On December 26, 2013, the Department of Health and Human Services (“HHS”) and Adult & Pediatric Dermatology, P.C. (“APDerm”) agreed to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules for $150,000. In addition the $150,00 settlement, APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.
This marks the first settlement with a covered entity under which the HHS Office of Civil Rights (“OCR”) specifically cited the practice for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”).
The OCR initiated an investigation of APDerm after receiving a report than an unencrypted thumb drive containing electronic protected health information (“ePHI”) of approximately 2,200 patients was stolen from a staff member’s vehicle. The thumb drive was never recovered. After the close of the investigation, OCR determined that APDerm failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of the ePHI as a part of its security management process. Additionally, OCR found that APDerm failed to fully comply with the Breach Notification Rule by not having written policies and procedures in place and by failing to properly train its workforce members.
This settlement highlights the significance of conducting routine risk and vulnerability assessments, having adequate written policies in place, and conducting workforce training on HIPAA privacy and security policies. It is imperative that all covered entities affirmatively review the mandatory requirements under the HIPAA Omnibus Rule.
For more information, or for questions related to HIPAA or other regulatory concerns, please contact Clinton Mikel, Esq., or Adrienne Dresevic, Esq. at (248) 996-8510 or via email at firstname.lastname@example.org or email@example.com.