Dermatology Practice Pays $150,000 to Settle Potential HIPAA Violation Involving Stolen Thumb Drive
A Massachusetts dermatology practice agreed last month to settle a potential violation of the Privacy, Security and Breach Notification Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in exchange for payment of $150,000. The settlement with the U.S. Department of Health and Human Services (HHS) also requires the practice to implement a corrective action plan to bring its policies and procedures into compliance with the requirements of HIPAA.
The incident in question involved the theft of an unencrypted thumb drive containing electronic protected health information (ePHI) on approximately 2,200 patients. The thumb drive was stolen from the unattended automobile of an employee of the practice and was never recovered. In its investigation into the matter, HHS determined that the practice had impermissibly disclosed the ePHI of its patients as a result of the theft of the thumb drive and that, in addition, the practice’s written policies and procedures and workforce training failed to fully comply with the administrative requirements of the HIPAA Breach Notification Rule.
A complete copy of the resolution agreement between HHS and the practice can be found at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf