A recent settlement with the US Department of Health and Human Services Office for Civil Rights (OCR) demonstrates the importance of written privacy and security policies, even when no other regulatory violation occurs. APDerm, a Massachusetts-based dermatology practice, agreed to pay $150,000 to settle claims that it violated the HIPAA and HITECH regulations by failing to have breach notification policies and procedures in place.

OCR began an investigation of APDerm after receiving a report of a lost USB thumb drive that may have contained the PHI of up to 2,200 individuals. Although the investigation uncovered no evidence that the PHI had been accessed or that anyone had been harmed, and APDerm notified the potentially affected individuals in a timely manner, the practice had no written policies and procedures implementing the breach notification rule and had not trained its workforce members on them, among other alleged HIPAA violations.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.