BreachExchange mailing list archives

Dermatology practice settles potential HIPAA violations


From: Jake <jake () riskbasedsecurity com>
Date: Thu, 26 Dec 2013 20:48:57 -0500

http://www.hhs.gov/news/press/2013pres/12/20131226a.html

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has
agreed to settle potential violations of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy, Security,
and Breach Notification Rules with the Department of Health and Human
Services, agreeing to a $150,000 payment. APDerm will also be required
to implement a corrective action plan to correct deficiencies in its
HIPAA compliance program.  APDerm is a private practice that delivers
dermatology services in four locations in Massachusetts and two in New
Hampshire. This case marks the first settlement with a covered entity
for not having policies and procedures in place to address the breach
notification provisions of the Health Information Technology for
Economic and Clinical Health (HITECH) Act, passed as part of American
Recovery and Reinvestment Act of 2009 (ARRA).

The HHS Office for Civil Rights (OCR) opened an investigation of
APDerm upon receiving a report that an unencrypted thumb drive
containing the electronic protected health information (ePHI) of
approximately 2,200 individuals was stolen from a vehicle of one of its
staff members. The thumb drive was never recovered.  The investigation
revealed that APDerm had not conducted an accurate and thorough
analysis of the potential risks and vulnerabilities to the
confidentiality of ePHI as part of its security management process.
Further, APDerm did not fully comply with requirements of the Breach
Notification Rule to have in place written policies and procedures and
train workforce members.

“As we say in health care, an ounce of prevention is worth a pound of
cure,” said OCR Director Leon Rodriguez. “That is what a good risk
management process is all about – identifying and mitigating the risk
before a bad thing happens.  Covered entities of all sizes need to
give priority to securing electronic protected health information.”

In addition to a $150,000 resolution amount, the settlement includes a
corrective action plan requiring APDerm to develop a risk analysis
and risk management plan to address and mitigate any security risks
and vulnerabilities, as well as to provide an implementation report to
OCR.

To learn more about nondiscrimination and health information privacy
laws, your civil rights and privacy rights in health care and human
service settings, and to find information on filing a complaint, visit
us at www.HHS.gov/OCR.

The resolution agreement can be found on the OCR website at
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
