Employers should be aware that the Department of Health and Human Services (“HHS”) is stepping up its enforcement of requirements for covered entities, such as group health plans, to adopt and implement policies and procedures for protecting and securing protected health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). As our colleagues at InsidePrivacy recently described in a blog post, HHS Announces First HIPAA Settlement Based on Lack of Breach Notification Policies and Procedures, HHS recently reached a $150,000 settlement with Adult & Pediatric Dermatology, P.C. for the company’s failure to have written policies and procedures regarding breach notification and to train workforce members on those policies and procedures. HHS pursued the company after a thumb drive holding health information was stolen from an employee’s car.
Employers were required to amend, by the end of last September, HIPAA policies and procedures for their group health plans to comply with the breach notification requirements in the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.