Often, when I am discussing HIPAA privacy compliance, I am asked about possible penalties for privacy breaches. Plan sponsors sometimes overlook the fact that failing to have a privacy compliance package in place is itself a violation and can lead to some hefty penalties. Such was the case for Adult & Pediatric Dermatology, P.C., a medical provider that had a security breach. While the facts may not be specific to a covered plan, they should serve as a reminder of the potential consequences for failing to be HIPAA compliant.
The provider had a thumb drive stolen from one of the vehicles of a staff member. It was unencrypted and had PHI for about 2,200 people. The Department of Health and Human Services Office for Civil Rights opened an investigation that revealed that the provider had not conducted an analysis of the potential risks and vulnerabilities as part of its security management process. More importantly, HHS also determined that the provider did not fully comply with requirements of the Breach Notification Rule and that it did not have written policies in place or procedures to train employees on HIPAA privacy and handling of PHI. The provider ended up settling the claim for a $150,000 penalty.
This result is significant for 2 reasons. First, it is the first reported settlement of a claim for failure to have policies and procedures in place under the Breach Notification rules under the HITECH Act. Second, it shows that the Office of Civil Rights is serious about investigating instances of an alleged breach and enforcing the rules related to privacy compliance. Covered entities (like health plans) are under an affirmative obligation to implement HIPAA Privacy and Security compliance policies, monitor and train employees and take steps to avoid breaches. There is a reporting obligation if a breach occurs and penalties can come into play not just for the breach, but for failing to comply to prevent the breach from occurring.
At a time when plan sponsors are struggling to comply with the requirements of PPACA, other rules like ERISA and HIPAA Medical Privacy can get overlooked. Employers would do well to remember that sponsoring a health plan means complying with all of the various regulations, not just the ones in the media right now. For help locating and complying with all of the requirements for benefit plans, ask your attorney at Fox Rothschild for assistance.