Dermatology Practice Fails to Adopt HIPAA Breach Notification Policies and Procedures, Agrees to Pay $150,000 Fine

Author: Tracy Morley, XpertHR Legal Editor

January 27, 2014

Adult & Pediatric Dermatology, P.C. (APDerm) agreed to pay $150,000 to settle potential violations of the Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the US Department of Health and Human Services (HHS) announced. This is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HHS Office for Civil Rights (OCR) began an investigation upon receipt of a report that an unencrypted thumb drive had been stolen from the vehicle of one of APDerm's staff members. The thumb drive, which was never recovered, contained the electronic protected health information (ePHI) of more than 2,000 individuals. After its investigation, OCR determined that APDerm failed to:

  • Conduct an accurate and thorough analysis of the potential risks to, and vulnerabilities of, the confidentiality of ePHI; and
  • Comply with requirements of the Breach Notification Rule to have written policies and procedures in place and to train its workforce.

In addition to the financial settlement, the resolution agreement requires APDerm to enter into a Corrective Action Plan (CAP). Under the CAP, APDerm must conduct a risk analysis and develop a risk management plan to address security risks and vulnerabilities.

This settlement underlines the importance of developing a compliance program that meets the HIPAA requirements, and appears to signal increased enforcement activity by HHS.

"As we say in health care, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez. "That is what a good risk management process is all about - identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."