 years after the launch date. One has to wonder how many other investigations and settlements are currently pending.
  • Neither the Press Release nor the Resolution Agreement provided details on the specifics of APDerm disclosing ePHI "by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule." But, covered entities and their business associates should take this opportunity to carefully review the roles and responsibilities of their workforce members to ensure that only authorized individuals have access to ePHI.
  • The OCR appears to be adopting the approach taken by the SEC, where it is requiring that any submissions being made to OCR are signed and attested to by an officer of the company. This has the potential to expand the scope of liability for the attesting officer for any false statements made in the reports to OCR.
  • This is yet another case where a breach could have been prevented if the portable media device was encrypted. Covered entities, their business associates and the subcontractors of such business associates need to carefully evaluate their existing policies and, to the extent possible, implement encryption for all portable media devices, including thumb drives and laptops.

[1] HHS, Office of Civil Rights, Press Release, Dermatology practice settles potential HIPAA violations, Dec. 26, 2013, available at https://www.hhs.gov/news/press/2013pres/12/20131226a.html.

[2] Id.

[3] HHS, Resolution Agreement with
Adult & Pediatric Dermatology, P.C., p. 2, Dec. 24, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.

[4] Id.

HHS, Resolution Agreement with Adult & Pediatric Dermatology, P.C., Appendix A: Corrective Action Plan, p. 3 (of Appendix A), Dec. 24, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.

[6] Id.

[7] Id.

[8] Id. at 4.

September 2021

Blog Home  

Newest Blog Entries
7/23/15 Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing

6/8/15 Two California Privacy Bills to Watch in 2015

3/28/15 When Looking at Security, Consider Every Device

3/9/15 Alabama Board of Optometry Makes Final a Rule on Telemedicine

1/25/15 Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing

12/9/14 Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider

11/30/14 Can a Board of Medicine Use the State’s Prescription Drug Database in Investigating Physician Actions?

11/29/14 Under the Florida Telemedicine Rule, Can a Physical be Conducted by Telemedicine?

11/19/14 Wearables and the Challenge for Consumer Device Makers

10/28/14 A Few Telemedicine Resources

10/27/14 FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring

Blog Archives
April 2014 (6)
February 2014 (4)
May 2014 (6)
November 2014 (3)
July 2014 (1)
June 2015 (1)
November 2013 (3)
September 2014 (1)
December 2014 (1)
January 2015 (1)
June 2014 (3)
December 2013 (5)
March 2015 (2)
October 2013 (9)
July 2015 (1)
October 2014 (2)
March 2014 (3)
August 2014 (4)
January 2014 (4)

Blog Labels
Dental (1)
FCC (1)
Financial Services (1)
Mobile Apps (2)
Medical Marijuana (1)
Employment (1)
FAQ (6)
Meaningful Use (4)
EHR (2)
Privacy Litigation (3)
Identity Theft (1)
Security (1)
Healthcare Fraud (1)
Marketing (1)
BYOD (2)
Social Media (2)
Mobile Apps FDA (2)
Data Breach (10)
Big Data (3)
Healthcare Competition (1)
Privacy (4)
Telemedicine (7)