Dermatologists Pay $150,000 for Alleged HIPAA Violations

A dermatology practice settled with HHS as a result of alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. In a press release, HHS announced that this was the first settlement of a covered entity that failed to put policies and procedures in place pursuant to breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. As part of the resolution agreement, the dermatology practice, Adult & Pediatric Dermatology, P.C. of Concord, Massachusetts (APDerm), was ordered to pay $150,000 as well as enact corrective actions.

HITECH Act

The HITECH Act, which was passed as a part of the American Recovery and Reinvestment Act of 2009, was enacted in order to support the meaningful use of health information technology. HITECH provided for four categories of violations with corresponding tiers of penalties. The legislation also eliminated a previous prohibition on the imposition of penalties in cases where an entity did not know, or with the exercise of reasonable diligence would not have known, of the violation.

Allegations

According to HHS, an unencrypted thumb drive was stolen from the vehicle of one of APDerm’s staff members and was never recovered. The drive contained the electronic protected health information (ePHI) of approximately 2,200 patients. HHS alleged that its investigation determined that APDerm failed to conduct “an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as a part of its security management processes,” and also failed to put in place the written policies, procedures, and training needed to comply with the HITECH breach notification requirements.

Resolution Agreement

In addition to the payment of $150,000, the resolution agreement also requires APDerm to enact a corrective action plan, which includes the development of a risk management plan and requires the submission of an implementation report to HHS.