As we close out 2013, the Office of Civil Rights (OCR) announced on December 26 that it settled potential HIPAA violations with Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) for $150,000.

APDerm is a private practice delivering dermatology services in four locations in Massachusetts and two in New Hampshire.

According to OCR, "this case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act." [1]

In a statement, Leon Rodriguez, the Director of OCR, advised that "Covered entities of all sizes need to give priority to securing electronic protected health information." [2]

On October 7, 2011, APDerm notified OCR that a USB drive containing unencrypted electronic protected health information (ePHI) of approximately 2,200 individuals was stolen out of the vehicle of one of its workforce members. According to the Resolution Agreement, APDerm "impermissibly disclosed the ePHI . . . by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule." [3]

On November 9, 2011, OCR notified APDerm that it would be launching an investigation into the incident.

During its investigation, OCR found the following problems:
  • APDerm did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012.
  • APDerm failed to comply with the administrative requirements of the Breach Notification Rule until February 7, 2012:
    • APDerm did not have written policies and procedures to address the Breach Notification Rule
    • APDerm did not train members of its workforce regarding the Breach Notification requirements
  • APDerm "impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one its workforce members." [4]
Under the Corrective Action Plan, APDerm must take the following steps:
  • Security Management Process
    • Conduct a comprehensive, organizational-wide risk analysis of the ePHI security risks and vulnerabilities, including review of electronic media and systems.
    • Develop a risk management plan to address and mitigate any security risks and vulnerabilities following the risk analysis and, if necessary, revise its present policies and procedures.
    • Provide to OCR for review and approval the risk analysis, risk management plan and any revised policies and procedures and implement any revisions suggested by OCR.
    • Implement, distribute, and train all appropriate staff members on the revised policies and procedures within 30 days.
  • Track and Report to OCR Any Further Breaches
    • APDerm must, "upon receiving information that a workforce member may have failed to comply with any provision of its Privacy, Security, and Breach Notification policies and procedures, promptly investigate the matter."
    • If, after the investigation, APDerm "determines that a member of its workforce has failed to comply with a provision of its Privacy, Security, and Breach Notification policies and procedures, the Covered Entity shall notify OCR in writing within thirty (30) days."
    • The report to OCR must include:
      • "A complete description of the event, including relevant facts, the persons involved, and the implicated provision(s) of the Covered Entity’s Privacy, Security, and Breach Notification policies and procedures; and" [5]
      • "A description of actions taken and any further steps the Covered Entity plans to take to address the matter, to mitigate the harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures." [6]
  • Provide to OCR an Implementation Report, which is to include, among other things,
    • "An explanation of how the Covered Entity implemented its security management process ... focusing specifically on how The Covered Entity determined whether its policies and procedures should be revised based on the risks and vulnerabilities identified in the risk analysis." [7]
    • An attestation from an APDerm officer that any revisions to policies and procedures were fully implemented and distributed to all workforce members.
    • "An attestation signed by an officer of the Covered Entity stating that he or she has reviewed the Implementation Report, has made a reasonable inquiry regarding its content and believes that, upon such inquiry, the information is accurate and truthful."
      [8]

Entities subject to HIPAA compliance should take note of the requirements in the Corrective Action Plan, particularly the list of details that a report to OCR should include. The details noted by OCR should be included in the entity's breach investigation and report checklist. Specifically, any HIPAA breach investigation checklist should include, at least, the following elements:

  1. Description of the event
  2. Person(s) involved in the event
  3. Policies and procedures that were impacted by the event
    • Privacy policies
    • Security policies
    • Breach notification policies
  4. Steps covered entity took to mitigate any perceived harm
  5. Steps covered entity will take to address the specific incident
    • Workforce member sanctions
    • Additional training requirements for all workforce members
  6. Steps covered entity will take to prevent the harm in the future

A few things to note...
  • OCR notified APDerm in November 2011 that it would launch its investigation. But, this settlement was not announced until December 2013, a full 2 years after the launch date. One has to wonder how many other investigations and settlements are currently pending.
  • Neither the Press Release nor the Resolution Agreement provided details on the specifics of APDerm disclosing ePHI "by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule." But, covered entities and their business associates should take this opportunity to carefully review the roles and responsibilities of their workforce members to ensure that only authorized individuals have access to ePHI.
  • The OCR appears to be adopting the approach taken by the SEC, where it is requiring that any submissions being made to OCR are signed and attested to by an officer of the company. This has the potential to expand the scope of liability for the attesting officer for any false statements made in the reports to OCR.
  • This is yet another case where a breach could have been prevented if the portable media device was encrypted. Covered entities, their business associates and the subcontractors of such business associates need to carefully evaluate their existing policies and, to the extent possible, implement encryption for all portable media devices, including thumb drives and laptops.

------------------
[1] HHS, Office of Civil Rights, Press Release, Dermatology practice settles potential HIPAA violations, Dec. 26, 2013, available at https://www.hhs.gov/news/press/2013pres/12/20131226a.html.

[2] Id.

[3] HHS, Resolution Agreement with Adult & Pediatric Dermatology, P.C., p. 2, Dec. 24, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.

[4] Id.

[5] HHS, Resolution Agreement with Adult & Pediatric Dermatology, P.C., Appendix A: Corrective Action Plan, p. 3 (of Appendix A), Dec. 24, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.

[6] Id.

[7] Id.

[8] Id. at 4.