A new settlement agreement announced by the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) shows health plans, health care providers, health care clearinghouses and their business associates the perils of failing to properly implement the necessary policies and procedures to comply with the breach notification requirements added to the Health Insurance Portability & Accountability Act of 1996 (HIPAA) by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
Private dermatology practice Adult & Pediatric Dermatology, P.C. (APDerm) has agreed to pay $150,000 and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. The APDerm settlement marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.
According to its December 26, 2013 announcement of the settlement, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.
Enforcement Actions Highlight Growing HIPAA Exposures For Covered Entities
The APDerm settlement provides more evidence of the growing exposures facing health care providers, health plans, health care clearinghouses and their business associates, and of their need to carefully and appropriately manage their HIPAA responsibilities. See HIPAA Heats Up: HITECH Act Changes Take Effect & OCR Begins Posting Names, Other Details Of Unsecured PHI Breach Reports On Website. It joins the growing list of settlement or resolution agreements under HIPAA announced by OCR.
The APDerm settlement also is notable both because it settles the first ever charges against a covered entity for failing to adopt required Breach Notification policies and procedures and because of the relatively modest settlement payment required in comparison to other announced settlements. Other settlements have been significantly higher. For instance, OCR required Blue Cross Blue Shield of Tennessee (BCBST) to pay $1.5 million to resolve HIPAA violations charges.
For Representation, Training & Other Resources
If you need assistance monitoring HIPAA and other health and health plan related regulatory policy or enforcement developments, or to review or respond to these or other health care or health IT related risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help.
Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. She regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others.
For the past two years, Ms. Stamer has served as the scribe for the ABA Joint Committee on Employee Benefits agency meeting with OCR. Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, and publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the second year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.
If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters, please contact Ms. Stamer at (469) 767-8872 or via e-mail here.
©2013 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc. All rights reserved.