The HHS Office for Civil Rights has fined Concord, Mass.-based Adult and Pediatric Dermatology $150,000 to resolve allegations of violations of the HIPAA privacy and security rules following the September 2011 theft of an unencrypted thumb drive from an employee’s vehicle.
The settlement fee accompanies a corrective action plan under which the provider agrees to develop a risk analysis and risk management plan to address vulnerabilities and to submit a report to OCR. The agency took the action after determining that the dermatology practice did not have policies and procedures to address provisions of the breach notification rule.
“The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process,” according to an OCR statement. “Further, APDerm did not fully comply with requirements of the breach notification rule to have in place written policies and procedures and train workforce members.”
Adult and Pediatric Dermatology issued the following statement after OCR announced its disciplinary action:
“Along with protecting our patients’ health and safety, protecting their privacy is our highest priority. In 2011, we were victims of a crime and a computer flash drive was stolen. The stolen information did not include any financial information or sensitive health information. We reached out to every patient that may have been affected and have worked diligently to put measures in place to ensure the safety and security of our patient’s information. “Today’s settlement announcement was as a result of the 2011 incident. We are disappointed with the amount of the settlement given that the flash drive was never used to anyone’s knowledge, nor did it contain financial information that could be used to harm anyone. We have agreed to pay the settlement amount rather than incur the additional costs of a hearing.”
The agreement between OCR and the dermatology practice is the sixth HIPAA resolution agreement the agency has reached in the past year. The others include:
* Affinity Health Plan (sold photocopier not cleaned, $1.2 million);
* WellPoint (PHI viewable on a Web site, $1.7 million);
* Shasta Regional Medical Center in Redding, Calif., and 23-hospital parent company Prime Healthcare Services (intentionally violating patient privacy, $275,000);
* Idaho State University (failure to conduct risk analysis for 5+ years, $400,000); and
* Hospice of North Idaho in Hayden (failure to comply with security rule for almost seven years, $50,000).
