Back in 2013 Adult & Pediatric Dermatology of Concord, Massachusetts, was hit with a $150,000 HIPAA fine for an unencrypted thumb drive that stored more than 2,200 patient records and was stolen from a staff member’s car. Not only did the dermatology group owe the hefty sum, it joined the ranks of healthcare providers listed on the Wall of Shame where security breaches are reported by the Department of Health and Human Services Department’s (HHS) Office of Civil Rights (OCR). OCR even issued a news release calling out APDerm’s violation of the HIPAA Privacy, Security and Breach Notification Rules.
APDerm earned the dubious honor of paying the first fine levied against a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Even though APDerm confirmed that the stolen thumb drive did not contain sensitive health or financial information, the news release spurred negative publicity with Google searches still linking APDerm to unwelcomed coverage of the incident.
By law, a medical practice must report lost or stolen electronic protected health information (ePHI) to patients within 60 days of discovery. Breaches of more than 500 individuals must be reported to the OCR within 60 days as well.
Upon notification, the OCR will conduct an investigation of the breach. In the case of APDerm, the OCR investigation concluded that the 12-physician group had failed to perform “an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI (electronic protected health information), as part of its security management process.”
According to the OCR’s news release, issued at the end of 2013, APDerm settled the HIPAA violation agreement but it didn’t end there. The release pointed out that APDerm had not mitigated the risks of ePHI exposure, such as encrypting mobile devices and thumb drives that stored ePHI. Further, APDerm did not have written policies and procedures in place, nor staff members trained on breach notification requirements of HITECH.