Last week, Department of Health and Human Services (HHS) announced that Adult & Pediatric Dermatology, P.C. (APDerm) of Concord, Mass., will pay $150,000 in data breach fines. The most interesting part of the news wasn’t the amount of money that APDerm had to pay – it was the fact that the fine was the first handed out because of a HITECH violation.
According to HHS, this was the first settlement involving a covered entity having not put policies and procedures in place to address the breach notification provisions of the HITECH Act. Though HITECH, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA), is often lumped together with HIPAA, HITECH’s Breach Notification requirements are worth revisiting.
The regulations, developed by OCR, require healthcare providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.
APDerm’s Corrective Action Plan (CAP)
Within one year following its CAP effective date, which wasn’t included in the report, ADDerm will have to conduct a comprehensive, organizational-wide risk analysis of the ePHI security risks and vulnerabilities that incorporate all of its electronic media and systems. And it will develop a risk management plan to address and mitigate any security risks and vulnerabilities following the risk analysis and, if necessary, revise its present policies and procedures. The risk analysis, risk management plan and any revised policies and procedures shall be forwarded to OCR for review and approval within 60 days of the date it completes the risk management plan.
Upon receiving OCR’s notice of required revisions, if any, [APDerm] shall have 30 days to incorporate the required revisions and provide the revised risk management plan or policies and procedures to OCR for review and approval. If revisions to the Covered Entity’s policies and procedures are required, the Covered Entity shall implement, distribute, and train all appropriate staff members on the revised policies and procedures within 30 calendar days of OCR’s approval, in accordance with its applicable administrative procedures for training.
And during the compliance term, the APDerm shall, upon receiving information that a workforce member may have failed to comply with any provision of its Privacy, Security, and Breach Notification policies and procedures, promptly investigate the matter. If APDerm, after review and investigation, determines that a member of its workforce has failed to comply with a provision of its Privacy, Security, and Breach Notification policies and procedures, APDerm shall notify OCR in writing within thirty (30) days. Such violations shall be known as “Reportable Events.” The report to OCR shall include the following:
a. A complete description of the event, including relevant facts, the persons involved, and the implicated provision(s) of the Covered Entity’s Privacy, Security, and Breach Notification policies and procedures; and
b. A description of actions taken and any further steps the Covered Entity plans to take to address the matter, to mitigate the harm, and to prevent it from recurring, including the application of appropriate sanctions against workforce members who failed to comply with its Privacy, Security, and Breach Notification policies and procedures.
2. If no Reportable Events occur during the Compliance Term, the Covered Entity shall advise OCR of this fact in the Implementation Report.