A Massachusetts dermatology practice has agreed to pay a $150,000 settlement to the federal government, the result of an unencrypted thumb drive containing patient data being stolen from a staff member’s car.
Adult & Pediatric Dermatology, of Concord, Mass., agreed Dec. 24 to settle the potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and must enact an action plan to correct deficiencies in its HIPAA compliance program, the Department of Health and Human Services (HHS) announced in a news release.
The theft occurred in September 2011, when an unencrypted thumb drive was taken from a practice employee’s car. The thumb drive contained electronic protected health information (ePHI) of about 2,200 patients who had undergone Mohs surgeries. The dermatology practice advised its patients of the theft within 30 days of the incident; the thumb drive was never recovered.
Even after the theft, HHS determined, the dermatology practice failed to conduct an “accurate and thorough” analysis of the potential risks and vulnerabilities to the confidentiality of its ePHI until October 2012, more than a year after the incident.
Additionally, the HHS stated the dermatology practice neglected to fully comply with requirements of the Breach Notification Rule until February 2012. Compliance with that rule calls for written policies and procedures and training for employees regarding the Breach Notification requirements. The agreement isn’t an admission of liability by the dermatology practice.
“As we say in healthcare, an ounce of prevention is worth a pound of cure,” Leon Rodriguez, director of the HHS Office for Civil Rights, stated in the news release. “That is what good risk management is all about - identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information.”