Health Law Blog

HIPAA Violation Settlement for Failure to Establish Breach Notification Policies and Procedures

A Massachusetts dermatology practice, APDerm, has agreed to make a $150,000 payment and enter into a corrective action plan with the U.S. Department of Health and Human Services’ Office for Civil Rights in order to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules.  According to HHS, this is the first settlement entered into by an entity for a failure to have breach notification policies and procedures in place under the HITECH Act.

According to the press release, an unencrypted thumb drive containing electronic protected health information (“ePHI”) of over 2,200 people was stolen from the vehicle of an APDerm employee in October 2011.  After HHS was notified of the situation, its investigation revealed that APDerm did not conduct an adequate risk assessment of the vulnerabilities to the confidentiality of the ePHI it maintained prior to the loss of the thumb drive.  HHS also determined that APDerm did not comply with the Breach Notification Rule by failing to have written policies and procedures in place to address such breaches, and by failing to train workers regarding the requirements of this rule.  HHS also found that the failure to safeguard the unencrypted thumb drive amounted to an impermissible disclosure of ePHI when it was stolen from the APDerm employee’s car.

The corrective action plan entered into by APDerm requires it to perform a risk analysis, develop breach notification policies and procedures, and establish an implementation plan for those procedures, each of which must be reviewed and approved by HHS.

The HHS press release is available here: http://www.hhs.gov/news/press/2013pres/12/20131226a.html

The Resolution Agreement is here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf

 
