Dec. 27 -- A Massachusetts-based dermatology practice has agreed to pay $150,000 to settle claims that it violated federal privacy rules, the Department of Health and Human Services announced Dec. 26.
The pact marks the first settlement with a Health Insurance Portability and Accountability Act-covered entity for failing to have sufficient policies and procedures in place to address the breach notification provisions in the Health Information Technology for Economic and Clinical Health Act, the HHS said in a statement.
The HHS Office for Civil Rights said that Adult & Pediatric Dermatology PC (APDerm) of Concord, Mass., is also required, as part of a resolution agreement, to put in place a corrective action plan to address deficiencies in its HIPAA compliance program. The corrective action plan requires APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to the OCR.
The OCR said it opened an investigation of APDerm after receiving a report from the dermatology practice in October 2011 that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered.
According to the resolution agreement, APDerm notified its patients of the theft of the thumb drive within 30 days of the theft and provided media notice at that time.
However, the OCR said its investigation revealed that APDerm hadn't conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until October 2012. The company also failed to have written policies and procedures in place and failed to train workforce members, as required under HIPAA rules, until February 2012, according to the OCR.
The OCR said in the agreement that it found that APDerm “impermissibly disclosed the ePHI of up to 2,200 individuals by providing an unauthorized individual access to said ePHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle” of one of its workers.
“As we say in health care, an ounce of prevention is worth a pound of cure,” OCR Director Leon Rodriguez said in the statement. “That is what a good risk management process is all about--identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”
APDerm told Bloomberg BNA in a statement Dec. 27 that, “Along with protecting our patients' health and safety, protecting their privacy is our highest priority.”
The practice, which has four locations in Massachusetts and two in New Hampshire, said the stolen information didn't include any financial information or sensitive health information.
“We reached out to every patient that may have been affected and have worked diligently to put measures in place to ensure the safety and security of our patients' information,” the company said.
APDerm said it is disappointed with the amount of the settlement, “given that the flash drive was never used to anyone's knowledge, nor did it contain financial information that could be used to harm anyone. We have agreed to pay the settlement amount rather than incur the additional costs of a hearing.”
The resolution agreement states that the agreement isn't a concession of liability by APDerm.
To contact the reporter on this story: Martha Kessler in Boston at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com
The resolution agreement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf.