ATTORNEY ADVERTISING


Dermatology Practice Pays $150,000 to Settle Allegations of HIPAA Violations

On December 26, 2013, the Department of Health and Human Services (“HHS”) and Adult & Pediatric Dermatology, P.C. (“APDerm”) agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules for $150,000. In addition to the $150,000 settlement, APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.

This marks the first settlement with a covered entity under which the HHS Office of Civil Rights (“OCR”) specifically cited the practice for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).

The OCR initiated an investigation of APDerm after receiving a report that an unencrypted thumb drive containing electronic protected health information (“ePHI”) of approximately 2,200 patients was stolen from a staff member’s vehicle. The thumb drive was never recovered. After the close of the investigation, OCR determined that APDerm failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of the ePHI as a part of its security management process. Additionally, OCR found that APDerm failed to fully comply with the Breach Notification Rule by not having written policies and procedures in place and by failing to properly train its workforce members.

This settlement highlights the significance of conducting routine risk and vulnerability assessments, having adequate written policies in place, and conducting workforce training on HIPAA privacy and security policies. It is imperative that all covered entities affirmatively review the mandatory requirements under the HIPAA Omnibus Rule.

For more information, or for questions related to HIPAA or other regulatory concerns, please contact Clinton Mikel, Esq., or Adrienne Dresevic, Esq. at (248) 996-8510 or via email at cmikel@thehlp.com or adresevic@thehlp.com.
