The Department of Health and Human Services (“HHS”) announced on December 26th that Adult & Pediatric Dermatology, P.C. (“APDerm”) has agreed to a $150,000 settlement to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
The HHS Office of Civil Rights (“OCR”) investigation began as a result of a report that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals was stolen from an APDerm staff member’s vehicle. The thumb drive was never recovered. After investigation, the OCR determined that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI and did not fully comply with the requirements of the Breach Notification Rule to have written policies and procedures in place and to train workforce members. OCR Director Leon Rodriguez stated in the HHS press release that “…a good risk management plan is all about – identifying and mitigating risk before bad things happen. Covered entities of all sizes need to give priority to securing electronic protected health information.”
The HHS press release as well as the resolution agreement with corrective action plan between OCR and APDerm can be found here.