Data Breach, HIPAA / HITECH Enforcement, News Events, OCR HIPAA Audits, Risk Analysis/Risk Management

Dermatology Practice Settles Potential HIPAA Violations $150,000 Plus Corrective Action Plan

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html.

For assistance please contact RISC Management.

 

Advertisements

11 thoughts on “Dermatology Practice Settles Potential HIPAA Violations $150,000 Plus Corrective Action Plan”

  1. Having read this I thought it was very enlightening.

    I appreciate you finding the time and effort to put this
    information together. I once again find myself spending a significant amount of time
    both reading and commenting. But so what, it was still worthwhile!

    1. Did not get the opportunity to respond, but thank you very much for the kind words. Please let us know if you have other topics that we can review or research for you.

    1. Thank you very much for the nice comment! Technical writing is often difficult and tends to be boring. We at RISC really appreciate that you took the time to reply. Please feel free to provide us with topics that are important to you for future blogs!

  2. Attractive component to content. I just stumbled upon your
    web site and in accession capital to say that I acquire actually enjoyed account your blog posts.

    Any way I’ll be subscribing on your feeds or even I success you get admission to constantly
    rapidly.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s