Coming to a Medical Practice near You: HIPAA and Hi-Tech Audits (Health Insurance Portability and Accountability Act)
Tuesday, February 4, 2014
Christopher Shaughnessy, Health care, Attorney, McBrayer, Law Firm
Print Mail Download i

On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.

In 2011, the Practice notified OCR that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals was stolen from a staff member’s vehicle. OCR launched a subsequent investigation and found that the Practice had failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of confidential ePHI as part of its security management process.  Further, the Practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

The Final Omnibus Rule has been discussed at length on this blog (here and here) and compliance was mandated by September 23, 2013. Providers should already have policies and procedures implemented to correspond with the Final Rule, reflect current technology, and address ePHI. The OCR’s December settlement, however, serves as a startling reminder that providers of every size are being audited. No entity is too small and medical practice practitioners are gravely mistaken if they think they are off OCR’s radar.

The importance of HIPAA risk analysis cannot be stressed enough. The Practice failed to have a risk analysis and paid the costly consequences. Not only is an analysis required as the first step in HIPAA Security Rule compliance, but it is also a Core Measure of Stage 1 and 2 “Meaningful Use.”

The Practice’s troubles began over a lost thumb drive. Does your practice use thumb drives? How about laptops? Mobile phones? Have you accounted for the use and misuse of these devices in your HIPAA risk analysis? On Thursday, we will review the risks associated with these devices and how encryption of ePHI can help insulate your practice from liability.

© 2024 by McBrayer, McGinnis, Leslie & Kirkland, PLLC. All rights reserved.

Current Legal Analysis

More from McBrayer, McGinnis, Leslie and Kirkland, PLLC

Businesses Receive Greater Clarity on Obligations under Federal Law
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
Public Improvement Liens on Government-Owned Projects
by: Brendan R. Yates
Providers Wary after First Ruling on CMS 60-Day Rule
by: Christopher J. Shaughnessy
Anheuser-Busch to sell distributorship in compliance with Kentucky law
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
Estate Planning for Same-Sex Couples After Obergefell
by: McBrayer, McGinnis, Leslie & Kirkland, PLLC
CMS Sends a Lifeline on Stark after Tuomey Affirmed: What Health Providers Should Know
by: Anne-Tyler Morgan
Disparate Impact Claims Fair Game under the Fair Housing Act
by: Preston Clark Worley
How Should Employers Provide Bathrooms for Transgender Employees? OSHA Has the Answer.
by: Amy D. Cubbage
Congratulations on the Birth of Your New Tax Exemption! (Tax Breaks for New Parents)
by: Matthew Koch
NLRB Protects a New Kind of Employee Activity: Worrying About Your Job
by: Luke A. Wingfield

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins