Last month, the U.S. Department of Health and Human Services (HHS) announced that a Massachusetts dermatology practice will pay $150,000 to settle claims that it violated the HIPAA Privacy, Security, and Breach Notification Rules. Concord-based Adult & Pediatric Dermatology, P.C. becomes the first HIPAA-covered entity to be fined for failure to have policies and procedures in place to address the breach notification provisions of the HITECH Act.

HHS’s Office for Civil Rights (OCR) began investigating the practice after receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of about 2,200 patients had been stolen from the vehicle of one of its staff members. The thumb drive was never recovered, but there was no evidence that the ePHI had actually been accessed, and the practice gave the required notices to its patients and the media within 30 days after the theft. Nonetheless, OCR’s investigation revealed that the practice had not “conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process,” and “did not fully comply with requirements . . . to have in place written policies and procedures and train workforce members.”

As part of the settlement, the practice is required to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. Most importantly, the settlement should serve as a warning to all HIPAA-covered entities and their business associates to take these requirements seriously.

In HHS’s statement, OCR Director Leon Rodriguez stressed the need for covered entities to have good risk management processes in place to mitigate the risk of a data breach, before the breach occurs. “Covered entities of all sizes need to give priority to securing electronic protected health information,” Rodriguez said.