Dermatology Practice Settles Potential HIPAA Violations

APdermAdult & Pediatric Dermatology, P.C., of Concord, Mass.,  has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. The practice will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  Adult and Pediatric 5647_logo_hhs_ocr_175x175Dermatology is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).
The HHS Office for Civil Rights (OCR) opened an investigation of Adult and Pediatric Dermatology upon receiving a report that an un-encrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that Adult and Pediatric Dermatology had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, Adult and Pediatric Dermatology did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring Adult and Pediatric Dermatology to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

View the Corrective Action Plan(CAP) here >>

Tips s to providers:  Almost all of the  HIPAA/HITECH violations identified in the last few years is due to insufficient security risk analysis conducted by the providers or business associates.  Review our toolkit to learn more about how you can implement required HIPAA/HITECH requirements easily or contact us today to help you comply with the requirements.

Share this in :
The following two tabs change content below.
Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.