Adult & Pediatric Dermatology, P.C. (APD), a 12-physician dermatology practice with offices in Massachusetts and New Hampshire, has become the first covered entity to settle “potential” HIPAA violations involving the lack of breach notification policies. The settlement requires a $150,000 payment and a corrective action plan.
The practice was investigated by the HHS Office for Civil Rights (OCR) after a report that an unencrypted thumb drive had been stolen from an APD staff member’s vehicle.
According to the resolution agreement, after the drive was stolen the practice notified the 2,200 patients involved, provided media notice, and notified OCR. OCR stressed that the practice did not have the required breach notification policies and did not train its employees. Other findings were that the practice failed to safeguard the thumb drive (for example, by encrypting it) and failed to conduct an accurate and thorough risk analysis, which would have anticipated the risk of a lost or stolen portable device.
The last point, the lack of a risk analysis, is another example of OCR’s consistent emphasis on the risk analysis as the foundation of a HIPAA Security program.
Key points to take home from this case are:
1) Create comprehensive policies, train all employees, and follow the policies!
2) Don’t skimp on the risk analysis. Get professional help if needed, and be sure that it includes a complete inventory of equipment, including small items like thumb drives.
3) Encrypt, Encrypt, Encrypt. Any device that could hold PHI and is easily lost or stolen should be encrypted.
4) Even small practices can be fined or penalized.
Visit the OCR website to view the resolution agreement and press release.