The theft of an unencrypted flash drive has led to an agreement
by Adult & Pediatric Dermatology, P.C., of Concord, Mass.
(APDerm), to pay $150,000 to the Department of Health and Human
Services' Office for Civil Rights (OCR) to settle potential
violations of the Health Insurance Portability and Accountability
Act of 1996 (HIPAA) Privacy, Security, and Breach Notification
Rules. APDerm will also be required to implement a corrective
action plan to correct deficiencies in its HIPAA compliance
program. APDerm is a private practice that delivers dermatology
services in four locations in Massachusetts and two in New
Hampshire.
This case marks the first settlement with a covered entity for not
having policies and procedures in place to address the breach
notification provisions of the Health Information Technology for
Economic and Clinical Health (HITECH) Act, passed as part of the
American Recovery and Reinvestment Act of 2009. Significantly, it
also marks one of the few instances where OCR has taken enforcement
action against a smaller covered entity provider.
OCR opened an investigation of APDerm upon receiving a report that
an unencrypted flash drive containing the electronic protected
health information (ePHI) of approximately 2,200 individuals was
stolen from a vehicle of one of its staff members. The flash drive was
never recovered, and the investigation revealed that APDerm had not
conducted "an accurate and thorough analysis of the potential
risks and vulnerabilities to the confidentiality of ePHI" as
part of its security management process. In other words, OCR
continues to target the failure of covered entities to conduct a
risk assessment under the Security Rule. Furthermore, OCR focused
on APDerm's failure to maintain appropriate policies and
procedures, as well as the associated training, pursuant to the
requirements of the Breach Notification Rule.
In addition to a $150,000 settlement, OCR imposed a corrective
action plan requiring APDerm to develop a risk analysis and risk
management plan to address and mitigate any security risks and
vulnerabilities, as well as to provide an implementation report to
OCR.
A copy of the Resolution Agreement and Corrective Action Plan may
be found here.
This article is presented for informational purposes only and is not intended to constitute legal advice.