HIPAA Update: $150k Penalty Levied for Failure to Have Required Policies and Procedures in Place

MARLENE MAHEU

January 2, 2013 | Reading Time: 1 Minutes

 382

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

The Department of Health and Human Services’ Office for Civil Rights (OCR) investigated the Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) after receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered.

As is often the case, the investigation by the OCR found more than one violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. It was determined that APDerm had failed to:

conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process
fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

APDerm has agreed to settle potential violations of HIPAA, and pay $150,000 in fines. APDerm will also implement a corrective action plan to correct deficiencies in its HIPAA compliance program. This case is the first settlement with a covered entity for failing to have policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

In addition to a $150,000, AP Derm will be required to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

To learn more about nondiscrimination and health information privacy laws, civil rights and privacy rights in health care and human service settings, and to find information on filing a complaint, visit the Office for Civil Rights.

Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of Telehealth.org’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.