HIPAA Violation Settlement for Failure to Establish Breach Notification Policies and Procedures

A Massachusetts dermatology practice, APDerm, has agreed to make a $150,000 payment and enter into a corrective action plan with the U.S. Department of Health and Human Services’ Office for Civil Rights in order to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.  According to HHS, this is the first settlement entered into with an entity for a failure to have breach notification policies and procedures in place under the HITECH Act.

According to the press release, an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of over 2,200 individuals was stolen from the vehicle of an APDerm employee in October 2011.  After HHS was notified of the theft, its investigation revealed that APDerm had not conducted an adequate risk assessment of the vulnerabilities to the confidentiality of the ePHI it maintained prior to the loss of the thumb drive.  HHS also determined that APDerm did not comply with the Breach Notification Rule, because it failed to have written policies and procedures in place to address such breaches and failed to train its workforce on the requirements of the rule.  HHS further found that the failure to safeguard the unencrypted thumb drive amounted to an impermissible disclosure of ePHI when the drive was stolen from the employee’s car.

The corrective action plan entered into by APDerm requires it to perform a risk analysis, develop breach notification policies and procedures, and establish an implementation plan for those procedures, each of which must be reviewed and approved by HHS.

The HHS press release is available here: http://www.hhs.gov/news/press/2013pres/12/20131226a.html

The Resolution Agreement is here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf