Thursday, January 30, 2014

Dermatology Practice Settles Potential HIPAA Violations

One of my Top 10  Practice Predictions for 2014 (number 4 to be exact) dealt with HIPPA.

Many practices are thinking they are doing the right things with the federal standard, but in actuality they are not.

Then there are problems like securing your backups.  As I've said time and time again, backing up is a chain and you need to have as many links as possible in that chain to make sure you have enough copies of your data.

Of course, with each copy you make, you also have to secure that data.

In my case, all backups that are kept offsite are always in my possession.  That means if I stop at the grocery store for a gallon of milk on my way home, the backups go into the store with me.  If I do *anything* before I can store the backups, they are on my person.  It's that simple.  They never leave my possession.

Recently a dermatology practice in the Northeast lost a jump drive that contained data on 2200 individuals.  Read on for the press release from  the Department of Health & Human Services:


Dermatology practice settles potential HIPAA violations

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy,  Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program.  APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.  The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members. 

“As we say in health care, an ounce of prevention is worth a pound of cure,” said OCR Director Leon Rodriguez. “That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information.”

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

To learn more about nondiscrimination and health information privacy laws, your civil rights and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at

The resolution agreement can be found on the OCR website at

No comments:

Post a Comment