Throughout 2013, HHS OCR has stated that covered entities of all sizes need to give priority to securing ePHI. In addition, HHS OCR has recommended that covered entities identify and mitigate risks before an incident occurs. HHS OCR’s enforcement activity during 2013 has focused on covered entities large and small. To end 2013, HHS OCR has issued its 6th resolution agreement with Adult & Pediatric Dermatology, P.C. (APDerm), a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. APDerm has agreed to a $150,000 resolution amount and a corrective action plan (CAP) to correct deficiencies in its HIPAA compliance program. This resolution agreement is HHS OCR’s first settlement pertaining to a covered entity’s failure to have policies and procedures in place to address the breach notification provisions of the HITECH Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
On October 7, 2011, APDerm notified HHS OCR that an unencrypted thumb drive containing the ePHI relating to the performance of Mohs surgery of approximately 2,200 individuals was stolen from the vehicle of one of its employees. On November 9, 2011, HHS OCR began its investigation into the incident and found the following:
- APDerm failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 1, 2012;
- APDerm failed to fully comply with the administrative requirements of the Breach Notification Rule by failing to have written policies and procedures in place, and failing to train members of its workforce, regarding the Breach Notification requirements until February 7, 2012;
- APDerm disclosed the ePHI of up to 2,200 individuals without permission on September 14, 2011 when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle belonging to an APDerm employee.
The CAP focuses on APDerm’s security management process and reportable events. Specifically, on a strict timeline with reporting requirements to HHS OCR, APDerm shall:
- conduct a comprehensive, organization-wide risk analysis of the ePHI security risks and vulnerabilities that incorporates all of APDerm’s electronic media and systems;
- develop a risk management plan to address and mitigate any security risks and vulnerabilities following the risk analysis and, if necessary, revise its present policies and procedures, all of which must be submitted to OCR for comment and approval;
- upon receiving information that a workforce member may have failed to comply with any provision of APDerm’s Privacy, Security, and Breach Notification policies and procedures, promptly investigate the matter. If APDerm, after review and investigation, determines that an employee has failed to comply with a provision of its policies and procedures, APDerm shall notify OCR in writing within thirty (30) days.
Enforcement activity is likely to increase in 2014 given OIG’s November 2013 report regarding OCR oversight and enforcement of the HIPAA Security Rule. OCR will continue to focus on what an organization is not doing, and on whether the proper analysis is being conducted. HHS OCR Director Rodriguez has acknowledged that breaches of PHI are going to happen, as risks exist even where organizations are doing everything right. An organization must proactively identify risks, remedy them, and change its practices where needed.