HIPAA case settled
January 20, 2014
By Kelly Soderlund, ADA News staff
Concord, Mass.—A dermatology practice will pay the federal government $150,000 to settle potential violations of the Health Insurance Portability and Accountability Act.
It's the first settlement by a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health Act, according to a news release from the Department of Health and Human Services Office for Civil Rights.
Adult & Pediatric Dermatology, P.C. will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program and provide a report on the implementation to the OCR, according to the release. APDerm is a private dermatology practice with four offices in Massachusetts and two in New Hampshire.
OCR began investigating APDerm after receiving a report that an unencrypted thumb drive containing the electronic protected health information of about 2,200 people was stolen from a staff member's car. The thumb drive was never recovered.
The investigation revealed that APDerm didn't conduct an accurate and thorough analysis of the potential risks and vulnerabilities of the electronic protected health information as part of its security management progress. OCR also determined that APDerm also didn't fully comply with the Breach Notification Rule requirements to have written policies and procedures in place and train workforce members.
For more information on the HIPAA Breach Notification Rule, visit the website. The ADA offers its own insight for members online.
ADA Complete HIPAA Compliance Kit (J598) is available from the ADA Catalog, and includes a manual, the training CD-ROM and a three-year update service. The kit is $300 for members and $450 for nonmembers.